HTMLImageElement::insertedIntoAncestor doesn't check that we're appending the <img> as a direct child of a <picture>, which means that some random other ancestor <picture> could be used instead.
WPT PR that tests this: https://github.com/web-platform-tests/wpt/pull/28680
Forthcoming patch makes that test pass.
Created attachment 427022 [details]
Comment on attachment 427022 [details]
View in context: https://bugs.webkit.org/attachment.cgi?id=427022&action=review
> + Tests: https://github.com/web-platform-tests/wpt/pull/28680
Please update the imported test now that it has been merged upstream.
> if (is<HTMLPictureElement>(currentNode()) && is<HTMLImageElement>(*element))
This is crazy. How is this code even needed?
Created attachment 427118 [details]
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Committed r276679 (237096@main): <https://commits.webkit.org/237096@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 427118 [details].