LibWeb: Disallow creating a FileAPI::FileList with a vector of files

This factory forced callers to make a list of GC-allocated FileAPI::File
objects. This isn't safe - this opens a window for these files to be
garbage collected before the FileList object stores / visits the list.

Instead, only allow creating an empty FileList and incrementally adding
files to that list.

Userland/Libraries/LibWeb/FileAPI/FileList.cpp

@@ -14,23 +14,11 @@ namespace Web::FileAPI {
 
 JS_DEFINE_ALLOCATOR(FileList);
 
-JS::NonnullGCPtr<FileList> FileList::create(JS::Realm& realm, Vector<JS::NonnullGCPtr<File>>&& files)
-{
-    return realm.heap().allocate<FileList>(realm, realm, move(files));
-}
-
 JS::NonnullGCPtr<FileList> FileList::create(JS::Realm& realm)
 {
     return realm.heap().allocate<FileList>(realm, realm);
 }
 
-FileList::FileList(JS::Realm& realm, Vector<JS::NonnullGCPtr<File>>&& files)
-    : Bindings::PlatformObject(realm)
-    , m_files(move(files))
-{
-    m_legacy_platform_object_flags = LegacyPlatformObjectFlags { .supports_indexed_properties = 1 };
-}
-
 FileList::FileList(JS::Realm& realm)
     : Bindings::PlatformObject(realm)
 {

Userland/Libraries/LibWeb/FileAPI/FileList.h

@@ -22,9 +22,10 @@ class FileList
     JS_DECLARE_ALLOCATOR(FileList);
 
 public:
-    [[nodiscard]] static JS::NonnullGCPtr<FileList> create(JS::Realm&, Vector<JS::NonnullGCPtr<File>>&&);
     [[nodiscard]] static JS::NonnullGCPtr<FileList> create(JS::Realm&);
 
+    void add_file(JS::NonnullGCPtr<File> file) { m_files.append(file); }
+
     virtual ~FileList() override;
 
     // https://w3c.github.io/FileAPI/#dfn-length
@@ -49,7 +50,6 @@ public:
     virtual WebIDL::ExceptionOr<void> deserialization_steps(ReadonlySpan<u32> const& serialized, size_t& position, HTML::DeserializationMemory&) override;
 
 private:
-    FileList(JS::Realm&, Vector<JS::NonnullGCPtr<File>>&&);
     explicit FileList(JS::Realm&);
 
     virtual void initialize(JS::Realm&) override;

Userland/Libraries/LibWeb/HTML/HTMLInputElement.cpp

@@ -189,7 +189,7 @@ JS::GCPtr<FileAPI::FileList> HTMLInputElement::files()
         return nullptr;
 
     if (!m_selected_files)
-        m_selected_files = FileAPI::FileList::create(realm(), {});
+        m_selected_files = FileAPI::FileList::create(realm());
     return m_selected_files;
 }
 
@@ -461,8 +461,7 @@ void HTMLInputElement::did_select_files(Span<SelectedFile> selected_files)
         return;
     }
 
-    Vector<JS::NonnullGCPtr<FileAPI::File>> files;
-    files.ensure_capacity(selected_files.size());
+    auto files = FileAPI::FileList::create(realm());
 
     for (auto& selected_file : selected_files) {
         auto contents = selected_file.take_contents();
@@ -478,14 +477,14 @@ void HTMLInputElement::did_select_files(Span<SelectedFile> selected_files)
         options.type = mime_type.essence();
 
         auto file = MUST(FileAPI::File::create(realm(), { JS::make_handle(blob) }, file_name, move(options)));
-        files.unchecked_append(file);
+        files->add_file(file);
     }
 
     // https://html.spec.whatwg.org/multipage/input.html#update-the-file-selection
     // 1. Queue an element task on the user interaction task source given element and the following steps:
-    queue_an_element_task(HTML::Task::Source::UserInteraction, [this, files = move(files)]() mutable {
+    queue_an_element_task(HTML::Task::Source::UserInteraction, [this, files]() mutable {
         // 1. Update element's selected files so that it represents the user's selection.
-        m_selected_files = FileAPI::FileList::create(realm(), move(files));
+        m_selected_files = files;
         update_file_input_shadow_tree();
 
         // 2. Fire an event named input at the input element, with the bubbles and composed attributes initialized to true.
@@ -1424,7 +1423,7 @@ void HTMLInputElement::reset_algorithm()
     m_checked = has_attribute(AttributeNames::checked);
 
     // empty the list of selected files,
-    m_selected_files = FileAPI::FileList::create(realm(), {});
+    m_selected_files = FileAPI::FileList::create(realm());
 
     // and then invoke the value sanitization algorithm, if the type attribute's current state defines one.
     m_value = value_sanitization_algorithm(m_value);