[webkit-changes] [236841] trunk

Thu, 04 Oct 2018 12:32:28 -0700

Title: [236841] trunk
Revision
236841
Author
cdu...@apple.com
Date
2018-10-04 12:31:15 -0700 (Thu, 04 Oct 2018)

Log Message

Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
https://bugs.webkit.org/show_bug.cgi?id=190252

Reviewed by Alex Christensen.

Source/WebCore:

Add a null check for element() after firing the 'input' event and before firing the 'change' event
in case the input event listener changes the input type.

Tests: fast/dom/HTMLInputElement/change-type-in-click-event-listener.html
       fast/dom/HTMLInputElement/change-type-in-input-event-listener.html

* html/BaseCheckableInputType.cpp:
(WebCore::BaseCheckableInputType::fireInputAndChangeEvents):

LayoutTests:

Add layout test coverage.

* fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt: Added.
* fast/dom/HTMLInputElement/change-type-in-click-event-listener.html: Added.
* fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt: Added.
* fast/dom/HTMLInputElement/change-type-in-input-event-listener.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (236840 => 236841)


--- trunk/LayoutTests/ChangeLog	2018-10-04 19:27:10 UTC (rev 236840)
+++ trunk/LayoutTests/ChangeLog	2018-10-04 19:31:15 UTC (rev 236841)
@@ -1,3 +1,17 @@
+2018-10-04  Chris Dumez  <cdu...@apple.com>
+
+        Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
+        https://bugs.webkit.org/show_bug.cgi?id=190252
+
+        Reviewed by Alex Christensen.
+
+        Add layout test coverage.
+
+        * fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt: Added.
+        * fast/dom/HTMLInputElement/change-type-in-click-event-listener.html: Added.
+        * fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt: Added.
+        * fast/dom/HTMLInputElement/change-type-in-input-event-listener.html: Added.
+
 2018-10-04  YUHAN WU  <yuhan...@apple.com>
 
         runtime flag and IDL for MediaRecorder

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt (0 => 236841)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt	2018-10-04 19:31:15 UTC (rev 236841)
@@ -0,0 +1,10 @@
+Make sure we do not crash if the 'click' event listener changes the input type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Click event was fired
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html (0 => 236841)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html	2018-10-04 19:31:15 UTC (rev 236841)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure we do not crash if the 'click' event listener changes the input type.");
+
+_onload_ = () => {
+    testInput.addEventListener("click", () => {
+        testPassed("Click event was fired");
+        testInput.type = "text";
+    });
+
+    testInput.addEventListener("input", () => {
+        testFailed("input event should not have fired");
+    });
+    testInput.addEventListener("change", () => {
+        testFailed("change event should not have fired");
+    });
+    testInput.click();
+    setTimeout(finishJSTest, 0);
+};
+</script>
+<input type="checkbox" id="testInput"></input>
+</body>
+</html>

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt (0 => 236841)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt	2018-10-04 19:31:15 UTC (rev 236841)
@@ -0,0 +1,10 @@
+Make sure we do not crash if the 'input' event listener changes the input type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Input event was fired
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html (0 => 236841)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html	2018-10-04 19:31:15 UTC (rev 236841)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure we do not crash if the 'input' event listener changes the input type.");
+
+_onload_ = () => {
+    testInput.addEventListener("input", () => {
+        testPassed("Input event was fired");
+        testInput.type = "text";
+    });
+    testInput.addEventListener("change", () => {
+        testFailed("change event should not have fired");
+    });
+    testInput.click();
+    setTimeout(finishJSTest, 0);
+};
+</script>
+<input type="checkbox" id="testInput"></input>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (236840 => 236841)


--- trunk/Source/WebCore/ChangeLog	2018-10-04 19:27:10 UTC (rev 236840)
+++ trunk/Source/WebCore/ChangeLog	2018-10-04 19:31:15 UTC (rev 236841)
@@ -1,3 +1,19 @@
+2018-10-04  Chris Dumez  <cdu...@apple.com>
+
+        Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
+        https://bugs.webkit.org/show_bug.cgi?id=190252
+
+        Reviewed by Alex Christensen.
+
+        Add a null check for element() after firing the 'input' event and before firing the 'change' event
+        in case the input event listener changes the input type.
+
+        Tests: fast/dom/HTMLInputElement/change-type-in-click-event-listener.html
+               fast/dom/HTMLInputElement/change-type-in-input-event-listener.html
+
+        * html/BaseCheckableInputType.cpp:
+        (WebCore::BaseCheckableInputType::fireInputAndChangeEvents):
+
 2018-10-04  Yuhan Wu  <yuhan...@apple.com>
 
         runtime flag and IDL for MediaRecorder

Modified: trunk/Source/WebCore/html/BaseCheckableInputType.cpp (236840 => 236841)


--- trunk/Source/WebCore/html/BaseCheckableInputType.cpp	2018-10-04 19:27:10 UTC (rev 236840)
+++ trunk/Source/WebCore/html/BaseCheckableInputType.cpp	2018-10-04 19:31:15 UTC (rev 236841)
@@ -127,9 +127,11 @@
     if (!shouldSendChangeEventAfterCheckedChanged())
         return;
 
+    auto protectedThis = makeRef(*this);
     element()->setTextAsOfLastFormControlChangeEvent(String());
     element()->dispatchInputEvent();
-    element()->dispatchFormControlChangeEvent();
+    if (auto* element = this->element())
+        element->dispatchFormControlChangeEvent();
 }
 
 } // namespace WebCore

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to