Title: [256401] trunk/Source/WebKit
- Revision
- 256401
- Author
- wenson_hs...@apple.com
- Date
- 2020-02-11 16:49:58 -0800 (Tue, 11 Feb 2020)
Log Message
WebPage::getFocusedElementInformation should be robust when the focused element changes during layout
https://bugs.webkit.org/show_bug.cgi?id=207582
<rdar://problem/47634344>
Reviewed by Tim Horton.
This is a speculative fix for <rdar://problem/47634344>, wherein the initial layout update in WebPage::
getFocusedElementInformation may cause the currently focused element to disappear (or change). In the case where
m_focusedElement becomes nil, we end up crashing with a null pointer deref, since the rest of the method assumes
that m_focusedElement exists.
To patch this crash, bail early (after the first layout update) if m_focusedElement changed during the layout
pass. Since the rest of the function my trigger even more layout updates that could nuke m_focusedElement, I
also changed the rest of the function to use the locally stored `focusedElement` variable instead of
m_focusedElement, on WebPage.
* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::getFocusedElementInformation):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (256400 => 256401)
--- trunk/Source/WebKit/ChangeLog 2020-02-12 00:49:29 UTC (rev 256400)
+++ trunk/Source/WebKit/ChangeLog 2020-02-12 00:49:58 UTC (rev 256401)
@@ -1,3 +1,24 @@
+2020-02-11 Wenson Hsieh <wenson_hs...@apple.com>
+
+ WebPage::getFocusedElementInformation should be robust when the focused element changes during layout
+ https://bugs.webkit.org/show_bug.cgi?id=207582
+ <rdar://problem/47634344>
+
+ Reviewed by Tim Horton.
+
+ This is a speculative fix for <rdar://problem/47634344>, wherein the initial layout update in WebPage::
+ getFocusedElementInformation may cause the currently focused element to disappear (or change). In the case where
+ m_focusedElement becomes nil, we end up crashing with a null pointer deref, since the rest of the method assumes
+ that m_focusedElement exists.
+
+ To patch this crash, bail early (after the first layout update) if m_focusedElement changed during the layout
+ pass. Since the rest of the function my trigger even more layout updates that could nuke m_focusedElement, I
+ also changed the rest of the function to use the locally stored `focusedElement` variable instead of
+ m_focusedElement, on WebPage.
+
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::WebPage::getFocusedElementInformation):
+
2020-02-11 Brent Fulgham <bfulg...@apple.com>
[iOS] Deny access to unused tcp service from NetworkProcess
Modified: trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm (256400 => 256401)
--- trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm 2020-02-12 00:49:29 UTC (rev 256400)
+++ trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm 2020-02-12 00:49:58 UTC (rev 256401)
@@ -2985,14 +2985,17 @@
void WebPage::getFocusedElementInformation(FocusedElementInformation& information)
{
+ auto focusedElement = m_focusedElement.copyRef();
layoutIfNeeded();
+ if (focusedElement != m_focusedElement)
+ return;
information.lastInteractionLocation = m_lastInteractionLocation;
- if (auto elementContext = contextForElement(*m_focusedElement))
+ if (auto elementContext = contextForElement(*focusedElement))
information.elementContext = WTFMove(*elementContext);
- if (auto* renderer = m_focusedElement->renderer()) {
- information.interactionRect = rootViewInteractionBoundsForElement(*m_focusedElement);
+ if (auto* renderer = focusedElement->renderer()) {
+ information.interactionRect = rootViewInteractionBoundsForElement(*focusedElement);
information.nodeFontSize = renderer->style().fontDescription().computedSize();
bool inFixed = false;
@@ -3002,8 +3005,8 @@
} else
information.interactionRect = { };
- if (is<HTMLElement>(m_focusedElement))
- information.isSpellCheckingEnabled = downcast<HTMLElement>(*m_focusedElement).spellcheck();
+ if (is<HTMLElement>(focusedElement))
+ information.isSpellCheckingEnabled = downcast<HTMLElement>(*focusedElement).spellcheck();
information.minimumScaleFactor = minimumPageScaleFactor();
information.maximumScaleFactor = maximumPageScaleFactor();
@@ -3010,18 +3013,18 @@
information.maximumScaleFactorIgnoringAlwaysScalable = maximumPageScaleFactorIgnoringAlwaysScalable();
information.allowsUserScaling = m_viewportConfiguration.allowsUserScaling();
information.allowsUserScalingIgnoringAlwaysScalable = m_viewportConfiguration.allowsUserScalingIgnoringAlwaysScalable();
- if (auto* nextElement = nextAssistableElement(m_focusedElement.get(), *m_page, true)) {
+ if (auto* nextElement = nextAssistableElement(focusedElement.get(), *m_page, true)) {
information.nextNodeRect = rootViewBoundsForElement(*nextElement);
information.hasNextNode = true;
}
- if (auto* previousElement = nextAssistableElement(m_focusedElement.get(), *m_page, false)) {
+ if (auto* previousElement = nextAssistableElement(focusedElement.get(), *m_page, false)) {
information.previousNodeRect = rootViewBoundsForElement(*previousElement);
information.hasPreviousNode = true;
}
information.focusedElementIdentifier = m_currentFocusedElementIdentifier;
- if (is<LabelableElement>(*m_focusedElement)) {
- auto labels = downcast<LabelableElement>(*m_focusedElement).labels();
+ if (is<LabelableElement>(*focusedElement)) {
+ auto labels = downcast<LabelableElement>(*focusedElement).labels();
Vector<Ref<Element>> associatedLabels;
for (unsigned index = 0; index < labels->length(); ++index) {
if (is<Element>(labels->item(index)) && labels->item(index)->renderer())
@@ -3036,11 +3039,11 @@
}
}
- information.title = m_focusedElement->title();
- information.ariaLabel = m_focusedElement->attributeWithoutSynchronization(HTMLNames::aria_labelAttr);
+ information.title = focusedElement->title();
+ information.ariaLabel = focusedElement->attributeWithoutSynchronization(HTMLNames::aria_labelAttr);
- if (is<HTMLSelectElement>(*m_focusedElement)) {
- HTMLSelectElement& element = downcast<HTMLSelectElement>(*m_focusedElement);
+ if (is<HTMLSelectElement>(*focusedElement)) {
+ HTMLSelectElement& element = downcast<HTMLSelectElement>(*focusedElement);
information.elementType = InputType::Select;
const Vector<HTMLElement*>& items = element.listItems();
size_t count = items.size();
@@ -3061,8 +3064,8 @@
}
information.selectedIndex = element.selectedIndex();
information.isMultiSelect = element.multiple();
- } else if (is<HTMLTextAreaElement>(*m_focusedElement)) {
- HTMLTextAreaElement& element = downcast<HTMLTextAreaElement>(*m_focusedElement);
+ } else if (is<HTMLTextAreaElement>(*focusedElement)) {
+ HTMLTextAreaElement& element = downcast<HTMLTextAreaElement>(*focusedElement);
information.autocapitalizeType = element.autocapitalizeType();
information.isAutocorrect = element.shouldAutocorrect();
information.elementType = InputType::TextArea;
@@ -3072,14 +3075,14 @@
information.placeholder = element.attributeWithoutSynchronization(HTMLNames::placeholderAttr);
information.inputMode = element.canonicalInputMode();
information.enterKeyHint = element.canonicalEnterKeyHint();
- } else if (is<HTMLInputElement>(*m_focusedElement)) {
- HTMLInputElement& element = downcast<HTMLInputElement>(*m_focusedElement);
+ } else if (is<HTMLInputElement>(*focusedElement)) {
+ HTMLInputElement& element = downcast<HTMLInputElement>(*focusedElement);
HTMLFormElement* form = element.form();
if (form)
information.formAction = form->getURLAttribute(WebCore::HTMLNames::actionAttr);
if (auto autofillElements = WebCore::AutofillElements::computeAutofillElements(element)) {
information.acceptsAutofilledLoginCredentials = true;
- information.isAutofillableUsernameField = autofillElements->username() == m_focusedElement;
+ information.isAutofillableUsernameField = autofillElements->username() == focusedElement;
}
information.representingPageURL = element.document().urlForBindings();
information.autocapitalizeType = element.autocapitalizeType();
@@ -3138,18 +3141,18 @@
information.value = element.value();
information.valueAsNumber = element.valueAsNumber();
information.autofillFieldName = WebCore::toAutofillFieldName(element.autofillData().fieldName);
- } else if (is<HTMLImageElement>(*m_focusedElement) && downcast<HTMLImageElement>(*m_focusedElement).hasEditableImageAttribute()) {
+ } else if (is<HTMLImageElement>(*focusedElement) && downcast<HTMLImageElement>(*focusedElement).hasEditableImageAttribute()) {
information.elementType = InputType::Drawing;
- information.embeddedViewID = downcast<HTMLImageElement>(*m_focusedElement).editableImageViewID();
- } else if (m_focusedElement->hasEditableStyle()) {
+ information.embeddedViewID = downcast<HTMLImageElement>(*focusedElement).editableImageViewID();
+ } else if (focusedElement->hasEditableStyle()) {
information.elementType = InputType::ContentEditable;
- if (is<HTMLElement>(*m_focusedElement)) {
- auto& focusedElement = downcast<HTMLElement>(*m_focusedElement);
- information.isAutocorrect = focusedElement.shouldAutocorrect();
- information.autocapitalizeType = focusedElement.autocapitalizeType();
- information.inputMode = focusedElement.canonicalInputMode();
- information.enterKeyHint = focusedElement.canonicalEnterKeyHint();
- information.shouldSynthesizeKeyEventsForEditing = focusedElement.document().settings().syntheticEditingCommandsEnabled();
+ if (is<HTMLElement>(*focusedElement)) {
+ auto& focusedHTMLElement = downcast<HTMLElement>(*focusedElement);
+ information.isAutocorrect = focusedHTMLElement.shouldAutocorrect();
+ information.autocapitalizeType = focusedHTMLElement.autocapitalizeType();
+ information.inputMode = focusedHTMLElement.canonicalInputMode();
+ information.enterKeyHint = focusedHTMLElement.canonicalEnterKeyHint();
+ information.shouldSynthesizeKeyEventsForEditing = focusedHTMLElement.document().settings().syntheticEditingCommandsEnabled();
} else {
information.isAutocorrect = true;
information.autocapitalizeType = AutocapitalizeTypeDefault;
@@ -3157,12 +3160,12 @@
information.isReadOnly = false;
}
- if (m_focusedElement->document().quirks().shouldSuppressAutocorrectionAndAutocaptializationInHiddenEditableAreas() && isTransparentOrFullyClipped(*m_focusedElement)) {
+ if (focusedElement->document().quirks().shouldSuppressAutocorrectionAndAutocaptializationInHiddenEditableAreas() && isTransparentOrFullyClipped(*focusedElement)) {
information.autocapitalizeType = AutocapitalizeTypeNone;
information.isAutocorrect = false;
}
- auto& quirks = m_focusedElement->document().quirks();
+ auto& quirks = focusedElement->document().quirks();
information.shouldAvoidResizingWhenInputViewBoundsChange = quirks.shouldAvoidResizingWhenInputViewBoundsChange();
information.shouldAvoidScrollingWhenFocusedContentIsVisible = quirks.shouldAvoidScrollingWhenFocusedContentIsVisible();
information.shouldUseLegacySelectPopoverDismissalBehaviorInDataActivation = quirks.shouldUseLegacySelectPopoverDismissalBehaviorInDataActivation();
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
