Title: [202626] trunk
Revision: 202626
Author: [email protected]
Date: 2016-06-29 09:50:21 -0700 (Wed, 29 Jun 2016)

Log Message

Crash when 'input' event handler for input[type=color] changes the input type
<https://webkit.org/b/159262>
<rdar://problem/27020404>

Reviewed by Daniel Bates.

Source/WebCore:

Fix based on a Blink change (patch by <[email protected]>):
<https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>

Test: fast/forms/color/color-type-change-on-input-crash.html

* html/ColorInputType.cpp:
(WebCore::ColorInputType::didChooseColor): Add EventQueueScope
before setValueFromRenderer() to fix the bug.
* html/HTMLInputElement.h:
(WebCore::HTMLInputElement::setValueFromRenderer): Add comment
about how to use this method.

LayoutTests:

Test based on a Blink change (patch by <[email protected]>):
<https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>

* fast/forms/color/color-type-change-on-input-crash-expected.txt: Added.
* fast/forms/color/color-type-change-on-input-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (202625 => 202626)


--- trunk/LayoutTests/ChangeLog	2016-06-29 16:18:38 UTC (rev 202625)
+++ trunk/LayoutTests/ChangeLog	2016-06-29 16:50:21 UTC (rev 202626)
@@ -1,3 +1,17 @@
+2016-06-29  David Kilzer  <[email protected]>
+
+        Crash when 'input' event handler for input[type=color] changes the input type
+        <https://webkit.org/b/159262>
+        <rdar://problem/27020404>
+
+        Reviewed by Daniel Bates.
+
+        Test based on a Blink change (patch by <[email protected]>):
+        <https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>
+
+        * fast/forms/color/color-type-change-on-input-crash-expected.txt: Added.
+        * fast/forms/color/color-type-change-on-input-crash.html: Added.
+
 2016-06-29  Adam Bergkvist  <[email protected]>
 
         WebRTC: Misc MediaStreamEvent fixes: Update build flag and remove PassRefPtr usage

Added: trunk/LayoutTests/fast/forms/color/color-type-change-on-input-crash-expected.txt (0 => 202626)


--- trunk/LayoutTests/fast/forms/color/color-type-change-on-input-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/color/color-type-change-on-input-crash-expected.txt	2016-06-29 16:50:21 UTC (rev 202626)
@@ -0,0 +1,9 @@
+Changing the input type from "color" to another in "input" event handler should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/forms/color/color-type-change-on-input-crash.html (0 => 202626)


--- trunk/LayoutTests/fast/forms/color/color-type-change-on-input-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/color/color-type-change-on-input-crash.html	2016-06-29 16:50:21 UTC (rev 202626)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+</head>
+<body>
+<script>
+description('Changing the input type from "color" to another in "input" event handler should not crash.');
+
+function runTest() {
+    var input = document.createElement('input');
+    input.type = 'color';
+    input._oninput_ = function() {
+        this.type = 'text';
+    };
+    internals.selectColorInColorChooser(input, '#ff0000');
+}
+
+runTest();
+</script>
+</body>
+</html>
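
Review bot: In runTest(), nothing checks that the 'input' handler actually ran, so the test passes whenever the page does not crash, including when the handler is never invoked. As shown here the handler is assigned to `input._oninput_` rather than `input.oninput`, and the `<script src=""` tag has an empty source and is not closed, which is where `description()` and the `successfullyParsed` line in the expected output would have to come from. Consider recording in the handler that it fired and asserting on that, and on `input.type` being 'text', after the internals.selectColorInColorChooser() call.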

Modified: trunk/Source/WebCore/ChangeLog (202625 => 202626)


--- trunk/Source/WebCore/ChangeLog	2016-06-29 16:18:38 UTC (rev 202625)
+++ trunk/Source/WebCore/ChangeLog	2016-06-29 16:50:21 UTC (rev 202626)
@@ -1,3 +1,23 @@
+2016-06-29  David Kilzer  <[email protected]>
+
+        Crash when 'input' event handler for input[type=color] changes the input type
+        <https://webkit.org/b/159262>
+        <rdar://problem/27020404>
+
+        Reviewed by Daniel Bates.
+
+        Fix based on a Blink change (patch by <[email protected]>):
+        <https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>
+
+        Test: fast/forms/color/color-type-change-on-input-crash.html
+
+        * html/ColorInputType.cpp:
+        (WebCore::ColorInputType::didChooseColor): Add EventQueueScope
+        before setValueFromRenderer() to fix the bug.
+        * html/HTMLInputElement.h:
+        (WebCore::HTMLInputElement::setValueFromRenderer): Add comment
+        about how to use this method.
+
 2016-06-29  Adam Bergkvist  <[email protected]>
 
         WebRTC: Misc MediaStreamEvent fixes: Update build flag and remove PassRefPtr usage

Modified: trunk/Source/WebCore/html/ColorInputType.cpp (202625 => 202626)


--- trunk/Source/WebCore/html/ColorInputType.cpp	2016-06-29 16:18:38 UTC (rev 202625)
+++ trunk/Source/WebCore/html/ColorInputType.cpp	2016-06-29 16:50:21 UTC (rev 202626)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -46,6 +46,7 @@
 #include "MouseEvent.h"
 #include "RenderObject.h"
 #include "RenderView.h"
+#include "ScopedEventQueue.h"
 #include "ScriptController.h"
 #include "ShadowRoot.h"
 
@@ -174,6 +175,7 @@
 {
     if (element().isDisabledOrReadOnly() || color == valueAsColor())
         return;
+    EventQueueScope scope;
     element().setValueFromRenderer(color.serialized());
     updateColorSwatch();
     element().dispatchFormControlChangeEvent();
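
Review bot: The `EventQueueScope scope;` line in didChooseColor() carries no comment saying why it is there, and its position matters: it has to precede setValueFromRenderer() and stay alive across updateColorSwatch() and dispatchFormControlChangeEvent() so that the 'input' handler, which per the log message may change the input type, does not run in the middle of this function. A one-line comment to that effect at the declaration would keep a later cleanup from narrowing or removing the scope.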

Modified: trunk/Source/WebCore/html/HTMLInputElement.h (202625 => 202626)


--- trunk/Source/WebCore/html/HTMLInputElement.h	2016-06-29 16:18:38 UTC (rev 202625)
+++ trunk/Source/WebCore/html/HTMLInputElement.h	2016-06-29 16:50:21 UTC (rev 202626)
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll ([email protected])
  *           (C) 1999 Antti Koivisto ([email protected])
  *           (C) 2000 Dirk Mueller ([email protected])
- * Copyright (C) 2004, 2005, 2006, 2007, 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Samsung Electronics. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
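
Review bot: The Apple copyright line in this hunk goes from the listed years "2004, 2005, 2006, 2007, 2010, 2016" to the range "2004-2016", which now covers years the list did not claim (2008, 2009, 2011 to 2015) and is unrelated to the crash fix. The ChangeLog entry for this file mentions only the added comment; if the range is intended, say so there, otherwise leave the list as it was.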
@@ -197,6 +197,9 @@
 
     String valueWithDefault() const;
 
+    // This function dispatches 'input' event for non-textfield types. Callers
+    // need to handle any DOM structure changes by event handlers, or need to
+    // delay the 'input' event with EventQueueScope.
     void setValueFromRenderer(const String&);
 
     bool canHaveSelection() const;
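
Review bot: The new comment above setValueFromRenderer() speaks only of "DOM structure changes", but the case this revision fixes is a handler changing the input's type; naming that case (for example "DOM structure or input type changes") would make the warning match the bug. Minor wording: "dispatches 'input' event" reads better as "dispatches an 'input' event".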