Title: [206357] trunk
- Revision: 206357
- Author: [email protected]
- Date: 2016-09-24 20:17:21 -0700 (Sat, 24 Sep 2016)
Log Message
REGRESSION (r205524): Crash under WTF::numGraphemeClusters()
https://bugs.webkit.org/show_bug.cgi?id=162534
<rdar://problem/28463828>

Reviewed by David Kilzer.

Source/WebCore:

We were constructing a StringView from a temporary String and then passing it to
WTF::numGraphemeClusters().

Test: fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash.html

* html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::handleBeforeTextInsertedEvent):

LayoutTests:

Add layout test coverage.

* fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash-expected.txt: Added.
* fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (206356 => 206357)
--- trunk/LayoutTests/ChangeLog 2016-09-25 02:39:38 UTC (rev 206356)
+++ trunk/LayoutTests/ChangeLog 2016-09-25 03:17:21 UTC (rev 206357)
@@ -1,5 +1,18 @@
2016-09-24 Chris Dumez <[email protected]>
+ REGRESSION (r205524): Crash under WTF::numGraphemeClusters()
+ https://bugs.webkit.org/show_bug.cgi?id=162534
+ <rdar://problem/28463828>
+
+ Reviewed by David Kilzer.
+
+ Add layout test coverage.
+
+ * fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash-expected.txt: Added.
+ * fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash.html: Added.
+
+2016-09-24 Chris Dumez <[email protected]>
+
<a download> does not support Blob URLs
https://bugs.webkit.org/show_bug.cgi?id=156099
<rdar://problem/25535520>
Added: trunk/LayoutTests/fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash-expected.txt (0 => 206357)
--- trunk/LayoutTests/fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash-expected.txt 2016-09-25 03:17:21 UTC (rev 206357)
@@ -0,0 +1,3 @@
+This test passes if it does not crash.
+
+
Added: trunk/LayoutTests/fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash.html (0 => 206357)
--- trunk/LayoutTests/fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash.html 2016-09-25 03:17:21 UTC (rev 206357)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test passes if it does not crash.</p>
+<input type="text" id="testInput" value="test value"/>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.getElementById("testInput").focus();
+for (var i = 0; i < 20; i++) {
+ document.execCommand("InsertText", true, "Arial");
+ document.execCommand("ContentReadOnly", true, null);
+ document.execCommand("FontSize", false, "6");
+}
+</script>
+</body>
+</html>
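Review bot: The loop in the script (`for (var i = 0; i < 20; i++)`) has no comment explaining why 20 iterations are needed or why `ContentReadOnly` and `FontSize` are interleaved with `InsertText`. The only pass criterion is "does not crash", and a read through a stale view does not fault on every run, so a short comment pointing at https://bugs.webkit.org/show_bug.cgi?id=162534 and noting that the test is most meaningful under a memory-checking build would help whoever later trims or debugs it.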
Modified: trunk/Source/WebCore/ChangeLog (206356 => 206357)
--- trunk/Source/WebCore/ChangeLog 2016-09-25 02:39:38 UTC (rev 206356)
+++ trunk/Source/WebCore/ChangeLog 2016-09-25 03:17:21 UTC (rev 206357)
@@ -1,5 +1,21 @@
2016-09-24 Chris Dumez <[email protected]>
+ REGRESSION (r205524): Crash under WTF::numGraphemeClusters()
+ https://bugs.webkit.org/show_bug.cgi?id=162534
+ <rdar://problem/28463828>
+
+ Reviewed by David Kilzer.
+
+ We were constructing a StringView from a temporary String and then passing it to
+ WTF::numGraphemeClusters().
+
+ Test: fast/dom/HTMLInputElement/handleBeforeTextInsertedEvent-crash.html
+
+ * html/TextFieldInputType.cpp:
+ (WebCore::TextFieldInputType::handleBeforeTextInsertedEvent):
+
+2016-09-24 Chris Dumez <[email protected]>
+
<a download> does not support Blob URLs
https://bugs.webkit.org/show_bug.cgi?id=156099
<rdar://problem/25535520>
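Review bot: The entry text "We were constructing a StringView from a temporary String and then passing it to WTF::numGraphemeClusters()" names the cause but not the consequence or the fix. Suggest adding that the view outlived the temporary whose characters it pointed into, and that the change keeps the value in a `String` local so the characters stay alive for both `numGraphemeClusters()` calls in handleBeforeTextInsertedEvent.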
Modified: trunk/Source/WebCore/html/TextFieldInputType.cpp (206356 => 206357)
--- trunk/Source/WebCore/html/TextFieldInputType.cpp 2016-09-25 02:39:38 UTC (rev 206356)
+++ trunk/Source/WebCore/html/TextFieldInputType.cpp 2016-09-25 03:17:21 UTC (rev 206357)
@@ -456,7 +456,7 @@
// We use RenderTextControlSingleLine::text() instead of InputElement::value()
// because they can be mismatched by sanitizeValue() in
// HTMLInputElement::subtreeHasChanged() in some cases.
- StringView innerText = element().innerTextValue();
+ String innerText = element().innerTextValue();
unsigned oldLength = numGraphemeClusters(innerText);
// selectionLength represents the selection length of this text field to be
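Review bot: On the changed declaration `String innerText = element().innerTextValue();`, nothing tells a future reader that the owning type is required here, and the removed line `StringView innerText = element().innerTextValue();` compiled without complaint. Suggest extending the comment above it to say that the returned String is a temporary and `innerText` must own it, and consider a follow-up that makes StringView reject construction from an rvalue String so this pattern fails at compile time rather than at run time.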
@@ -470,7 +470,7 @@
int selectionStart = element().selectionStart();
ASSERT(selectionStart <= element().selectionEnd());
int selectionCodeUnitCount = element().selectionEnd() - selectionStart;
- selectionLength = selectionCodeUnitCount ? numGraphemeClusters(innerText.substring(selectionStart, selectionCodeUnitCount)) : 0;
+ selectionLength = selectionCodeUnitCount ? numGraphemeClusters(StringView(innerText).substring(selectionStart, selectionCodeUnitCount)) : 0;
}
ASSERT(oldLength >= selectionLength);
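Review bot: In the changed line, `substring(selectionStart, selectionCodeUnitCount)` receives two signed ints whose only visible check is `ASSERT(selectionStart <= element().selectionEnd());` just above, which is a debug-build assertion. Please confirm that the selection offsets index the same string as `innerText` (the comment in the previous hunk says the rendered text and the element value can be mismatched) and that `substring` clamps out-of-range arguments. The `StringView(innerText)` temporary itself is fine, since `innerText` is a named local that outlives the expression.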