- Revision: 214291
- Author: [email protected]
- Date: 2017-03-22 19:21:58 -0700 (Wed, 22 Mar 2017)
Log Message
ASSERT_WITH_SECURITY_IMPLICATION hit when removing an <input type="range"> while dragging on iOS
https://bugs.webkit.org/show_bug.cgi?id=165535
<rdar://problem/29559749>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Ultimately we should prevent SliderThumbElement::unregisterForTouchEvents() being called while
updating render tree. A quick fix for this is to move dispatchFormControlChangeEvent for input
from stopDragging up to the callers which really need to dispatch this event, i.e., finishing
dragging the slider. It is clear that not every caller of stopDragging wants to
dispatchFormControlChangeEvent.
Test: fast/forms/range/range-remove-on-drag.html
* html/shadow/SliderThumbElement.cpp:
(WebCore::SliderThumbElement::stopDragging):
(WebCore::SliderThumbElement::defaultEventHandler):
(WebCore::SliderThumbElement::handleTouchEndAndCancel):
LayoutTests:
This test case is only enabled in iOS simulator WK2.
* TestExpectations:
* fast/forms/range/range-remove-on-drag-expected.txt: Added.
* fast/forms/range/range-remove-on-drag.html: Added.
* platform/ios-simulator-wk2/TestExpectations:
Diff
Modified: trunk/LayoutTests/ChangeLog (214290 => 214291)
--- trunk/LayoutTests/ChangeLog 2017-03-23 01:16:07 UTC (rev 214290)
+++ trunk/LayoutTests/ChangeLog 2017-03-23 02:21:58 UTC (rev 214291)
@@ -1,3 +1,18 @@
+2017-03-22 Jiewen Tan <[email protected]>
+
+ ASSERT_WITH_SECURITY_IMPLICATION hit when removing an <input type="range"> while dragging on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=165535
+ <rdar://problem/29559749>
+
+ Reviewed by Ryosuke Niwa.
+
+ This test case is only enabled in iOS simulator WK2.
+
+ * TestExpectations:
+ * fast/forms/range/range-remove-on-drag-expected.txt: Added.
+ * fast/forms/range/range-remove-on-drag.html: Added.
+ * platform/ios-simulator-wk2/TestExpectations:
+
2017-03-22 Antti Koivisto <[email protected]>
Dynamically applied :empty pseudo class with display:none does not get unapplied
Modified: trunk/LayoutTests/TestExpectations (214290 => 214291)
--- trunk/LayoutTests/TestExpectations 2017-03-23 01:16:07 UTC (rev 214290)
+++ trunk/LayoutTests/TestExpectations 2017-03-23 02:21:58 UTC (rev 214291)
@@ -1225,6 +1225,9 @@
# Test disabled until we can fix layout of orthogonal writing mode roots
fast/table/colspanMinWidth-vertical.html [ Skip ]
+# Test only works on iOS WK2. webkit.org/b/165535
+fast/forms/range/range-remove-on-drag.html [ Skip ]
+
### END OF -disabled tests
########################################
Added: trunk/LayoutTests/fast/forms/range/range-remove-on-drag-expected.txt (0 => 214291)
--- trunk/LayoutTests/fast/forms/range/range-remove-on-drag-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/range/range-remove-on-drag-expected.txt 2017-03-23 02:21:58 UTC (rev 214291)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 10: Test Passed! WebKit didn't crash.
+
Added: trunk/LayoutTests/fast/forms/range/range-remove-on-drag.html (0 => 214291)
--- trunk/LayoutTests/fast/forms/range/range-remove-on-drag.html (rev 0)
+++ trunk/LayoutTests/fast/forms/range/range-remove-on-drag.html 2017-03-23 02:21:58 UTC (rev 214291)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script>
+ count = 0;
+ function finish()
+ {
+ count = count + 1;
+ if (count == 2 && window.testRunner) {
+ console.log("Test Passed! WebKit didn't crash.")
+ testRunner.notifyDone();
+ }
+ }
+ function remove(event)
+ {
+ event.target.remove();
+ finish();
+ }
+ </script>
+ </head>
+ <body>
+ <input id="input" type="range" style="width: 500px;" _oninput_="remove(event)">
+ <script>
+ function getDragUIScript(startX, startY, endX, endY)
+ {
+ return `
+ (function() {
+ uiController.dragFromPointToPoint(${startX}, ${startY}, ${endX}, ${endY}, 0.15, function() {
+ uiController.uiScriptComplete("Dispatched Drag");
+ });
+ })();`
+ }
+
+ _onload_ = function() {
+ var input = document.getElementById("input");
+ var centerX = input.offsetLeft + input.offsetWidth / 2;
+ var centerY = input.offsetTop + input.offsetHeight / 2;
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.runUIScript(getDragUIScript(centerX, centerY, input.offsetLeft + input.offsetWidth, centerY), function(result) { finish(); });
+ }
+ };
+ </script>
+ </body>
+</html>
\ No newline at end of file
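Review bot: finish() only counts calls and does not record who made them, so if the input event fires more than once during the drag, two remove() calls reach count == 2 and notifyDone() runs before the runUIScript callback has reported the end of the drag, which is the touch-end path this change modifies. Consider tracking the two conditions separately (one flag set in remove(), one set in the UI script callback) and making remove() act only on its first call. Minor: count is an implicit global, the console.log line has no terminating semicolon, and the file lacks a trailing newline.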
Modified: trunk/LayoutTests/platform/ios-simulator-wk2/TestExpectations (214290 => 214291)
--- trunk/LayoutTests/platform/ios-simulator-wk2/TestExpectations 2017-03-23 01:16:07 UTC (rev 214290)
+++ trunk/LayoutTests/platform/ios-simulator-wk2/TestExpectations 2017-03-23 02:21:58 UTC (rev 214291)
@@ -1932,3 +1932,6 @@
webkit.org/b/168924 scrollingcoordinator/ios/non-stable-viewport-scroll.html [ Pass Failure ]
webkit.org/b/169640 imported/w3c/web-platform-tests/html/webappapis/scripting/events/event-handler-_javascript_.html [ Failure ]
+
+# Test only works on iOS WK2. webkit.org/b/165535
+fast/forms/range/range-remove-on-drag.html [ Pass ]
Modified: trunk/Source/WebCore/ChangeLog (214290 => 214291)
--- trunk/Source/WebCore/ChangeLog 2017-03-23 01:16:07 UTC (rev 214290)
+++ trunk/Source/WebCore/ChangeLog 2017-03-23 02:21:58 UTC (rev 214291)
@@ -1,3 +1,24 @@
+2017-03-22 Jiewen Tan <[email protected]>
+
+ ASSERT_WITH_SECURITY_IMPLICATION hit when removing an <input type="range"> while dragging on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=165535
+ <rdar://problem/29559749>
+
+ Reviewed by Ryosuke Niwa.
+
+ Utimately we should prevent SliderThumbElement::unregisterForTouchEvents() being called while
+ updating render tree. A quick fix for this is to move dispatchFormControlChangeEvent for input
+ from stopDragging up to the callers which really needs to dispatch this event, i.e., finishing
+ dragging the slider. It is clear that not every caller of stopDragging wants to
+ dispatchFormControlChangeEvent.
+
+ Test: fast/forms/range/range-remove-on-drag.html
+
+ * html/shadow/SliderThumbElement.cpp:
+ (WebCore::SliderThumbElement::stopDragging):
+ (WebCore::SliderThumbElement::defaultEventHandler):
+ (WebCore::SliderThumbElement::handleTouchEndAndCancel):
+
2017-03-22 Antti Koivisto <[email protected]>
Dynamically applied :empty pseudo class with display:none does not get unapplied
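Review bot: the description paragraph has a typo, "Utimately", and "callers which really needs" should read "need". The entry also calls this a quick fix and says unregisterForTouchEvents() should ultimately not be called while updating the render tree; please reference a follow-up bug here so the remaining work stays tracked.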
Modified: trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp (214290 => 214291)
--- trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp 2017-03-23 01:16:07 UTC (rev 214290)
+++ trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp 2017-03-23 02:21:58 UTC (rev 214291)
@@ -335,10 +335,6 @@
m_inDragMode = false;
if (renderer())
renderer()->setNeedsLayout();
-
- RefPtr<HTMLInputElement> input = hostInput();
- if (input)
- input->dispatchFormControlChangeEvent();
}
#if !PLATFORM(IOS)
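Review bot: with the dispatch removed from the end of stopDragging(), any caller other than the two updated in this patch silently stops firing a change event. Please confirm every remaining call site was audited, and consider a short comment on stopDragging() stating that callers are now responsible for calling dispatchFormControlChangeEvent().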
@@ -369,6 +365,7 @@
startDragging();
return;
} else if (eventType == eventNames().mouseupEvent && isLeftButton) {
+ input->dispatchFormControlChangeEvent();
stopDragging();
return;
} else if (eventType == eventNames().mousemoveEvent) {
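Review bot: in the mouseup branch, input->dispatchFormControlChangeEvent() dereferences input with no null check visible in this hunk, whereas the code removed from stopDragging() and the code added to handleTouchEndAndCancel() both take a RefPtr from hostInput() and test it first. Please confirm input is a checked, ref-counted pointer at this point, since dispatching the event can run script. The event also now fires before stopDragging() rather than after m_inDragMode is cleared, so a change handler observes the thumb still in drag mode; if that reordering is intended, say so in the ChangeLog.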
@@ -499,6 +496,9 @@
clearExclusiveTouchIdentifier();
+ RefPtr<HTMLInputElement> input = hostInput();
+ if (input)
+ input->dispatchFormControlChangeEvent();
stopDragging();
}
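Review bot: handleTouchEndAndCancel() covers touch cancel as well as touch end, so the added dispatch fires a change event when a drag is cancelled, while the ChangeLog argues the event belongs only to callers that finish a drag. This preserves the old behaviour of stopDragging(), but please state whether dispatch on cancel is intended, or split the two cases. It would also help to note in a comment that script run by the dispatch can remove the element before stopDragging() executes.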