Title: [216159] trunk
Revision: 216159
Author: [email protected]
Date: 2017-05-03 16:57:18 -0700 (Wed, 03 May 2017)

Log Message

SearchInputType could end up with a mismatched renderer.
https://bugs.webkit.org/show_bug.cgi?id=171547
<rdar://problem/31935047>

Reviewed by Antti Koivisto.

Source/WebCore:

Normally we've got the correct renderer by the time we call into SearchInputType.
However, since HTMLInputElement::updateType() eagerly updates the type while the associated renderers are done lazily
(so we don't get them updated until after the next tree update), we could actually end up
with a mismatched renderer (e.g. through form submission).

Test: fast/forms/change-input-type-and-submit-form-crash.html

* html/SearchInputType.cpp:
(WebCore::SearchInputType::addSearchResult):
(WebCore::SearchInputType::didSetValueByUserEdit):

LayoutTests:

* fast/forms/change-input-type-and-submit-form-crash-expected.txt: Added.
* fast/forms/change-input-type-and-submit-form-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (216158 => 216159)


--- trunk/LayoutTests/ChangeLog	2017-05-03 23:52:09 UTC (rev 216158)
+++ trunk/LayoutTests/ChangeLog	2017-05-03 23:57:18 UTC (rev 216159)
@@ -1,3 +1,14 @@
+2017-05-03  Zalan Bujtas  <[email protected]>
+
+        SearchInputType could end up with a mismatched renderer.
+        https://bugs.webkit.org/show_bug.cgi?id=171547
+        <rdar://problem/31935047>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/forms/change-input-type-and-submit-form-crash-expected.txt: Added.
+        * fast/forms/change-input-type-and-submit-form-crash.html: Added.
+
 2017-05-03  Ryan Haddad  <[email protected]>
 
         Mark media/modern-media-controls/slider/slider-styles.html as flaky on mac-wk1.

Added: trunk/LayoutTests/fast/forms/change-input-type-and-submit-form-crash-expected.txt (0 => 216159)


--- trunk/LayoutTests/fast/forms/change-input-type-and-submit-form-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/change-input-type-and-submit-form-crash-expected.txt	2017-05-03 23:57:18 UTC (rev 216159)
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+

Added: trunk/LayoutTests/fast/forms/change-input-type-and-submit-form-crash.html (0 => 216159)


--- trunk/LayoutTests/fast/forms/change-input-type-and-submit-form-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/change-input-type-and-submit-form-crash.html	2017-05-03 23:57:18 UTC (rev 216159)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that submitting a form soon after changing the input type is ok.</title>
+</head>
+<body>
+PASS if no crash or assert.
+<form id=formToSubmit><input id=inputToChange results="1"></form>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+document.body.offsetHeight;
+inputToChange.value = "1";
+inputToChange.type = "search";
+formToSubmit.submit();
+</script>
+<body>
+</html>
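Review bot: the tag on the line before `</html>` reads `<body>` where `</body>` is intended, so the markup opens a second body element instead of closing the first; the HTML parser tolerates it and the test still reaches the `formToSubmit.submit()` path, but it should be `+</body>` so the test file is well-formed.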

Modified: trunk/Source/WebCore/ChangeLog (216158 => 216159)


--- trunk/Source/WebCore/ChangeLog	2017-05-03 23:52:09 UTC (rev 216158)
+++ trunk/Source/WebCore/ChangeLog	2017-05-03 23:57:18 UTC (rev 216159)
@@ -1,3 +1,22 @@
+2017-05-03  Zalan Bujtas  <[email protected]>
+
+        SearchInputType could end up with a mismatched renderer.
+        https://bugs.webkit.org/show_bug.cgi?id=171547
+        <rdar://problem/31935047>
+
+        Reviewed by Antti Koivisto.
+
+        Normally we've got the correct renderer by the time we call into SearchInputType.
+        However, since HTMLInputElement::updateType() eagerly updates the type while the associated renderers are done lazily
+        (so we don't get them updated until after the next tree update), we could actually end up
+        with a mismatched renderer (e.g. through form submission).
+
+        Test: fast/forms/change-input-type-and-submit-form-crash.html
+
+        * html/SearchInputType.cpp:
+        (WebCore::SearchInputType::addSearchResult):
+        (WebCore::SearchInputType::didSetValueByUserEdit):
+
 2017-05-03  Jer Noble  <[email protected]>
 
         Make the VPIO audio unit a singleton, shared between multiple CaptureSources

Modified: trunk/Source/WebCore/html/SearchInputType.cpp (216158 => 216159)


--- trunk/Source/WebCore/html/SearchInputType.cpp	2017-05-03 23:52:09 UTC (rev 216158)
+++ trunk/Source/WebCore/html/SearchInputType.cpp	2017-05-03 23:57:18 UTC (rev 216159)
@@ -55,8 +55,11 @@
 void SearchInputType::addSearchResult()
 {
 #if !PLATFORM(IOS)
-    if (auto* renderer = element().renderer())
-        downcast<RenderSearchField>(*renderer).addSearchResult();
+    // Normally we've got the correct renderer by the time we get here. However when the input type changes
+    // we don't update the associated renderers until after the next tree update, so we could actually end up here
+    // with a mismatched renderer (e.g. through form submission).
+    if (is<RenderSearchField>(element().renderer()))
+        downcast<RenderSearchField>(*element().renderer()).addSearchResult();
 #endif
 }
 
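Review bot: the new condition and the downcast on the following line each call `element().renderer()` separately, whereas the removed code bound the pointer once in `auto* renderer`; keep a local (`auto* renderer = element().renderer();`, then `is<RenderSearchField>(renderer)` and `downcast<RenderSearchField>(*renderer)`) so the type check and the cast are guaranteed to operate on the same pointer. Also note the explicit null check from the removed `if (auto* renderer = ...)` is gone, so this now relies on the pointer overload of `is<RenderSearchField>()` returning false for a null renderer; worth confirming that is the overload being hit here.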
@@ -185,9 +188,8 @@
 
 void SearchInputType::didSetValueByUserEdit()
 {
-    if (m_cancelButton && element().renderer())
+    if (m_cancelButton && is<RenderSearchField>(element().renderer()))
         downcast<RenderSearchField>(*element().renderer()).updateCancelButtonVisibility();
-
     // If the incremental attribute is set, then dispatch the search event
     if (searchEventsShouldBeDispatched())
         startSearchEventTimer();
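Review bot: the blank line between the cancel-button update and the `// If the incremental attribute is set` comment is removed in this hunk, which is unrelated to the renderer fix and makes the two statements read as one block; keep the blank line. This site has the same shape as `addSearchResult()` above (type check on `element().renderer()` followed by a `downcast<RenderSearchField>` on a second call to it), so a small helper that returns the `RenderSearchField*` or null would serve both call sites and avoid repeating the pattern.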