[webkit-changes] [236803] trunk

Wed, 03 Oct 2018 11:28:08 -0700

Title: [236803] trunk
Revision
236803
Author
cdu...@apple.com
Date
2018-10-03 11:26:29 -0700 (Wed, 03 Oct 2018)

Log Message

Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
https://bugs.webkit.org/show_bug.cgi?id=190252

Reviewed by Alex Christensen.

Source/WebCore:

Add a null check for element() after firing the 'input' event and before firing the 'change' event
in case the input event listener changes the input type.

Tests: fast/dom/HTMLInputElement/change-type-in-click-event-listener.html
       fast/dom/HTMLInputElement/change-type-in-input-event-listener.html

* html/BaseCheckableInputType.cpp:
(WebCore::BaseCheckableInputType::fireInputAndChangeEvents):

LayoutTests:

Add layout test coverage.

* fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt: Added.
* fast/dom/HTMLInputElement/change-type-in-click-event-listener.html: Added.
* fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt: Added.
* fast/dom/HTMLInputElement/change-type-in-input-event-listener.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (236802 => 236803)


--- trunk/LayoutTests/ChangeLog	2018-10-03 18:23:53 UTC (rev 236802)
+++ trunk/LayoutTests/ChangeLog	2018-10-03 18:26:29 UTC (rev 236803)
@@ -1,3 +1,17 @@
+2018-10-03  Chris Dumez  <cdu...@apple.com>
+
+        Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
+        https://bugs.webkit.org/show_bug.cgi?id=190252
+
+        Reviewed by Alex Christensen.
+
+        Add layout test coverage.
+
+        * fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt: Added.
+        * fast/dom/HTMLInputElement/change-type-in-click-event-listener.html: Added.
+        * fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt: Added.
+        * fast/dom/HTMLInputElement/change-type-in-input-event-listener.html: Added.
+
 2018-10-03  Matt Lewis  <jlew...@apple.com>
 
         Unreviewed, rolling out r236781.

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt (0 => 236803)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt	2018-10-03 18:26:29 UTC (rev 236803)
@@ -0,0 +1,10 @@
+Make sure we do not crash if the 'click' event listener changes the input type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Click event was fired
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html (0 => 236803)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html	2018-10-03 18:26:29 UTC (rev 236803)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure we do not crash if the 'click' event listener changes the input type.");
+
+_onload_ = () => {
+    testInput.addEventListener("click", () => {
+        testPassed("Click event was fired");
+        testInput.type = "text";
+    });
+
+    testInput.addEventListener("input", () => {
+        testFailed("input event should not have fired");
+    });
+    testInput.addEventListener("change", () => {
+        testFailed("change event should not have fired");
+    });
+    testInput.click();
+    setTimeout(finishJSTest, 0);
+};
+</script>
+<input type="checkbox" id="testInput"></input>
+</body>
+</html>

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt (0 => 236803)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt	2018-10-03 18:26:29 UTC (rev 236803)
@@ -0,0 +1,10 @@
+Make sure we do not crash if the 'input' event listener changes the input type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Input event was fired
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html (0 => 236803)


--- trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html	2018-10-03 18:26:29 UTC (rev 236803)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure we do not crash if the 'input' event listener changes the input type.");
+
+_onload_ = () => {
+    testInput.addEventListener("input", () => {
+        testPassed("Input event was fired");
+        testInput.type = "text";
+    });
+    testInput.addEventListener("change", () => {
+        testFailed("change event should not have fired");
+    });
+    testInput.click();
+    setTimeout(finishJSTest, 0);
+};
+</script>
+<input type="checkbox" id="testInput"></input>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (236802 => 236803)


--- trunk/Source/WebCore/ChangeLog	2018-10-03 18:23:53 UTC (rev 236802)
+++ trunk/Source/WebCore/ChangeLog	2018-10-03 18:26:29 UTC (rev 236803)
@@ -1,5 +1,21 @@
 2018-10-03  Chris Dumez  <cdu...@apple.com>
 
+        Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
+        https://bugs.webkit.org/show_bug.cgi?id=190252
+
+        Reviewed by Alex Christensen.
+
+        Add a null check for element() after firing the 'input' event and before firing the 'change' event
+        in case the input event listener changes the input type.
+
+        Tests: fast/dom/HTMLInputElement/change-type-in-click-event-listener.html
+               fast/dom/HTMLInputElement/change-type-in-input-event-listener.html
+
+        * html/BaseCheckableInputType.cpp:
+        (WebCore::BaseCheckableInputType::fireInputAndChangeEvents):
+
+2018-10-03  Chris Dumez  <cdu...@apple.com>
+
         Passing noopener=NOOPENER to window.open() should cause the new window to not have an opener
         https://bugs.webkit.org/show_bug.cgi?id=190251

Modified: trunk/Source/WebCore/html/BaseCheckableInputType.cpp (236802 => 236803)


--- trunk/Source/WebCore/html/BaseCheckableInputType.cpp	2018-10-03 18:23:53 UTC (rev 236802)
+++ trunk/Source/WebCore/html/BaseCheckableInputType.cpp	2018-10-03 18:26:29 UTC (rev 236803)
@@ -129,7 +129,8 @@
 
     element()->setTextAsOfLastFormControlChangeEvent(String());
     element()->dispatchInputEvent();
-    element()->dispatchFormControlChangeEvent();
+    if (auto* element = this->element())
+        element->dispatchFormControlChangeEvent();
 }
 
 } // namespace WebCore

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to