Title: [240056] branches/safari-607-branch
Revision: 240056
Author: alanc...@apple.com
Date: 2019-01-16 15:26:45 -0800 (Wed, 16 Jan 2019)

Log Message

Cherry-pick r239786. rdar://problem/47260219

    [Datalist] Crash when input with datalist is dynamically added.
    https://bugs.webkit.org/show_bug.cgi?id=193012
    <rdar://problem/45923457>

    Reviewed by Brent Fulgham.

    Source/WebCore:

    In certain cases (cloning, setAttribute), it's too early to check for the list attribute in createShadowSubtree
    to see whether the input needs datalist related items. The list attribute is simply not set yet.
    This patch only addresses the obvious crash. m_dataListDropdownIndicator clearly lacks proper lifecycle management (see webkit.org/b/193032).

    Test: fast/forms/datalist/datalist-crash-when-dynamic.html

    * html/TextFieldInputType.cpp:
    (WebCore::TextFieldInputType::createShadowSubtree):
    (WebCore::TextFieldInputType::attributeChanged):
    (WebCore::TextFieldInputType::createDataListDropdownIndicator):
    * html/TextFieldInputType.h:

    LayoutTests:

    * fast/forms/datalist/datalist-crash-when-dynamic-expected.txt: Added.
    * fast/forms/datalist/datalist-crash-when-dynamic.html: Added.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239786 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-607-branch/LayoutTests/ChangeLog (240055 => 240056)


--- branches/safari-607-branch/LayoutTests/ChangeLog	2019-01-16 23:17:02 UTC (rev 240055)
+++ branches/safari-607-branch/LayoutTests/ChangeLog	2019-01-16 23:26:45 UTC (rev 240056)
@@ -1,3 +1,46 @@
+2019-01-15  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r239786. rdar://problem/47260219
+
+    [Datalist] Crash when input with datalist is dynamically added.
+    https://bugs.webkit.org/show_bug.cgi?id=193012
+    <rdar://problem/45923457>
+    
+    Reviewed by Brent Fulgham.
+    
+    Source/WebCore:
+    
+    In certain cases (cloning, setAttribute), it's too early to check for the list attribute in createShadowSubtree
+    to see whether the input needs datalist related items. The list attribute is simply not set yet.
+    This patch only addresses the obvious crash. m_dataListDropdownIndicator clearly lacks proper lifecycle management (see webkit.org/b/193032).
+    
+    Test: fast/forms/datalist/datalist-crash-when-dynamic.html
+    
+    * html/TextFieldInputType.cpp:
+    (WebCore::TextFieldInputType::createShadowSubtree):
+    (WebCore::TextFieldInputType::attributeChanged):
+    (WebCore::TextFieldInputType::createDataListDropdownIndicator):
+    * html/TextFieldInputType.h:
+    
+    LayoutTests:
+    
+    * fast/forms/datalist/datalist-crash-when-dynamic-expected.txt: Added.
+    * fast/forms/datalist/datalist-crash-when-dynamic.html: Added.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239786 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-01-09  Zalan Bujtas  <za...@apple.com>
+
+            [Datalist] Crash when input with datalist is dynamically added.
+            https://bugs.webkit.org/show_bug.cgi?id=193012
+            <rdar://problem/45923457>
+
+            Reviewed by Brent Fulgham.
+
+            * fast/forms/datalist/datalist-crash-when-dynamic-expected.txt: Added.
+            * fast/forms/datalist/datalist-crash-when-dynamic.html: Added.
+
 2019-01-09  Kocsen Chung  <kocsen_ch...@apple.com>
 
         Cherry-pick r239746. rdar://problem/47158728

Added: branches/safari-607-branch/LayoutTests/fast/forms/datalist/datalist-crash-when-dynamic-expected.txt (0 => 240056)


--- branches/safari-607-branch/LayoutTests/fast/forms/datalist/datalist-crash-when-dynamic-expected.txt	                        (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/forms/datalist/datalist-crash-when-dynamic-expected.txt	2019-01-16 23:26:45 UTC (rev 240056)
@@ -0,0 +1,2 @@
+Pass if no crash or assert
+  

Added: branches/safari-607-branch/LayoutTests/fast/forms/datalist/datalist-crash-when-dynamic.html (0 => 240056)


--- branches/safari-607-branch/LayoutTests/fast/forms/datalist/datalist-crash-when-dynamic.html	                        (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/forms/datalist/datalist-crash-when-dynamic.html	2019-01-16 23:26:45 UTC (rev 240056)
@@ -0,0 +1,16 @@
+<div>Pass if no crash or assert</div>
+<input id="ice" name="ice-cream-choice">
+<datalist id="ice-cream-flavors">
+    <option value="Chocolate">
+    </option><option value="Coconut">
+    </option><option value="Mint">
+	</option>
+</datalist>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+ice.setAttribute("list", "ice-cream-flavors");
+document.body.appendChild(ice.cloneNode());
+</script>
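
Review bot: nothing forces layout after the final `document.body.appendChild(ice.cloneNode());`; the only forced layout is the `document.body.offsetHeight;` that precedes `setAttribute`. Add a second `document.body.offsetHeight;` after the append so the cloned input is laid out inside the test itself and does not depend on what the harness does at dump time. The log message names cloning and setAttribute as separate cases, so a variant that clones without first calling `setAttribute` on a rendered input would also tell the two paths apart if one regresses.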

Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (240055 => 240056)


--- branches/safari-607-branch/Source/WebCore/ChangeLog	2019-01-16 23:17:02 UTC (rev 240055)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog	2019-01-16 23:26:45 UTC (rev 240056)
@@ -1,3 +1,55 @@
+2019-01-15  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r239786. rdar://problem/47260219
+
+    [Datalist] Crash when input with datalist is dynamically added.
+    https://bugs.webkit.org/show_bug.cgi?id=193012
+    <rdar://problem/45923457>
+    
+    Reviewed by Brent Fulgham.
+    
+    Source/WebCore:
+    
+    In certain cases (cloning, setAttribute), it's too early to check for the list attribute in createShadowSubtree
+    to see whether the input needs datalist related items. The list attribute is simply not set yet.
+    This patch only addresses the obvious crash. m_dataListDropdownIndicator clearly lacks proper lifecycle management (see webkit.org/b/193032).
+    
+    Test: fast/forms/datalist/datalist-crash-when-dynamic.html
+    
+    * html/TextFieldInputType.cpp:
+    (WebCore::TextFieldInputType::createShadowSubtree):
+    (WebCore::TextFieldInputType::attributeChanged):
+    (WebCore::TextFieldInputType::createDataListDropdownIndicator):
+    * html/TextFieldInputType.h:
+    
+    LayoutTests:
+    
+    * fast/forms/datalist/datalist-crash-when-dynamic-expected.txt: Added.
+    * fast/forms/datalist/datalist-crash-when-dynamic.html: Added.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239786 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-01-09  Zalan Bujtas  <za...@apple.com>
+
+            [Datalist] Crash when input with datalist is dynamically added.
+            https://bugs.webkit.org/show_bug.cgi?id=193012
+            <rdar://problem/45923457>
+
+            Reviewed by Brent Fulgham.
+
+            In certain cases (cloning, setAttribute), it's too early to check for the list attribute in createShadowSubtree
+            to see whether the input needs datalist related items. The list attribute is simply not set yet.
+            This patch only addresses the obvious crash. m_dataListDropdownIndicator clearly lacks proper lifecycle management (see webkit.org/b/193032).
+
+            Test: fast/forms/datalist/datalist-crash-when-dynamic.html
+
+            * html/TextFieldInputType.cpp:
+            (WebCore::TextFieldInputType::createShadowSubtree):
+            (WebCore::TextFieldInputType::attributeChanged):
+            (WebCore::TextFieldInputType::createDataListDropdownIndicator):
+            * html/TextFieldInputType.h:
+
 2019-01-09  Kocsen Chung  <kocsen_ch...@apple.com>
 
         Cherry-pick r239758. rdar://problem/47158613

Modified: branches/safari-607-branch/Source/WebCore/html/TextFieldInputType.cpp (240055 => 240056)


--- branches/safari-607-branch/Source/WebCore/html/TextFieldInputType.cpp	2019-01-16 23:17:02 UTC (rev 240055)
+++ branches/safari-607-branch/Source/WebCore/html/TextFieldInputType.cpp	2019-01-16 23:26:45 UTC (rev 240056)
@@ -299,9 +299,6 @@
 
 bool TextFieldInputType::needsContainer() const
 {
-#if ENABLE(DATALIST_ELEMENT)
-    return element()->hasAttributeWithoutSynchronization(listAttr);
-#endif
     return false;
 }
 
@@ -358,14 +355,7 @@
 
         m_container->appendChild(*m_capsLockIndicator);
     }
-
     updateAutoFillButton();
-
-#if ENABLE(DATALIST_ELEMENT)
-    m_dataListDropdownIndicator = DataListButtonElement::create(element()->document(), *this);
-    m_dataListDropdownIndicator->setInlineStyleProperty(CSSPropertyDisplay, CSSValueNone, true);
-    m_container->appendChild(*m_dataListDropdownIndicator);
-#endif
 }
 
 HTMLElement* TextFieldInputType::containerElement() const
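
Review bot: the blank line before `updateAutoFillButton();` is deleted together with the datalist block, which is a whitespace change unrelated to the fix. Keep the blank line so the hunk only removes the `#if ENABLE(DATALIST_ELEMENT)` block and the cherry-pick stays minimal.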
@@ -456,6 +446,18 @@
     return true;
 }
 
+#if ENABLE(DATALIST_ELEMENT)
+void TextFieldInputType::createDataListDropdownIndicator()
+{
+    ASSERT(!m_dataListDropdownIndicator);
+    if (!m_container)
+        createContainer();
+    m_dataListDropdownIndicator = DataListButtonElement::create(element()->document(), *this);
+    m_dataListDropdownIndicator->setInlineStyleProperty(CSSPropertyDisplay, CSSValueNone, true);
+    m_container->appendChild(*m_dataListDropdownIndicator);
+}
+#endif
+
 // FIXME: The name of this function doesn't make clear the two jobs it does:
 // 1) Limits the string to a particular number of grapheme clusters.
 // 2) Truncates the string at the first character which is a control character other than tab.
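
Review bot: in `createDataListDropdownIndicator()`, `m_container->appendChild(...)` relies on `createContainer()` always leaving `m_container` non-null, and nothing in the function states or checks that. Add `ASSERT(m_container);` after the `if (!m_container) createContainer();` pair. Also note that `ASSERT(!m_dataListDropdownIndicator);` is the only guard against a second call; in a release build a repeat call would append a second button to the container, so either keep every caller behind a null check or return early here when the indicator already exists.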
@@ -832,7 +834,7 @@
     m_cachedSuggestions = std::make_pair(String(), Vector<String>());
 
     if (!m_dataListDropdownIndicator)
-        return;
+        createDataListDropdownIndicator();
 
 #if !PLATFORM(IOS_FAMILY)
     m_dataListDropdownIndicator->setInlineStyleProperty(CSSPropertyDisplay, element()->list() ? CSSValueBlock : CSSValueNone, true);
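
Review bot: replacing `return;` with `createDataListDropdownIndicator();` means the indicator (and, through it, the container) is now built on the first call regardless of whether `element()->list()` is non-null; the next line then only toggles it between `CSSValueBlock` and `CSSValueNone`. If an input with no resolvable datalist can reach this function, consider creating the indicator only when `element()->list()` returns a target and returning early otherwise, so plain text fields do not pick up extra shadow nodes. A one-line comment explaining why creation is deferred to this point would also help, since the log message says the lifecycle of `m_dataListDropdownIndicator` is still unresolved.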

Modified: branches/safari-607-branch/Source/WebCore/html/TextFieldInputType.h (240055 => 240056)


--- branches/safari-607-branch/Source/WebCore/html/TextFieldInputType.h	2019-01-16 23:17:02 UTC (rev 240055)
+++ branches/safari-607-branch/Source/WebCore/html/TextFieldInputType.h	2019-01-16 23:26:45 UTC (rev 240056)
@@ -124,6 +124,7 @@
     void createAutoFillButton(AutoFillButtonType);
 
 #if ENABLE(DATALIST_ELEMENT)
+    void createDataListDropdownIndicator();
     bool isPresentingAttachedView() const final;
     void listAttributeTargetChanged() final;
     void displaySuggestions(DataListSuggestionActivationType);

Modified: branches/safari-607-branch/Source/WebCore/rendering/RenderThemeMac.mm (240055 => 240056)


--- branches/safari-607-branch/Source/WebCore/rendering/RenderThemeMac.mm	2019-01-16 23:17:02 UTC (rev 240055)
+++ branches/safari-607-branch/Source/WebCore/rendering/RenderThemeMac.mm	2019-01-16 23:26:45 UTC (rev 240056)
@@ -1145,8 +1145,11 @@
         [listButton setUserInterfaceLayoutDirection:NSUserInterfaceLayoutDirectionLeftToRight];
 
     [listButton setHighlighted:input.isPresentingAttachedView()];
-    if (!input.isPresentingAttachedView())
-        updatePressedState(listButton, *(input.dataListButtonElement()->renderer()));
+    if (!input.isPresentingAttachedView()) {
+        ASSERT(input.dataListButtonElement());
+        if (auto* buttonElement = input.dataListButtonElement())
+            updatePressedState(listButton, *buttonElement->renderer());
+    }
 
     [listButton drawWithFrame:listButtonFrame inView:documentViewFor(o)];
     [listButton setControlView:nil];
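
Review bot: the new `if (auto* buttonElement = input.dataListButtonElement())` guards the element, but `*buttonElement->renderer()` on the next line still dereferences the renderer unchecked. The button is created with `CSSPropertyDisplay` set to `CSSValueNone` in `createDataListDropdownIndicator()`, so a missing renderer is a state this code can plausibly meet. Fetch the renderer into a local and call `updatePressedState` only when it is non-null. Pairing `ASSERT(input.dataListButtonElement());` with a null check on the same expression is fine as a debug tripwire, but the same treatment should then cover the renderer.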
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
