Title: [252478] trunk
Revision: 252478
Author: [email protected]
Date: 2019-11-14 19:26:51 -0800 (Thu, 14 Nov 2019)
Log Message
Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root
https://bugs.webkit.org/show_bug.cgi?id=204208
<rdar://problem/57045830>
Reviewed by Tim Horton.
Source/WebCore:
r251110 refactored logic in RadioButtonGroup::updateCheckedState, such that it assumes that m_nameToGroupMap
always contains an entry for the given input element's name. Prior to r251110, it would bail if m_nameToGroupMap
didn't exist. In this particular case, a named input element is added to a shadow root that is disconnected from
the document. This means that in HTMLInputElement::didFinishInsertingNode(), we will avoid adding the element to
the radio button group, even though it has a tree scope due to the `isConnected()` check.
Later, when we try to set the `checked` attribute, we invoke updateCheckedState which sees that we have a tree
scope and assumes that we must have previously added the input element to the radio button map; this leads to a
nullptr deref, as the map is empty. Thus, to fix this, we change the `isConnected()` check to `isInTreeScope()`.
Test: fast/forms/radio-input-in-shadow-root-crash.html
* html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::didFinishInsertingNode):
LayoutTests:
Adds a new layout test to verify that we don't crash in this scenario.
* fast/forms/radio-input-in-shadow-root-crash-expected.txt: Added.
* fast/forms/radio-input-in-shadow-root-crash.html: Added.
2019-11-07 Youenn Fablet <[email protected]>
Update libwebrtc to M78
https://bugs.webkit.org/show_bug.cgi?id=203897
Reviewed by Eric Carlson.
* webrtc/simulcast-h264.html:
Update test to remove rid information from answer.
Diff
Modified: trunk/LayoutTests/ChangeLog (252477 => 252478)
--- trunk/LayoutTests/ChangeLog 2019-11-15 03:14:02 UTC (rev 252477)
+++ trunk/LayoutTests/ChangeLog 2019-11-15 03:26:51 UTC (rev 252478)
@@ -1,3 +1,16 @@
+2019-11-14 Wenson Hsieh <[email protected]>
+
+ Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root
+ https://bugs.webkit.org/show_bug.cgi?id=204208
+ <rdar://problem/57045830>
+
+ Reviewed by Tim Horton.
+
+ Adds a new layout test to verify that we don't crash in this scenario.
+
+ * fast/forms/radio-input-in-shadow-root-crash-expected.txt: Added.
+ * fast/forms/radio-input-in-shadow-root-crash.html: Added.
+
2019-11-07 Youenn Fablet <[email protected]>
Update libwebrtc to M78
Added: trunk/LayoutTests/fast/forms/radio-input-in-shadow-root-crash-expected.txt (0 => 252478)
--- trunk/LayoutTests/fast/forms/radio-input-in-shadow-root-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/radio-input-in-shadow-root-crash-expected.txt 2019-11-15 03:26:51 UTC (rev 252478)
@@ -0,0 +1,10 @@
+This test checks that the checked attribute can be set on a disconnected radio button inside a shadow root. This test passes if it does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS input.checked is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/forms/radio-input-in-shadow-root-crash.html (0 => 252478)
--- trunk/LayoutTests/fast/forms/radio-input-in-shadow-root-crash.html (rev 0)
+++ trunk/LayoutTests/fast/forms/radio-input-in-shadow-root-crash.html 2019-11-15 03:26:51 UTC (rev 252478)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+ <script src=""
+ <input type="radio" name="foo" />
+ <script>
+ description("This test checks that the checked attribute can be set on a disconnected radio button inside a shadow root. This test passes if it does not crash.");
+
+ input = document.querySelector("input")
+ const container = document.createElement("div");
+ container.attachShadow({ mode: "open" }).appendChild(input);
+ input.checked = true;
+ shouldBeTrue("input.checked");
+ </script>
+</body>
+</html>
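Review bot: The only assertion in radio-input-in-shadow-root-crash.html is `shouldBeTrue("input.checked")` on a single radio button, so the test would also pass if the crash were avoided without the button ever being registered in the shadow root's radio group. Consider appending a second `<input type="radio" name="foo">` to the same shadow root, checking it, and asserting that the first one becomes unchecked, so the group bookkeeping for a disconnected tree scope is covered as well as the absence of a crash. Minor style point: `input = document.querySelector("input")` has no trailing semicolon, unlike the lines around it.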
Modified: trunk/Source/WebCore/ChangeLog (252477 => 252478)
--- trunk/Source/WebCore/ChangeLog 2019-11-15 03:14:02 UTC (rev 252477)
+++ trunk/Source/WebCore/ChangeLog 2019-11-15 03:26:51 UTC (rev 252478)
@@ -1,3 +1,26 @@
+2019-11-14 Wenson Hsieh <[email protected]>
+
+ Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root
+ https://bugs.webkit.org/show_bug.cgi?id=204208
+ <rdar://problem/57045830>
+
+ Reviewed by Tim Horton.
+
+ r251110 refactored logic in RadioButtonGroup::updateCheckedState, such that it assumes that m_nameToGroupMap
+ always contains an entry for the given input element's name. Prior to r251110, it would bail if m_nameToGroupMap
+ didn't exist. In this particular case, a named input element is added to a shadow root that is disconnected from
+ the document. This means that in HTMLInputElement::didFinishInsertingNode(), we will avoid adding the element to
+ the radio button group, even though it has a tree scope due to the `isConnected()` check.
+
+ Later, when we try to set the `checked` attribute, we invoke updateCheckedState which sees that we have a tree
+ scope and assumes that we must have previously added the input element to the radio button map; this leads to a
+ nullptr deref, as the map is empty. Thus, to fix this, we change the `isConnected()` check to `isInTreeScope()`.
+
+ Test: fast/forms/radio-input-in-shadow-root-crash.html
+
+ * html/HTMLInputElement.cpp:
+ (WebCore::HTMLInputElement::didFinishInsertingNode):
+
2019-11-14 Jiewen Tan <[email protected]>
Unreviewed, update the feature status of WebAuthn
Modified: trunk/Source/WebCore/html/HTMLInputElement.cpp (252477 => 252478)
--- trunk/Source/WebCore/html/HTMLInputElement.cpp 2019-11-15 03:14:02 UTC (rev 252477)
+++ trunk/Source/WebCore/html/HTMLInputElement.cpp 2019-11-15 03:26:51 UTC (rev 252478)
@@ -1550,7 +1550,7 @@
void HTMLInputElement::didFinishInsertingNode()
{
HTMLTextFormControlElement::didFinishInsertingNode();
- if (isConnected() && !form())
+ if (isInTreeScope() && !form())
addToRadioButtonGroup();
}
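Review bot: The guard in didFinishInsertingNode() now registers the element on `isInTreeScope()`, but the hunk does not show the matching unregistration path. Please confirm that the removal counterpart of `addToRadioButtonGroup()` also runs when a radio button leaves a disconnected shadow root; otherwise the group could keep a pointer to an element that is no longer in that tree scope. Since the log message says RadioButtonGroup::updateCheckedState assumes m_nameToGroupMap always has an entry for the element's name, an assertion or early return there for a missing entry would turn any future mismatch between the two conditions into a diagnosable failure rather than a nullptr deref.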