Title: [254722] trunk
- Revision
- 254722
- Author
- [email protected]
- Date
- 2020-01-16 16:47:09 -0800 (Thu, 16 Jan 2020)
Log Message
REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
https://bugs.webkit.org/show_bug.cgi?id=206337
Reviewed by Geoffrey Garen.
Source/WebCore:
The crash was caused by RadioButtonGroups::hasCheckedButton getting called by RadioInputType's
matchesIndeterminatePseudoClass during a style update which happens before the input element had a chance
to register itself with RadioButtonGroups in HTMLInputElement::didFinishInsertingNode.
This happens, in particular, when didFinishInsertingNode of other nodes that appear before the input element
executes arbitrary author scripts or otherwise update the style.
Test: fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html
* dom/RadioButtonGroups.cpp:
(WebCore::RadioButtonGroups::hasCheckedButton const):
LayoutTests:
Added a regression test. The test crashes on trunk and causes an infinite loop before r251110.
* fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
* fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (254721 => 254722)
--- trunk/LayoutTests/ChangeLog 2020-01-17 00:41:17 UTC (rev 254721)
+++ trunk/LayoutTests/ChangeLog 2020-01-17 00:47:09 UTC (rev 254722)
@@ -1,3 +1,15 @@
+2020-01-16 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
+ https://bugs.webkit.org/show_bug.cgi?id=206337
+
+ Reviewed by Geoffrey Garen.
+
+ Added a regression test. The test crashes on trunk and causes an infinite loop before r251110.
+
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html: Added.
+
2020-01-16 Lauro Moura <[email protected]>
[GTK] Gardening indexeddb tests
Added: trunk/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt (0 => 254722)
--- trunk/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt 2020-01-17 00:47:09 UTC (rev 254722)
@@ -0,0 +1,6 @@
+This tests updating the pseudo class state of a radio button in the middle of node insertions.
+The test passes if WebKit does not crash or hang.
+
+PASS
+
+
Added: trunk/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html (0 => 254722)
--- trunk/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html (rev 0)
+++ trunk/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html 2020-01-17 00:47:09 UTC (rev 254722)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests updating the pseudo class state of a radio button in the middle of node insertions.<br>
+The test passes if WebKit does not crash or hang.</p>
+<div id="result"></div>
+<style>
+:indeterminate { color: green; }
+</style>
+<script>
+
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+const div = document.createElement('div');
+
+const script = document.createElement('script');
+script.textContent = 'window.c = getComputedStyle(input).color; document.getElementById("result").textContent = "PASS"';
+div.appendChild(script);
+
+const input = document.createElement('input');
+input.type = 'radio';
+input.name = 'baz';
+input.form = 'foo';
+div.appendChild(input);
+
+const input2 = document.createElement('input');
+input2.type = 'radio';
+input2.name = 'bar';
+input2.form = 'foo';
+document.body.appendChild(input2);
+
+document.body.appendChild(div);
+
+</script>
+</body>
+</html>
\ No newline at end of file
Modified: trunk/Source/WebCore/ChangeLog (254721 => 254722)
--- trunk/Source/WebCore/ChangeLog 2020-01-17 00:41:17 UTC (rev 254721)
+++ trunk/Source/WebCore/ChangeLog 2020-01-17 00:47:09 UTC (rev 254722)
@@ -1,3 +1,22 @@
+2020-01-16 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
+ https://bugs.webkit.org/show_bug.cgi?id=206337
+
+ Reviewed by Geoffrey Garen.
+
+ The crash was caused by RadioButtonGroups::hasCheckedButton getting called by RadioInputType's
+ matchesIndeterminatePseudoClass during a style update which happens before the input element had a chance
+ to register itself with RadioButtonGroups in HTMLInputElement::didFinishInsertingNode.
+
+ This happens, in particular, when didFinishInsertingNode of other nodes that appear before the input element
+ executes arbitrary author scripts or otherwise update the style.
+
+ Test: fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html
+
+ * dom/RadioButtonGroups.cpp:
+ (WebCore::RadioButtonGroups::hasCheckedButton const):
+
2020-01-16 Zalan Bujtas <[email protected]>
[LFC][IFC] Optimize LineCandidateContent for the most common type of content
Modified: trunk/Source/WebCore/dom/RadioButtonGroups.cpp (254721 => 254722)
--- trunk/Source/WebCore/dom/RadioButtonGroups.cpp 2020-01-17 00:41:17 UTC (rev 254721)
+++ trunk/Source/WebCore/dom/RadioButtonGroups.cpp 2020-01-17 00:47:09 UTC (rev 254722)
@@ -254,7 +254,10 @@
const AtomString& name = element.name();
if (name.isEmpty())
return element.checked();
- return m_nameToGroupMap.get(name.impl())->checkedButton();
+ auto* group = m_nameToGroupMap.get(name.impl());
+ if (!group)
+ return false; // FIXME: Update the radio button group before author script had a chance to run in didFinishInsertingNode().
+ return group->checkedButton();
}
bool RadioButtonGroups::isInRequiredGroup(HTMLInputElement& element) const
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
