Title: [255023] branches/safari-609-branch
- Revision
- 255023
- Author
- [email protected]
- Date
- 2020-01-23 13:44:18 -0800 (Thu, 23 Jan 2020)
Log Message
Cherry-pick r254722. rdar://problem/58811423
REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
https://bugs.webkit.org/show_bug.cgi?id=206337
Reviewed by Geoffrey Garen.
Source/WebCore:
The crash was caused by RadioButtonGroups::hasCheckedButton getting called by RadioInputType's
matchesIndeterminatePseudoClass during a style update which happens before the input element had a chance
to register itself with RadioButtonGroups in HTMLInputElement::didFinishInsertingNode.
This happens, in particular, when didFinishInsertingNode of other nodes that appear before the input element
executes arbitrary author scripts or otherwise update the style.
Test: fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html
* dom/RadioButtonGroups.cpp:
(WebCore::RadioButtonGroups::hasCheckedButton const):
LayoutTests:
Added a regression test. The test crashes on trunk and causes an infinite loop before r251110.
* fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
* fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254722 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-609-branch/LayoutTests/ChangeLog (255022 => 255023)
--- branches/safari-609-branch/LayoutTests/ChangeLog 2020-01-23 21:44:15 UTC (rev 255022)
+++ branches/safari-609-branch/LayoutTests/ChangeLog 2020-01-23 21:44:18 UTC (rev 255023)
@@ -1,5 +1,50 @@
2020-01-23 Russell Epstein <[email protected]>
+ Cherry-pick r254722. rdar://problem/58811423
+
+ REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
+ https://bugs.webkit.org/show_bug.cgi?id=206337
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ The crash was caused by RadioButtonGroups::hasCheckedButton getting called by RadioInputType's
+ matchesIndeterminatePseudoClass during a style update which happens before the input element had a chance
+ to register itself with RadioButtonGroups in HTMLInputElement::didFinishInsertingNode.
+
+ This happens, in particular, when didFinishInsertingNode of other nodes that appear before the input element
+ executes arbitrary author scripts or otherwise update the style.
+
+ Test: fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html
+
+ * dom/RadioButtonGroups.cpp:
+ (WebCore::RadioButtonGroups::hasCheckedButton const):
+
+ LayoutTests:
+
+ Added a regression test. The test crashes on trunk and causes an infinite loop before r251110.
+
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254722 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-01-16 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
+ https://bugs.webkit.org/show_bug.cgi?id=206337
+
+ Reviewed by Geoffrey Garen.
+
+ Added a regression test. The test crashes on trunk and causes an infinite loop before r251110.
+
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html: Added.
+
+2020-01-23 Russell Epstein <[email protected]>
+
Cherry-pick r254705. rdar://problem/58811395
REGRESSION: [ Mac WK2 ] fast/text/international/unicode-bidi-other-neutrals.html is a flaky failure
Added: branches/safari-609-branch/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt (0 => 255023)
--- branches/safari-609-branch/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt (rev 0)
+++ branches/safari-609-branch/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt 2020-01-23 21:44:18 UTC (rev 255023)
@@ -0,0 +1,6 @@
+This tests updating the pseudo class state of a radio button in the middle of node insertions.
+The test passes if WebKit does not crash or hang.
+
+PASS
+
+
Added: branches/safari-609-branch/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html (0 => 255023)
--- branches/safari-609-branch/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html (rev 0)
+++ branches/safari-609-branch/LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html 2020-01-23 21:44:18 UTC (rev 255023)
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests updating the pseudo class state of a radio button in the middle of node insertions.<br>
+The test passes if WebKit does not crash or hang.</p>
+<div id="result"></div>
+<style>
+:indeterminate { color: green; }
+</style>
+<script>
+
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+const div = document.createElement('div');
+
+const script = document.createElement('script');
+script.textContent = 'window.c = getComputedStyle(input).color; document.getElementById("result").textContent = "PASS"';
+div.appendChild(script);
+
+const input = document.createElement('input');
+input.type = 'radio';
+input.name = 'baz';
+input.form = 'foo';
+div.appendChild(input);
+
+const input2 = document.createElement('input');
+input2.type = 'radio';
+input2.name = 'bar';
+input2.form = 'foo';
+document.body.appendChild(input2);
+
+document.body.appendChild(div);
+
+</script>
+</body>
+</html>
\ No newline at end of file
Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (255022 => 255023)
--- branches/safari-609-branch/Source/WebCore/ChangeLog 2020-01-23 21:44:15 UTC (rev 255022)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog 2020-01-23 21:44:18 UTC (rev 255023)
@@ -1,5 +1,57 @@
2020-01-23 Russell Epstein <[email protected]>
+ Cherry-pick r254722. rdar://problem/58811423
+
+ REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
+ https://bugs.webkit.org/show_bug.cgi?id=206337
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ The crash was caused by RadioButtonGroups::hasCheckedButton getting called by RadioInputType's
+ matchesIndeterminatePseudoClass during a style update which happens before the input element had a chance
+ to register itself with RadioButtonGroups in HTMLInputElement::didFinishInsertingNode.
+
+ This happens, in particular, when didFinishInsertingNode of other nodes that appear before the input element
+ executes arbitrary author scripts or otherwise update the style.
+
+ Test: fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html
+
+ * dom/RadioButtonGroups.cpp:
+ (WebCore::RadioButtonGroups::hasCheckedButton const):
+
+ LayoutTests:
+
+ Added a regression test. The test crashes on trunk and causes an infinite loop before r251110.
+
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash-expected.txt: Added.
+ * fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254722 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-01-16 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views
+ https://bugs.webkit.org/show_bug.cgi?id=206337
+
+ Reviewed by Geoffrey Garen.
+
+ The crash was caused by RadioButtonGroups::hasCheckedButton getting called by RadioInputType's
+ matchesIndeterminatePseudoClass during a style update which happens before the input element had a chance
+ to register itself with RadioButtonGroups in HTMLInputElement::didFinishInsertingNode.
+
+ This happens, in particular, when didFinishInsertingNode of other nodes that appear before the input element
+ executes arbitrary author scripts or otherwise update the style.
+
+ Test: fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html
+
+ * dom/RadioButtonGroups.cpp:
+ (WebCore::RadioButtonGroups::hasCheckedButton const):
+
+2020-01-23 Russell Epstein <[email protected]>
+
Cherry-pick r254710. rdar://problem/58807942
[WebAuthn] User Verification (UV) option present on a CTAP2 authenticatorMakeCredential while the authenticator has not advertised support for it
Modified: branches/safari-609-branch/Source/WebCore/dom/RadioButtonGroups.cpp (255022 => 255023)
--- branches/safari-609-branch/Source/WebCore/dom/RadioButtonGroups.cpp 2020-01-23 21:44:15 UTC (rev 255022)
+++ branches/safari-609-branch/Source/WebCore/dom/RadioButtonGroups.cpp 2020-01-23 21:44:18 UTC (rev 255023)
@@ -254,7 +254,10 @@
const AtomString& name = element.name();
if (name.isEmpty())
return element.checked();
- return m_nameToGroupMap.get(name.impl())->checkedButton();
+ auto* group = m_nameToGroupMap.get(name.impl());
+ if (!group)
+ return false; // FIXME: Update the radio button group before author script had a chance to run in didFinishInsertingNode().
+ return group->checkedButton();
}
bool RadioButtonGroups::isInRequiredGroup(HTMLInputElement& element) const
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
