Title: [257429] releases/WebKitGTK/webkit-2.28
- Revision: 257429
- Author: [email protected]
- Date: 2020-02-26 02:55:53 -0800 (Wed, 26 Feb 2020)
Log Message
Merge r256764 - Null Ptr Deref @ WebCore::Node::Treescope
https://bugs.webkit.org/show_bug.cgi?id=207748
Patch by Pinki Gyanchandani <[email protected]> on 2020-02-17
Reviewed by Darin Adler.
Source/WebCore:
Added a check for isTextField after updateLayoutIgnorePendingStylesheets as that could cause modification of input element type.
Test: editing/selection/ignore-selection-range-on-input-style-change.html
* html/HTMLTextFormControlElement.cpp:
(WebCore::HTMLTextFormControlElement::setSelectionRange):
LayoutTests:
Added a regression test provided by Ryosuke Niwa to verify the fix.
* editing/selection/ignore-selection-range-on-input-style-change-expected.txt: Added.
* editing/selection/ignore-selection-range-on-input-style-change.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog (257428 => 257429)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog 2020-02-26 10:55:48 UTC (rev 257428)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog 2020-02-26 10:55:53 UTC (rev 257429)
@@ -1,3 +1,15 @@
+2020-02-17 Pinki Gyanchandani <[email protected]>
+
+ Null Ptr Deref @ WebCore::Node::Treescope
+ https://bugs.webkit.org/show_bug.cgi?id=207748
+
+ Reviewed by Darin Adler.
+
+ Added a regression test provided by Ryosuke Niwa to verify the fix.
+
+ * editing/selection/ignore-selection-range-on-input-style-change-expected.txt: Added.
+ * editing/selection/ignore-selection-range-on-input-style-change.html: Added.
+
2020-02-14 Nikos Mouchtaris <[email protected]>
new FontFace() should not throw when failing to parse arguments
Added: releases/WebKitGTK/webkit-2.28/LayoutTests/editing/selection/ignore-selection-range-on-input-style-change-expected.txt (0 => 257429)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/editing/selection/ignore-selection-range-on-input-style-change-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/editing/selection/ignore-selection-range-on-input-style-change-expected.txt 2020-02-26 10:55:53 UTC (rev 257429)
@@ -0,0 +1,3 @@
+This test passes if there is no crash
+
+
Added: releases/WebKitGTK/webkit-2.28/LayoutTests/editing/selection/ignore-selection-range-on-input-style-change.html (0 => 257429)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/editing/selection/ignore-selection-range-on-input-style-change.html (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/editing/selection/ignore-selection-range-on-input-style-change.html 2020-02-26 10:55:53 UTC (rev 257429)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<script>
+
+function runTest() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ const input = document.createElement('input');
+ document.body.appendChild(input);
+
+ const inputwithautofocus = document.createElement('input');
+ inputwithautofocus.setAttribute('autofocus', '');
+ inputwithautofocus.addEventListener('focus', () => {
+ input.type = 'submit';
+ });
+ document.body.appendChild(inputwithautofocus);
+
+ input.setSelectionRange(0, 0);
+ getSelection().containsNode(document.body);
+}
+</script>
+<body _onload_=runTest()>
+<p>This test passes if there is no crash </p>
+</body>
+</html>
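Review bot: The test gives no indication of why `input.setSelectionRange(0, 0)` is expected to reach the `focus` listener on `inputwithautofocus`, which is the step that flips `input.type` to 'submit'. A one-line comment at the listener saying that the layout update inside setSelectionRange is what should deliver the focus event would make the regression intent readable without the bug report. Two smaller points: as rendered here the body attribute reads `_onload_=runTest()`, which would not register a load handler, so confirm the committed file uses `onload`; and the `<script>` element sits directly under `<html>` rather than inside `<head>` or `<body>`.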
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (257428 => 257429)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-02-26 10:55:48 UTC (rev 257428)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-02-26 10:55:53 UTC (rev 257429)
@@ -1,3 +1,17 @@
+2020-02-17 Pinki Gyanchandani <[email protected]>
+
+ Null Ptr Deref @ WebCore::Node::Treescope
+ https://bugs.webkit.org/show_bug.cgi?id=207748
+
+ Reviewed by Darin Adler.
+
+ Added a check for isTextField after updateLayoutIgnorePendingStylesheets as that could cause modification of input element type.
+
+ Test: editing/selection/ignore-selection-range-on-input-style-change.html
+
+ * html/HTMLTextFormControlElement.cpp:
+ (WebCore::HTMLTextFormControlElement::setSelectionRange):
+
2020-02-17 Sihui Liu <[email protected]>
IndexedDB: index cursor iteration is slow when there are a lot of index records from different object stores
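Review bot: The entry says updateLayoutIgnorePendingStylesheets "could cause modification of input element type" but not how, and it never connects that to the null dereference named in the title. Consider adding a sentence stating that script can run during the layout update (the regression test does this from a focus listener on an autofocus input) and which pointer ends up null when the element is no longer a text field.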
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/html/HTMLTextFormControlElement.cpp (257428 => 257429)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/html/HTMLTextFormControlElement.cpp 2020-02-26 10:55:48 UTC (rev 257428)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/html/HTMLTextFormControlElement.cpp 2020-02-26 10:55:53 UTC (rev 257429)
@@ -303,6 +303,9 @@
// FIXME: Removing this synchronous layout requires fixing setSelectionWithoutUpdatingAppearance not needing up-to-date style.
document().updateLayoutIgnorePendingStylesheets();
+
+ if (!isTextField())
+ return;
// Double-check the state of innerTextElement after the layout.
innerText = innerTextElement();
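Review bot: The new `if (!isTextField()) return;` carries no comment, while the line right after it does ("Double-check the state of innerTextElement after the layout"). A short comment here noting that the layout update can change the input type, as the ChangeLog explains, would keep a later cleanup from treating the check as redundant with the innerText re-fetch below. Style point: the hunk adds a blank line before the `if` but none between `return;` and the following comment, so the two post-layout re-validations read as one block; separate them or drop the added blank line for consistency.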
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes