[webkit-changes] [258532] trunk

Mon, 16 Mar 2020 17:15:22 -0700

Title: [258532] trunk
Revision
258532
Author
[email protected]
Date
2020-03-16 17:14:34 -0700 (Mon, 16 Mar 2020)

Log Message

A change event gets dispatched when textarea gets changed without focus
https://bugs.webkit.org/show_bug.cgi?id=202144

Patch by ChangSeok Oh <[email protected]> on 2020-03-16
Reviewed by Ryosuke Niwa.

Source/WebCore:

A crash happens in WebCore::ValidationMessage::buildBubbleTree. An immediate reason
is that DOM tree is modified in buildBubbleTree triggered by a timer.
The function calls document.updateLayout() that causes a change event
for textarea to fire when something changed in the textarea.
This bug is not reproduced on Mac because buildBubbleTree is not called.
See ValidationMessage::setMessage.
On the other hand, the root cause of this issue is triggering the change event
for textarea even if it is not focused when a change is made. This behavior
is different to what Gecko and Chromium do. When loading the test, they do not
trigger the change event although the textarea is filled by the script
since the textarea is not focused. Only when we manually make a change (meaning
the textarea is focused by user input), the event gets dispatched. To fix it,
setChangedSinceLastFormControlChangeEvent(true) is moved below the focus check
in HTMLTextAreaElement::subtreeHasChanged();

Test: fast/forms/textfield-onchange-without-focus.html

* html/HTMLTextAreaElement.cpp:
(WebCore::HTMLTextAreaElement::subtreeHasChanged):

LayoutTests:

The test should be identical to the extected result without crash.

* fast/forms/textfield-onchange-without-focus-expected.html: Added.
* fast/forms/textfield-onchange-without-focus.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (258531 => 258532)


--- trunk/LayoutTests/ChangeLog	2020-03-17 00:12:17 UTC (rev 258531)
+++ trunk/LayoutTests/ChangeLog	2020-03-17 00:14:34 UTC (rev 258532)
@@ -1,3 +1,15 @@
+2020-03-16  ChangSeok Oh  <[email protected]>
+
+        A change event gets dispatched when textarea gets changed without focus
+        https://bugs.webkit.org/show_bug.cgi?id=202144
+
+        Reviewed by Ryosuke Niwa.
+
+        The test should be identical to the extected result without crash.
+
+        * fast/forms/textfield-onchange-without-focus-expected.html: Added.
+        * fast/forms/textfield-onchange-without-focus.html: Added.
+
 2020-03-16  Keith Miller  <[email protected]>
 
         _javascript_ identifier grammar supports unescaped astral symbols, but JSC doesn’t

Added: trunk/LayoutTests/fast/forms/textfield-onchange-without-focus-expected.html (0 => 258532)


--- trunk/LayoutTests/fast/forms/textfield-onchange-without-focus-expected.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/textfield-onchange-without-focus-expected.html	2020-03-17 00:14:34 UTC (rev 258532)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<script>
+function test() {
+  const select = document.querySelector('select');
+  select.setCustomValidity('validity');
+  select.reportValidity();
+
+  const textarea = document.querySelector('textarea');
+  textarea.setRangeText('lol');
+  select.autofocus = true;
+
+  setTimeout(() => {
+    select.reportValidity();
+    textarea.blur();
+  }, 0);
+}
+</script>
+<body _onload_='test()'>
+  <p>The onchange should not be triggered by textarea when it got something changed without being focused. Pass if not crashed, and the focused select box is displayed.</p>
+  <select></select>
+  <textarea></textarea>
+</body>

Added: trunk/LayoutTests/fast/forms/textfield-onchange-without-focus.html (0 => 258532)


--- trunk/LayoutTests/fast/forms/textfield-onchange-without-focus.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/textfield-onchange-without-focus.html	2020-03-17 00:14:34 UTC (rev 258532)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<script>
+function test() {
+  const select = document.querySelector('select');
+  select.setCustomValidity('validity');
+  select.reportValidity();
+
+  const textarea = document.querySelector('textarea');
+  textarea.setRangeText('lol');
+  select.autofocus = true;
+
+  setTimeout(() => {
+    select.reportValidity();
+    textarea.blur();
+  }, 0);
+}
+</script>
+<body _onload_='test()'>
+  <p>The onchange should not be triggered by textarea when it got something changed without being focused. Pass if not crashed, and the focused select box is displayed.</p>
+  <select></select>
+  <textarea _onchange_="document.all[2].appendChild(document.querySelector('select'));"></textarea>
+</body>

Modified: trunk/Source/WebCore/ChangeLog (258531 => 258532)


--- trunk/Source/WebCore/ChangeLog	2020-03-17 00:12:17 UTC (rev 258531)
+++ trunk/Source/WebCore/ChangeLog	2020-03-17 00:14:34 UTC (rev 258532)
@@ -1,3 +1,30 @@
+2020-03-16  ChangSeok Oh  <[email protected]>
+
+        A change event gets dispatched when textarea gets changed without focus
+        https://bugs.webkit.org/show_bug.cgi?id=202144
+
+        Reviewed by Ryosuke Niwa.
+
+        A crash happens in WebCore::ValidationMessage::buildBubbleTree. An immediate reason
+        is that DOM tree is modified in buildBubbleTree triggered by a timer.
+        The function calls document.updateLayout() that causes a change event
+        for textarea to fire when something changed in the textarea.
+        This bug is not reproduced on Mac because buildBubbleTree is not called.
+        See ValidationMessage::setMessage.
+        On the other hand, the root cause of this issue is triggering the change event
+        for textarea even if it is not focused when a change is made. This behavior
+        is different to what Gecko and Chromium do. When loading the test, they do not
+        trigger the change event although the textarea is filled by the script
+        since the textarea is not focused. Only when we manually make a change (meaning
+        the textarea is focused by user input), the event gets dispatched. To fix it,
+        setChangedSinceLastFormControlChangeEvent(true) is moved below the focus check
+        in HTMLTextAreaElement::subtreeHasChanged();
+
+        Test: fast/forms/textfield-onchange-without-focus.html
+
+        * html/HTMLTextAreaElement.cpp:
+        (WebCore::HTMLTextAreaElement::subtreeHasChanged):
+
 2020-03-16  Simon Fraser  <[email protected]>
 
         Update touch event regions once per frame

Modified: trunk/Source/WebCore/html/HTMLTextAreaElement.cpp (258531 => 258532)


--- trunk/Source/WebCore/html/HTMLTextAreaElement.cpp	2020-03-17 00:12:17 UTC (rev 258531)
+++ trunk/Source/WebCore/html/HTMLTextAreaElement.cpp	2020-03-17 00:14:34 UTC (rev 258532)
@@ -284,7 +284,6 @@
 
 void HTMLTextAreaElement::subtreeHasChanged()
 {
-    setChangedSinceLastFormControlChangeEvent(true);
     setFormControlValueMatchesRenderer(false);
     updateValidity();
 
@@ -291,6 +290,8 @@
     if (!focused())
         return;
 
+    setChangedSinceLastFormControlChangeEvent(true);
+
     if (RefPtr<Frame> frame = document().frame())
         frame->editor().textDidChangeInTextArea(this);
     // When typing in a textarea, childrenChanged is not called, so we need to force the directionality check.

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to