Skip to site navigation (Press enter)

[webkit-changes] [285306] trunk

akeerthi Thu, 04 Nov 2021 13:36:33 -0700

Title: [285306] trunk

Revision: 285306
Author: [email protected]
Date: 2021-11-04 13:35:46 -0700 (Thu, 04 Nov 2021)

Log Message

Crash when opening and closing color picker while resetting form
https://bugs.webkit.org/show_bug.cgi?id=232689
rdar://84979791


Reviewed by Simon Fraser.

Source/WebKit:

Resetting a <form> element containing an <input type=color> resets
the value of the color input. If the WebProcess believes that a
color picker is visible in the UIProcess, an IPC message
(WebPageProxy_SetColorPickerColor) is sent to the UIProcess to update
the selected color.

If the color picker is closed by user action (on macOS, clicking
outside the popover), the UIProcess nulls out `m_colorPicker`, and
notifies the WebProcess that the color picker is no longer visible
by sending the WebPage_DidEndColorPicker message.

Consequently, it is possible for WebPageProxy_SetColorPickerColor to be
dispatched in the UIProcess after `m_colorPicker` is nulled out, while
the WebProcess is still waiting to process WebPage_DidEndColorPicker.
This sequence of events results in a MESSAGE_CHECK failure in
WebPageProxy::setColorPickerColor, leading to WebProcess termination.

To fix, remove the MESSAGE_CHECK and replace it with a null check, since
a null `m_colorPicker` is a valid state.

Test: fast/forms/color/color-input-reset-crash.html

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::setColorPickerColor):

LayoutTests:

Added a layout test to exercise the crash.

* fast/forms/color/color-input-reset-crash-expected.txt: Added.
* fast/forms/color/color-input-reset-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/UIProcess/WebPageProxy.cpp

Added Paths

trunk/LayoutTests/fast/forms/color/color-input-reset-crash-expected.txt
trunk/LayoutTests/fast/forms/color/color-input-reset-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (285305 => 285306)


--- trunk/LayoutTests/ChangeLog	2021-11-04 20:31:43 UTC (rev 285305)
+++ trunk/LayoutTests/ChangeLog	2021-11-04 20:35:46 UTC (rev 285306)
@@ -1,3 +1,16 @@
+2021-11-04  Aditya Keerthi  <[email protected]>
+
+        Crash when opening and closing color picker while resetting form
+        https://bugs.webkit.org/show_bug.cgi?id=232689
+        rdar://84979791
+
+        Reviewed by Simon Fraser.
+
+        Added a layout test to exercise the crash.
+
+        * fast/forms/color/color-input-reset-crash-expected.txt: Added.
+        * fast/forms/color/color-input-reset-crash.html: Added.
+
 2021-11-04  Eric Hutchison  <[email protected]>
 
         Update test expectations for http/tests/appcache/fail-on-update-2.html.

Added: trunk/LayoutTests/fast/forms/color/color-input-reset-crash-expected.txt (0 => 285306)


--- trunk/LayoutTests/fast/forms/color/color-input-reset-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/color/color-input-reset-crash-expected.txt	2021-11-04 20:35:46 UTC (rev 285306)
@@ -0,0 +1,10 @@
+This test verifies that opening and closing a color picker, while resetting the form associated with the input, does not result in a crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Did not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/forms/color/color-input-reset-crash.html (0 => 285306)


--- trunk/LayoutTests/fast/forms/color/color-input-reset-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/color/color-input-reset-crash.html	2021-11-04 20:35:46 UTC (rev 285306)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+    <script src=""
+    <script src=""
+</head>
+<body>
+    <form id="form">
+        <input type="color" id="color">
+    </form>
+</body>
+<script>
+jsTestIsAsync = true;
+
+addEventListener("load", async () => {
+    description("This test verifies that opening and closing a color picker, while resetting the form associated with the input, does not result in a crash.");
+
+    let interval = 100;
+
+    setInterval(() => {
+        form.reset();
+    }, interval);
+
+    await UIHelper.activateElement(color);
+    await UIHelper.ensurePresentationUpdate();
+
+    await UIHelper.activateAt(0, 0);
+    await UIHelper.delayFor(interval);
+
+    testPassed("Did not crash.");
+
+    finishJSTest();
+});
+</script>
+</html>

Modified: trunk/Source/WebKit/ChangeLog (285305 => 285306)


--- trunk/Source/WebKit/ChangeLog	2021-11-04 20:31:43 UTC (rev 285305)
+++ trunk/Source/WebKit/ChangeLog	2021-11-04 20:35:46 UTC (rev 285306)
@@ -1,3 +1,36 @@
+2021-11-04  Aditya Keerthi  <[email protected]>
+
+        Crash when opening and closing color picker while resetting form
+        https://bugs.webkit.org/show_bug.cgi?id=232689
+        rdar://84979791
+
+        Reviewed by Simon Fraser.
+
+        Resetting a <form> element containing an <input type=color> resets
+        the value of the color input. If the WebProcess believes that a
+        color picker is visible in the UIProcess, an IPC message
+        (WebPageProxy_SetColorPickerColor) is sent to the UIProcess to update
+        the selected color.
+
+        If the color picker is closed by user action (on macOS, clicking
+        outside the popover), the UIProcess nulls out `m_colorPicker`, and
+        notifies the WebProcess that the color picker is no longer visible
+        by sending the WebPage_DidEndColorPicker message.
+
+        Consequently, it is possible for WebPageProxy_SetColorPickerColor to be
+        dispatched in the UIProcess after `m_colorPicker` is nulled out, while
+        the WebProcess is still waiting to process WebPage_DidEndColorPicker.
+        This sequence of events results in a MESSAGE_CHECK failure in
+        WebPageProxy::setColorPickerColor, leading to WebProcess termination.
+
+        To fix, remove the MESSAGE_CHECK and replace it with a null check, since
+        a null `m_colorPicker` is a valid state.
+
+        Test: fast/forms/color/color-input-reset-crash.html
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::setColorPickerColor):
+
 2021-11-04  John Pascoe  <[email protected]>
 
         [WebAuthn] Implement add/remove_virtual_authenticator for transport=internal

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (285305 => 285306)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2021-11-04 20:31:43 UTC (rev 285305)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2021-11-04 20:35:46 UTC (rev 285306)
@@ -6325,9 +6325,8 @@
 
 void WebPageProxy::setColorPickerColor(const WebCore::Color& color)
 {
-    MESSAGE_CHECK(m_process, m_colorPicker);
-
-    m_colorPicker->setSelectedColor(color);
+    if (m_colorPicker)
+        m_colorPicker->setSelectedColor(color);
 }
 
 void WebPageProxy::endColorPicker()

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes