Diff
Modified: branches/safari-613.1.17.0-branch/LayoutTests/ChangeLog (290043 => 290044)
--- branches/safari-613.1.17.0-branch/LayoutTests/ChangeLog 2022-02-17 19:51:26 UTC (rev 290043)
+++ branches/safari-613.1.17.0-branch/LayoutTests/ChangeLog 2022-02-17 19:59:25 UTC (rev 290044)
@@ -1,5 +1,49 @@
2022-02-17 Russell Epstein <repst...@apple.com>
+ Cherry-pick r289693. rdar://problem/88264857
+
+ Suppress style invalidation when matching :checked
+ https://bugs.webkit.org/show_bug.cgi?id=235910
+
+ Patch by Rob Buis <rb...@igalia.com> on 2022-02-12
+ Reviewed by Antti Koivisto.
+
+ Source/WebCore:
+
+ Suppress style invalidation when matching :checked for option elements.
+
+ Test: fast/selectors/has-select-option-crash.html
+
+ * css/SelectorCheckerTestFunctions.h:
+ (WebCore::isChecked):
+ * html/HTMLOptionElement.cpp:
+ (WebCore::HTMLOptionElement::selected const):
+ (WebCore::HTMLOptionElement::setSelectedState):
+ * html/HTMLOptionElement.h:
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::updateListItemSelectedStates):
+ (WebCore::HTMLSelectElement::recalcListItems const):
+ * html/HTMLSelectElement.h:
+
+ LayoutTests:
+
+ * fast/selectors/has-select-option-crash-expected.txt: Added.
+ * fast/selectors/has-select-option-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@289693 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-02-12 Rob Buis <rb...@igalia.com>
+
+ Suppress style invalidation when matching :checked
+ https://bugs.webkit.org/show_bug.cgi?id=235910
+
+ Reviewed by Antti Koivisto.
+
+ * fast/selectors/has-select-option-crash-expected.txt: Added.
+ * fast/selectors/has-select-option-crash.html: Added.
+
+2022-02-17 Russell Epstein <repst...@apple.com>
+
Cherry-pick r289995. rdar://problem/87462825
REGRESSION(r285885) Unable to exit Trip Details in Amtrak app
Added: branches/safari-613.1.17.0-branch/LayoutTests/fast/selectors/has-select-option-crash-expected.txt (0 => 290044)
--- branches/safari-613.1.17.0-branch/LayoutTests/fast/selectors/has-select-option-crash-expected.txt (rev 0)
+++ branches/safari-613.1.17.0-branch/LayoutTests/fast/selectors/has-select-option-crash-expected.txt 2022-02-17 19:59:25 UTC (rev 290044)
@@ -0,0 +1 @@
+PASS
Added: branches/safari-613.1.17.0-branch/LayoutTests/fast/selectors/has-select-option-crash.html (0 => 290044)
--- branches/safari-613.1.17.0-branch/LayoutTests/fast/selectors/has-select-option-crash.html (rev 0)
+++ branches/safari-613.1.17.0-branch/LayoutTests/fast/selectors/has-select-option-crash.html 2022-02-17 19:59:25 UTC (rev 290044)
@@ -0,0 +1,18 @@
+<style>
+ :has(:not(:checked)) {
+ foo: bar;
+ }
+</style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ _onload_ = () => {
+ let select = document.createElement('select');
+ document.head.append(document.createElement('object'));
+ document.head.append(select);
+ select.append(document.createElement('option'));
+ document.execCommand('SelectAll');
+ select.append(document.createElement('div'));
+ document.write('PASS');
+ };
+</script>
Modified: branches/safari-613.1.17.0-branch/Source/WebCore/ChangeLog (290043 => 290044)
--- branches/safari-613.1.17.0-branch/Source/WebCore/ChangeLog 2022-02-17 19:51:26 UTC (rev 290043)
+++ branches/safari-613.1.17.0-branch/Source/WebCore/ChangeLog 2022-02-17 19:59:25 UTC (rev 290044)
@@ -1,5 +1,61 @@
2022-02-17 Russell Epstein <repst...@apple.com>
+ Cherry-pick r289693. rdar://problem/88264857
+
+ Suppress style invalidation when matching :checked
+ https://bugs.webkit.org/show_bug.cgi?id=235910
+
+ Patch by Rob Buis <rb...@igalia.com> on 2022-02-12
+ Reviewed by Antti Koivisto.
+
+ Source/WebCore:
+
+ Suppress style invalidation when matching :checked for option elements.
+
+ Test: fast/selectors/has-select-option-crash.html
+
+ * css/SelectorCheckerTestFunctions.h:
+ (WebCore::isChecked):
+ * html/HTMLOptionElement.cpp:
+ (WebCore::HTMLOptionElement::selected const):
+ (WebCore::HTMLOptionElement::setSelectedState):
+ * html/HTMLOptionElement.h:
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::updateListItemSelectedStates):
+ (WebCore::HTMLSelectElement::recalcListItems const):
+ * html/HTMLSelectElement.h:
+
+ LayoutTests:
+
+ * fast/selectors/has-select-option-crash-expected.txt: Added.
+ * fast/selectors/has-select-option-crash.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@289693 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-02-12 Rob Buis <rb...@igalia.com>
+
+ Suppress style invalidation when matching :checked
+ https://bugs.webkit.org/show_bug.cgi?id=235910
+
+ Reviewed by Antti Koivisto.
+
+ Suppress style invalidation when matching :checked for option elements.
+
+ Test: fast/selectors/has-select-option-crash.html
+
+ * css/SelectorCheckerTestFunctions.h:
+ (WebCore::isChecked):
+ * html/HTMLOptionElement.cpp:
+ (WebCore::HTMLOptionElement::selected const):
+ (WebCore::HTMLOptionElement::setSelectedState):
+ * html/HTMLOptionElement.h:
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::updateListItemSelectedStates):
+ (WebCore::HTMLSelectElement::recalcListItems const):
+ * html/HTMLSelectElement.h:
+
+2022-02-17 Russell Epstein <repst...@apple.com>
+
Cherry-pick r290005. rdar://problem/87596724
CrashTracer: com.apple.WebKit.WebContent at _javascript_Core: bmalloc_allocate_impl_impl_slow
Modified: branches/safari-613.1.17.0-branch/Source/WebCore/css/SelectorCheckerTestFunctions.h (290043 => 290044)
--- branches/safari-613.1.17.0-branch/Source/WebCore/css/SelectorCheckerTestFunctions.h 2022-02-17 19:51:26 UTC (rev 290043)
+++ branches/safari-613.1.17.0-branch/Source/WebCore/css/SelectorCheckerTestFunctions.h 2022-02-17 19:59:25 UTC (rev 290044)
@@ -115,7 +115,7 @@
return inputElement.shouldAppearChecked() && !inputElement.shouldAppearIndeterminate();
}
if (is<HTMLOptionElement>(element))
- return const_cast<HTMLOptionElement&>(downcast<HTMLOptionElement>(element)).selected();
+ return const_cast<HTMLOptionElement&>(downcast<HTMLOptionElement>(element)).selected(AllowStyleInvalidation::No);
return false;
}
Modified: branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLOptionElement.cpp (290043 => 290044)
--- branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLOptionElement.cpp 2022-02-17 19:51:26 UTC (rev 290043)
+++ branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLOptionElement.cpp 2022-02-17 19:59:25 UTC (rev 290044)
@@ -210,10 +210,10 @@
setAttributeWithoutSynchronization(valueAttr, value);
}
-bool HTMLOptionElement::selected() const
+bool HTMLOptionElement::selected(AllowStyleInvalidation allowStyleInvalidation) const
{
if (RefPtr<HTMLSelectElement> select = ownerSelectElement())
- select->updateListItemSelectedStates();
+ select->updateListItemSelectedStates(allowStyleInvalidation);
return m_isSelected;
}
@@ -228,12 +228,14 @@
select->optionSelectionStateChanged(*this, selected);
}
-void HTMLOptionElement::setSelectedState(bool selected)
+void HTMLOptionElement::setSelectedState(bool selected, AllowStyleInvalidation allowStyleInvalidation)
{
if (m_isSelected == selected)
return;
- Style::PseudoClassChangeInvalidation checkedInvalidation(*this, CSSSelector::PseudoClassChecked, selected);
+ std::optional<Style::PseudoClassChangeInvalidation> checkedInvalidation;
+ if (allowStyleInvalidation == AllowStyleInvalidation::Yes)
+ emplace(checkedInvalidation, *this, { { CSSSelector::PseudoClassChecked, selected } });
m_isSelected = selected;
Modified: branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLOptionElement.h (290043 => 290044)
--- branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLOptionElement.h 2022-02-17 19:51:26 UTC (rev 290043)
+++ branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLOptionElement.h 2022-02-17 19:59:25 UTC (rev 290044)
@@ -30,6 +30,8 @@
class HTMLSelectElement;
+enum class AllowStyleInvalidation { Yes, No };
+
class HTMLOptionElement final : public HTMLElement {
WTF_MAKE_ISO_ALLOCATED(HTMLOptionElement);
public:
@@ -45,7 +47,7 @@
WEBCORE_EXPORT String value() const;
WEBCORE_EXPORT void setValue(const String&);
- WEBCORE_EXPORT bool selected() const;
+ WEBCORE_EXPORT bool selected(AllowStyleInvalidation = AllowStyleInvalidation::Yes) const;
WEBCORE_EXPORT void setSelected(bool);
WEBCORE_EXPORT HTMLSelectElement* ownerSelectElement() const;
@@ -60,7 +62,7 @@
String textIndentedToRespectGroupLabel() const;
- void setSelectedState(bool);
+ void setSelectedState(bool, AllowStyleInvalidation = AllowStyleInvalidation::Yes);
private:
HTMLOptionElement(const QualifiedName&, Document&);
Modified: branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLSelectElement.cpp (290043 => 290044)
--- branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLSelectElement.cpp 2022-02-17 19:51:26 UTC (rev 290043)
+++ branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLSelectElement.cpp 2022-02-17 19:59:25 UTC (rev 290044)
@@ -41,7 +41,6 @@
#include "HTMLHRElement.h"
#include "HTMLNames.h"
#include "HTMLOptGroupElement.h"
-#include "HTMLOptionElement.h"
#include "HTMLOptionsCollection.h"
#include "HTMLParserIdioms.h"
#include "KeyboardEvent.h"
@@ -365,10 +364,10 @@
return ensureRareData().ensureNodeLists().addCachedCollection<HTMLOptionsCollection>(*this, SelectOptions);
}
-void HTMLSelectElement::updateListItemSelectedStates()
+void HTMLSelectElement::updateListItemSelectedStates(AllowStyleInvalidation allowStyleInvalidation)
{
if (m_shouldRecalcListItems)
- recalcListItems();
+ recalcListItems(true, allowStyleInvalidation);
}
void HTMLSelectElement::childrenChanged(const ChildChange& change)
@@ -762,7 +761,7 @@
cache->childrenChanged(this);
}
-void HTMLSelectElement::recalcListItems(bool updateSelectedStates) const
+void HTMLSelectElement::recalcListItems(bool updateSelectedStates, AllowStyleInvalidation allowStyleInvalidation) const
{
m_listItems.clear();
@@ -795,11 +794,11 @@
firstOption = &option;
if (option.selected()) {
if (foundSelected)
- foundSelected->setSelectedState(false);
+ foundSelected->setSelectedState(false, allowStyleInvalidation);
foundSelected = &option;
} else if (m_size <= 1 && !foundSelected && !option.isDisabledFormControl()) {
foundSelected = &option;
- foundSelected->setSelectedState(true);
+ foundSelected->setSelectedState(true, allowStyleInvalidation);
}
}
}
@@ -817,7 +816,7 @@
}
if (!foundSelected && m_size <= 1 && firstOption && !firstOption->selected())
- firstOption->setSelectedState(true);
+ firstOption->setSelectedState(true, allowStyleInvalidation);
}
int HTMLSelectElement::selectedIndex() const
Modified: branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLSelectElement.h (290043 => 290044)
--- branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLSelectElement.h 2022-02-17 19:51:26 UTC (rev 290043)
+++ branches/safari-613.1.17.0-branch/Source/WebCore/html/HTMLSelectElement.h 2022-02-17 19:59:25 UTC (rev 290044)
@@ -26,6 +26,7 @@
#pragma once
#include "HTMLFormControlElementWithState.h"
+#include "HTMLOptionElement.h"
#include "TypeAhead.h"
namespace WebCore {
@@ -69,7 +70,7 @@
void setRecalcListItems();
void invalidateSelectedItems();
- void updateListItemSelectedStates();
+ void updateListItemSelectedStates(AllowStyleInvalidation = AllowStyleInvalidation::Yes);
WEBCORE_EXPORT const Vector<HTMLElement*>& listItems() const;
@@ -144,7 +145,7 @@
void didRecalcStyle(Style::Change) final;
- void recalcListItems(bool updateSelectedStates = true) const;
+ void recalcListItems(bool updateSelectedStates = true, AllowStyleInvalidation = AllowStyleInvalidation::Yes) const;
void deselectItems(HTMLOptionElement* excludeElement = nullptr);
void typeAheadFind(KeyboardEvent&);
