Title: [121930] trunk

Diff

Modified: trunk/LayoutTests/ChangeLog (121929 => 121930)


--- trunk/LayoutTests/ChangeLog	2012-07-06 00:20:44 UTC (rev 121929)
+++ trunk/LayoutTests/ChangeLog	2012-07-06 00:26:39 UTC (rev 121930)
@@ -1,3 +1,13 @@
+2012-07-05  Hayato Ito  <[email protected]>
+
+        [Crash] Click an element which will be 'display: none' on focus.
+        https://bugs.webkit.org/show_bug.cgi?id=90516
+
+        Reviewed by Hajime Morita.
+
+        * fast/events/display-none-on-focus-crash-expected.txt: Added.
+        * fast/events/display-none-on-focus-crash.html: Added.
+
 2012-07-05  Leandro Gracia Gil  <[email protected]>
 
         Character iterators should not advance if they are at end

Added: trunk/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt (0 => 121930)


--- trunk/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt	2012-07-06 00:26:39 UTC (rev 121930)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+
Property changes on: trunk/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: trunk/LayoutTests/fast/events/display-none-on-focus-crash.html (0 => 121930)


--- trunk/LayoutTests/fast/events/display-none-on-focus-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/events/display-none-on-focus-crash.html	2012-07-06 00:26:39 UTC (rev 121930)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<head>
+<style>
+.c3 { padding-top: 200px; }
+.c3:focus { display: none; }
+</style>
+</head>
+<body></body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+var iframe1;
+function boom() {
+    iframe1 = document.createElement('iframe');
+    document.documentElement.appendChild(iframe1);
+    document.documentElement.appendChild(document.createElement('li'));
+    document.documentElement.appendChild(document.createElement('iframe'));
+    iframe1.setAttribute('class', 'c3');
+    eventSender.mouseMoveTo(1000, 100);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+    eventSender.mouseMoveTo(100, 100);
+    eventSender.mouseDown();
+    document.body.innerHTML = 'Test passes if it does not crash.'
+}
+window._onload_ = boom;
+</script>
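Review bot: boom() calls eventSender.mouseMoveTo/mouseDown/mouseUp unguarded while testRunner is guarded with `if (window.testRunner)`, so outside DumpRenderTree the function throws a ReferenceError at the first eventSender call and `document.body.innerHTML = 'Test passes if it does not crash.'` is never reached; either guard the eventSender block the same way or write the pass text before the mouse events so a manual run in a browser still shows a result. Two smaller points: `window._onload_ = boom;` as it appears here is not the `onload` property, so the handler would never fire (if that is only mangling by the list archive and the committed file reads `window.onload`, disregard); and the markup has no `<html>` element and places `<script>` after `</body>`, which parses but is worth tidying for a test others will copy as a template.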
Property changes on: trunk/LayoutTests/fast/events/display-none-on-focus-crash.html
___________________________________________________________________

Added: svn:eol-style

Modified: trunk/Source/WebCore/ChangeLog (121929 => 121930)


--- trunk/Source/WebCore/ChangeLog	2012-07-06 00:20:44 UTC (rev 121929)
+++ trunk/Source/WebCore/ChangeLog	2012-07-06 00:26:39 UTC (rev 121930)
@@ -1,3 +1,25 @@
+2012-07-05  Hayato Ito  <[email protected]>
+
+        [Crash] Click an element which will be 'display: none' on focus.
+        https://bugs.webkit.org/show_bug.cgi?id=90516
+
+        Reviewed by Hajime Morita.
+
+        EventHandler::handleMousePressEventSingleClick checks whether
+        innerNode has a renderer in the beginning of the function.  But
+        the renderer may disappear in the middle of the function since its
+        style has just become 'display:none'.  As a result, it touches null renderer
+        in EventHandler.cpp:517:
+            VisiblePosition visiblePos(innerNode->renderer()->positionForPoint(event.localPoint()));
+        In the case of 'display:none', we don't have to continue.  So call
+        updateLayoutIgnorePendingStylesheets() in the beginning so that we
+        can early exit and do not touch null renderer.
+
+        Test: fast/events/display-none-on-focus-crash.html
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::handleMousePressEventSingleClick):
+
 2012-07-05  Benjamin Poulain  <[email protected]>
 
         Double release of resources if the load is canceled in a callback of ResourceLoader::didFinishLoading
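Review bot: the explanation says the renderer "may disappear in the middle of the function" but does not name which call in handleMousePressEventSingleClick triggers the style recalc that applies `:focus { display: none; }`; naming it would let a reader confirm that the new updateLayoutIgnorePendingStylesheets() call really precedes it rather than merely making the crash harder to hit. The reference "EventHandler.cpp:517" will also go stale as the file changes; the quoted statement on the next line identifies the site well enough on its own.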

Modified: trunk/Source/WebCore/page/EventHandler.cpp (121929 => 121930)


--- trunk/Source/WebCore/page/EventHandler.cpp	2012-07-06 00:20:44 UTC (rev 121929)
+++ trunk/Source/WebCore/page/EventHandler.cpp	2012-07-06 00:26:39 UTC (rev 121930)
@@ -496,6 +496,7 @@
 
 bool EventHandler::handleMousePressEventSingleClick(const MouseEventWithHitTestResults& event)
 {
+    m_frame->document()->updateLayoutIgnorePendingStylesheets();
     Node* innerNode = targetNode(event);
     if (!(innerNode && innerNode->renderer() && m_mouseDownMayStartSelect))
         return false;
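Review bot: moving the layout update ahead of the `innerNode->renderer()` check closes the reported path, but it only holds if nothing between that check and the later `innerNode->renderer()->positionForPoint(event.localPoint())` use (EventHandler.cpp:517 per the ChangeLog) can dirty style again; a second `if (!innerNode->renderer()) return false;` directly before that dereference would guard it regardless of what runs in between. Also, `m_frame->document()` is dereferenced here without a null check; the visible lines do not show whether this function already assumes a non-null document, so confirm that is guaranteed at this point before the hunk lands.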
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
