Title: [134377] trunk
- Revision
- 134377
- Author
- [email protected]
- Date
- 2012-11-13 00:23:48 -0800 (Tue, 13 Nov 2012)
Log Message
Crash when replacing parts of text inputs with content: url(...)
https://bugs.webkit.org/show_bug.cgi?id=101133
Reviewed by Kent Tamura.
Source/WebCore:
Disable directly setting content of elements in an input element's
shadow dom tree, because the setting breaks input element's behavior.
Tests: fast/forms/number/number-content-url-crash.html
fast/forms/search/search-content-url-crash.html
* css/html.css:
(input::-webkit-textfield-decoration-container):
Use important to disable overriding an input element's content
property.
* html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::attach):
Added ASSERTION. No content should be applied to
input::-webkit-textfield-decoration-container.
LayoutTests:
* fast/forms/number/number-content-url-crash-expected.txt: Added.
* fast/forms/number/number-content-url-crash.html: Added.
* fast/forms/search/search-content-url-crash-expected.txt: Added.
* fast/forms/search/search-content-url-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (134376 => 134377)
--- trunk/LayoutTests/ChangeLog 2012-11-13 08:11:18 UTC (rev 134376)
+++ trunk/LayoutTests/ChangeLog 2012-11-13 08:23:48 UTC (rev 134377)
@@ -1,3 +1,15 @@
+2012-11-13 Takashi Sakamoto <[email protected]>
+
+ Crash when replacing parts of text inputs with content: url(...)
+ https://bugs.webkit.org/show_bug.cgi?id=101133
+
+ Reviewed by Kent Tamura.
+
+ * fast/forms/number/number-content-url-crash-expected.txt: Added.
+ * fast/forms/number/number-content-url-crash.html: Added.
+ * fast/forms/search/search-content-url-crash-expected.txt: Added.
+ * fast/forms/search/search-content-url-crash.html: Added.
+
2012-11-12 Shinya Kawanaka <[email protected]>
Changing id, className, or attribute should invalidate distribution
Added: trunk/LayoutTests/fast/forms/number/number-content-url-crash-expected.txt (0 => 134377)
--- trunk/LayoutTests/fast/forms/number/number-content-url-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/number/number-content-url-crash-expected.txt 2012-11-13 08:23:48 UTC (rev 134377)
@@ -0,0 +1 @@
+ PASS
Added: trunk/LayoutTests/fast/forms/number/number-content-url-crash.html (0 => 134377)
--- trunk/LayoutTests/fast/forms/number/number-content-url-crash.html (rev 0)
+++ trunk/LayoutTests/fast/forms/number/number-content-url-crash.html 2012-11-13 08:23:48 UTC (rev 134377)
@@ -0,0 +1,19 @@
+<!doctype html>
+<head>
+<style>
+input::-webkit-textfield-decoration-container {
+ content: url("") !important;
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<!-- [bug 101133] https://bugs.webkit.org/show_bug.cgi?id=101133 -->
+<!-- Crash when replacing parts of text inputs with content: url(...) -->
+<!-- If this test passes, we can see juast "PASS". -->
+<input type="number">
+PASS
+</body>
Added: trunk/LayoutTests/fast/forms/search/search-content-url-crash-expected.txt (0 => 134377)
--- trunk/LayoutTests/fast/forms/search/search-content-url-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/search/search-content-url-crash-expected.txt 2012-11-13 08:23:48 UTC (rev 134377)
@@ -0,0 +1 @@
+ PASS
Added: trunk/LayoutTests/fast/forms/search/search-content-url-crash.html (0 => 134377)
--- trunk/LayoutTests/fast/forms/search/search-content-url-crash.html (rev 0)
+++ trunk/LayoutTests/fast/forms/search/search-content-url-crash.html 2012-11-13 08:23:48 UTC (rev 134377)
@@ -0,0 +1,19 @@
+<!doctype html>
+<head>
+<style>
+input::-webkit-textfield-decoration-container {
+ content: url("") !important;
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<!-- [bug 101133] https://bugs.webkit.org/show_bug.cgi?id=101133 -->
+<!-- Crash when replacing parts of text inputs with content: url(...) -->
+<!-- If this test passes, we can see juast "PASS". -->
+<input type="search">
+PASS
+</body>
Modified: trunk/Source/WebCore/ChangeLog (134376 => 134377)
--- trunk/Source/WebCore/ChangeLog 2012-11-13 08:11:18 UTC (rev 134376)
+++ trunk/Source/WebCore/ChangeLog 2012-11-13 08:23:48 UTC (rev 134377)
@@ -1,3 +1,25 @@
+2012-11-13 Takashi Sakamoto <[email protected]>
+
+ Crash when replacing parts of text inputs with content: url(...)
+ https://bugs.webkit.org/show_bug.cgi?id=101133
+
+ Reviewed by Kent Tamura.
+
+ Disable directly setting content of elements in an input element's
+ shadow dom tree, because the setting breaks input element's behavior.
+
+ Tests: fast/forms/number/number-content-url-crash.html
+ fast/forms/search/search-content-url-crash.html
+
+ * css/html.css:
+ (input::-webkit-textfield-decoration-container):
+ Use important to disable overriding an input element's content
+ property.
+ * html/TextFieldInputType.cpp:
+ (WebCore::TextFieldInputType::attach):
+ Added ASSERTION. No content should be applied to
+ input::-webkit-textfield-decoration-container.
+
2012-11-12 Huang Dongsung <[email protected]>
[Qt] REGRESSION(134142): overscaled tiles in pixel test results and MiniBrowser
Modified: trunk/Source/WebCore/css/html.css (134376 => 134377)
--- trunk/Source/WebCore/css/html.css 2012-11-13 08:11:18 UTC (rev 134376)
+++ trunk/Source/WebCore/css/html.css 2012-11-13 08:23:48 UTC (rev 134377)
@@ -436,6 +436,7 @@
display: -webkit-box;
-webkit-box-align: center;
-webkit-user-modify: read-only !important;
+ content: none !important;
}
input[type="search"]::-webkit-textfield-decoration-container {
Modified: trunk/Source/WebCore/html/TextFieldInputType.cpp (134376 => 134377)
--- trunk/Source/WebCore/html/TextFieldInputType.cpp 2012-11-13 08:11:18 UTC (rev 134376)
+++ trunk/Source/WebCore/html/TextFieldInputType.cpp 2012-11-13 08:23:48 UTC (rev 134377)
@@ -425,6 +425,9 @@
void TextFieldInputType::attach()
{
InputType::attach();
+ // If container exists, the container should not have any content data.
+ ASSERT(!m_container || !m_container->renderStyle() || !m_container->renderStyle()->hasContent());
+
element()->fixPlaceholderRenderer(m_placeholder.get(), m_container ? m_container.get() : m_innerText.get());
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
