Title: [154308] trunk
Revision
154308
Author
[email protected]
Date
2013-08-19 17:02:56 -0700 (Mon, 19 Aug 2013)

Log Message

<https://webkit.org/b/119930> input[type=range]: Fix a crash by changing input type in 'input' event handler

Reviewed by Kent Tamura.

Source/WebCore:

Merge https://chromium.googlesource.com/chromium/blink/+/99afc9b55ce176b4f5fe053070e19dbebc1891a5

In SliderThumbElement::setPositionFromPoint, renderer() can be NULL after HTMLInputElement::setValueFromRenderer,
which dispatches 'input' event. Also, make a local variable 'input' a RefPtr just in case.

Also add null-pointer checks for the host element as SliderThumbElement only weakly holds onto the host element.

Test: fast/forms/range/range-type-change-oninput.html

* html/shadow/SliderThumbElement.cpp:
(WebCore::SliderThumbElement::isDisabledFormControl):
(WebCore::SliderThumbElement::matchesReadOnlyPseudoClass):
(WebCore::SliderThumbElement::matchesReadWritePseudoClass):
(WebCore::SliderThumbElement::setPositionFromPoint):
(WebCore::SliderThumbElement::hostInput):

LayoutTests:

Add a regression test from https://chromium.googlesource.com/chromium/blink/+/99afc9b55ce176b4f5fe053070e19dbebc1891a5

* fast/forms/range/range-type-change-oninput-expected.txt: Added.
* fast/forms/range/range-type-change-oninput.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (154307 => 154308)


--- trunk/LayoutTests/ChangeLog	2013-08-20 00:02:42 UTC (rev 154307)
+++ trunk/LayoutTests/ChangeLog	2013-08-20 00:02:56 UTC (rev 154308)
@@ -1,3 +1,14 @@
+2013-08-19  Ryosuke Niwa  <[email protected]>
+
+        <https://webkit.org/b/119930> input[type=range]: Fix a crash by changing input type in 'input' event handler
+
+        Reviewed by Kent Tamura.
+
+        Add a regresion test from https://chromium.googlesource.com/chromium/blink/+/99afc9b55ce176b4f5fe053070e19dbebc1891a5
+
+        * fast/forms/range/range-type-change-oninput-expected.txt: Added.
+        * fast/forms/range/range-type-change-oninput.html: Added.
+
 2013-08-19  Alexey Proskuryakov  <[email protected]>
 
         https://bugs.webkit.org/show_bug.cgi?id=120028
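Review bot: "regresion" in the new ChangeLog entry ("Add a regresion test from ...") should read "regression".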

Added: trunk/LayoutTests/fast/forms/range/range-type-change-oninput-expected.txt (0 => 154308)


--- trunk/LayoutTests/fast/forms/range/range-type-change-oninput-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/range/range-type-change-oninput-expected.txt	2013-08-20 00:02:56 UTC (rev 154308)
@@ -0,0 +1,5 @@
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/forms/range/range-type-change-oninput.html (0 => 154308)


--- trunk/LayoutTests/fast/forms/range/range-type-change-oninput.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/range/range-type-change-oninput.html	2013-08-20 00:02:56 UTC (rev 154308)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script src=""
+<input type="range" value="0" _oninput_="this.type = 'text';">
+<script>
+if (!window.eventSender) {
+    debug('Manual test instruction: Click on the slider.');
+} else {
+    clickElement(document.querySelector('input'));
+    testPassed('if not crashed.');
+}
+</script>
+<script src=""
+</body>
+</html>
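Review bot: as shown, the handler attribute on the `<input>` line reads `_oninput_` rather than `oninput`, and the three `<script src=""` lines carry empty src attributes with no closing tag, so `debug`, `clickElement`, `testPassed` and `successfullyParsed` would all be undefined as written. If this is rendering damage on the commit page, the checked-in file should be confirmed to load the js-test helper scripts and to use the plain `oninput` attribute, since the crash only reproduces when the 'input' handler actually fires and changes the type to text.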

Modified: trunk/Source/WebCore/ChangeLog (154307 => 154308)


--- trunk/Source/WebCore/ChangeLog	2013-08-20 00:02:42 UTC (rev 154307)
+++ trunk/Source/WebCore/ChangeLog	2013-08-20 00:02:56 UTC (rev 154308)
@@ -1,3 +1,25 @@
+2013-08-19  Ryosuke Niwa  <[email protected]>
+
+        <https://webkit.org/b/119930> input[type=range]: Fix a crash by changing input type in 'input' event handler
+
+        Reviewed by Kent Tamura.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/99afc9b55ce176b4f5fe053070e19dbebc1891a5
+
+        In SliderThumbElement::setPositionFromPoint, renderer() can be NULL after HTMLInputElement::setValueFromRenderer,
+        which dispatches 'input' event. Also, make a local vairable 'input' a RefPtr just in case.
+
+        Also add null-poinetr checks for the host element as SliderThumbElement only weakly holds onto the host element.
+
+        Test: fast/forms/range/range-type-change-oninput.html
+
+        * html/shadow/SliderThumbElement.cpp:
+        (WebCore::SliderThumbElement::isDisabledFormControl):
+        (WebCore::SliderThumbElement::matchesReadOnlyPseudoClass):
+        (WebCore::SliderThumbElement::matchesReadWritePseudoClass):
+        (WebCore::SliderThumbElement::setPositionFromPoint):
+        (WebCore::SliderThumbElement::hostInput):
+
 2013-08-19  Alexey Proskuryakov  <[email protected]>
 
         https://bugs.webkit.org/show_bug.cgi?id=120028
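Review bot: two spelling errors in the entry: "vairable" should be "variable" and "null-poinetr" should be "null-pointer".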

Modified: trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp (154307 => 154308)


--- trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp	2013-08-20 00:02:42 UTC (rev 154307)
+++ trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp	2013-08-20 00:02:56 UTC (rev 154308)
@@ -229,17 +229,20 @@
 
 bool SliderThumbElement::isDisabledFormControl() const
 {
-    return hostInput()->isDisabledFormControl();
+    HTMLInputElement* input = hostInput();
+    return !input || input->isDisabledFormControl();
 }
 
 bool SliderThumbElement::matchesReadOnlyPseudoClass() const
 {
-    return hostInput()->matchesReadOnlyPseudoClass();
+    HTMLInputElement* input = hostInput();
+    return input && input->matchesReadOnlyPseudoClass();
 }
 
 bool SliderThumbElement::matchesReadWritePseudoClass() const
 {
-    return hostInput()->matchesReadWritePseudoClass();
+    HTMLInputElement* input = hostInput();
+    return input && input->matchesReadWritePseudoClass();
 }
 
 Element* SliderThumbElement::focusDelegate()
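Review bot: the null-host fallbacks are asymmetric: isDisabledFormControl returns true when hostInput() is 0 (`return !input || input->isDisabledFormControl();`), while matchesReadOnlyPseudoClass and matchesReadWritePseudoClass both return false. Treating a detached thumb as disabled and neither read-only nor read-write is a sensible choice, but a one-line comment stating it would stop the next reader from "fixing" one of the three to match the others.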
@@ -255,15 +258,15 @@
 
 void SliderThumbElement::setPositionFromPoint(const LayoutPoint& point)
 {
-    HTMLInputElement* input = hostInput();
-    HTMLElement* trackElement = sliderTrackElementOf(input);
+    RefPtr<HTMLInputElement> input(hostInput());
+    HTMLElement* trackElement = sliderTrackElementOf(input.get());
 
     if (!input->renderer() || !renderBox() || !trackElement->renderBox())
         return;
 
     input->setTextAsOfLastFormControlChangeEvent(input->value());
     LayoutPoint offset = roundedLayoutPoint(input->renderer()->absoluteToLocal(point, UseTransforms));
-    bool isVertical = hasVerticalAppearance(input);
+    bool isVertical = hasVerticalAppearance(input.get());
     bool isLeftToRightDirection = renderBox()->style()->isLeftToRightDirection();
     LayoutUnit trackSize;
     LayoutUnit position;
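Review bot: `input` is still dereferenced unconditionally in `if (!input->renderer() || !renderBox() || !trackElement->renderBox())`, and is passed to sliderTrackElementOf(input.get()) before that, even though this same patch makes hostInput() return 0 when there is no shadow host. Either add `!input ||` at the front of the early-return condition (and guard `trackElement` the same way, since its renderBox() is also dereferenced unchecked), or document why the host cannot be null on this path while it can be null in the callers fixed above.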
@@ -312,7 +315,8 @@
 
     // FIXME: This is no longer being set from renderer. Consider updating the method name.
     input->setValueFromRenderer(valueString);
-    renderer()->setNeedsLayout(true);
+    if (renderer())
+        renderer()->setNeedsLayout(true);
     input->dispatchFormControlChangeEvent();
 }
 
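Review bot: the `if (renderer())` guard covers the case the ChangeLog describes (the 'input' handler dispatched from setValueFromRenderer tears down the slider's renderers), but the thumb element itself (`this`) is not protected by the RefPtr taken on `input`; if changing the type can destroy the shadow thumb, the renderer() call here runs on a freed object. Worth confirming that the caller holds a reference to the thumb across setPositionFromPoint, or taking a `RefPtr<SliderThumbElement> protector(this)` alongside the one for `input`.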
@@ -404,7 +408,8 @@
 {
     // Only HTMLInputElement creates SliderThumbElement instances as its shadow nodes.
     // So, shadowHost() must be an HTMLInputElement.
-    return shadowHost()->toInputElement();
+    Element* host = shadowHost();
+    return host ? host->toInputElement() : 0;
 }
 
 static const AtomicString& sliderThumbShadowPseudoId()
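Review bot: the comment above this function still says "shadowHost() must be an HTMLInputElement", while the code now tolerates a missing host (`return host ? host->toInputElement() : 0;`). Update the comment to say that the host can be absent once the thumb has been detached from the input's shadow tree, which is the case the new null checks in the callers are there to handle.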
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
