Title: [157956] branches/safari-537.73-branch

Diff

Modified: branches/safari-537.73-branch/LayoutTests/ChangeLog (157955 => 157956)


--- branches/safari-537.73-branch/LayoutTests/ChangeLog	2013-10-24 21:28:39 UTC (rev 157955)
+++ branches/safari-537.73-branch/LayoutTests/ChangeLog	2013-10-24 21:31:11 UTC (rev 157956)
@@ -1,3 +1,18 @@
+2013-10-24  Lucas Forschler  <[email protected]>
+
+        Merge r154308
+
+    2013-08-19  Ryosuke Niwa  <[email protected]>
+
+            <https://webkit.org/b/119930> input[type=range]: Fix a crash by changing input type in 'input' event handler
+
+            Reviewed by Kent Tamura.
+
+            Add a regresion test from https://chromium.googlesource.com/chromium/blink/+/99afc9b55ce176b4f5fe053070e19dbebc1891a5
+
+            * fast/forms/range/range-type-change-oninput-expected.txt: Added.
+            * fast/forms/range/range-type-change-oninput.html: Added.
+
 2013-10-24  Oliver Hunt  <[email protected]>
 
         <https://webkit.org/b/119860> Crash during exception unwinding

Copied: branches/safari-537.73-branch/LayoutTests/fast/forms/range/range-type-change-oninput-expected.txt (from rev 154308, trunk/LayoutTests/fast/forms/range/range-type-change-oninput-expected.txt) (0 => 157956)


--- branches/safari-537.73-branch/LayoutTests/fast/forms/range/range-type-change-oninput-expected.txt	                        (rev 0)
+++ branches/safari-537.73-branch/LayoutTests/fast/forms/range/range-type-change-oninput-expected.txt	2013-10-24 21:31:11 UTC (rev 157956)
@@ -0,0 +1,5 @@
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: branches/safari-537.73-branch/LayoutTests/fast/forms/range/range-type-change-oninput.html (from rev 154308, trunk/LayoutTests/fast/forms/range/range-type-change-oninput.html) (0 => 157956)


--- branches/safari-537.73-branch/LayoutTests/fast/forms/range/range-type-change-oninput.html	                        (rev 0)
+++ branches/safari-537.73-branch/LayoutTests/fast/forms/range/range-type-change-oninput.html	2013-10-24 21:31:11 UTC (rev 157956)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script src=""
+<input type="range" value="0" _oninput_="this.type = 'text';">
+<script>
+if (!window.eventSender) {
+    debug('Manual test instruction: Click on the slider.');
+} else {
+    clickElement(document.querySelector('input'));
+    testPassed('if not crashed.');
+}
+</script>
+<script src=""
+</body>
+</html>
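Review bot: The test covers only one of the paths this change touches: the oninput handler sets this.type = 'text', which exercises the renderer() check in setPositionFromPoint, but nothing here reaches the new null checks on hostInput(). Consider a second case in which the handler detaches the input from the document, so the "weakly holds onto the host element" condition named in the ChangeLog is also exercised. Note too that without window.eventSender the test prints only the manual instruction and reports no pass or fail result for the click.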

Modified: branches/safari-537.73-branch/Source/WebCore/ChangeLog (157955 => 157956)


--- branches/safari-537.73-branch/Source/WebCore/ChangeLog	2013-10-24 21:28:39 UTC (rev 157955)
+++ branches/safari-537.73-branch/Source/WebCore/ChangeLog	2013-10-24 21:31:11 UTC (rev 157956)
@@ -1,3 +1,29 @@
+2013-10-24  Lucas Forschler  <[email protected]>
+
+        Merge r154308
+
+    2013-08-19  Ryosuke Niwa  <[email protected]>
+
+            <https://webkit.org/b/119930> input[type=range]: Fix a crash by changing input type in 'input' event handler
+
+            Reviewed by Kent Tamura.
+
+            Merge https://chromium.googlesource.com/chromium/blink/+/99afc9b55ce176b4f5fe053070e19dbebc1891a5
+
+            In SliderThumbElement::setPositionFromPoint, renderer() can be NULL after HTMLInputElement::setValueFromRenderer,
+            which dispatches 'input' event. Also, make a local vairable 'input' a RefPtr just in case.
+
+            Also add null-poinetr checks for the host element as SliderThumbElement only weakly holds onto the host element.
+
+            Test: fast/forms/range/range-type-change-oninput.html
+
+            * html/shadow/SliderThumbElement.cpp:
+            (WebCore::SliderThumbElement::isDisabledFormControl):
+            (WebCore::SliderThumbElement::matchesReadOnlyPseudoClass):
+            (WebCore::SliderThumbElement::matchesReadWritePseudoClass):
+            (WebCore::SliderThumbElement::setPositionFromPoint):
+            (WebCore::SliderThumbElement::hostInput):
+
 2013-10-21  Lucas Forschler  <[email protected]>
 
         Merge r154289

Modified: branches/safari-537.73-branch/Source/WebCore/html/shadow/SliderThumbElement.cpp (157955 => 157956)


--- branches/safari-537.73-branch/Source/WebCore/html/shadow/SliderThumbElement.cpp	2013-10-24 21:28:39 UTC (rev 157955)
+++ branches/safari-537.73-branch/Source/WebCore/html/shadow/SliderThumbElement.cpp	2013-10-24 21:31:11 UTC (rev 157956)
@@ -224,17 +224,20 @@
 
 bool SliderThumbElement::isDisabledFormControl() const
 {
-    return hostInput()->isDisabledFormControl();
+    HTMLInputElement* input = hostInput();
+    return !input || input->isDisabledFormControl();
 }
 
 bool SliderThumbElement::matchesReadOnlyPseudoClass() const
 {
-    return hostInput()->matchesReadOnlyPseudoClass();
+    HTMLInputElement* input = hostInput();
+    return input && input->matchesReadOnlyPseudoClass();
 }
 
 bool SliderThumbElement::matchesReadWritePseudoClass() const
 {
-    return hostInput()->matchesReadWritePseudoClass();
+    HTMLInputElement* input = hostInput();
+    return input && input->matchesReadWritePseudoClass();
 }
 
 Element* SliderThumbElement::focusDelegate()
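Review bot: The three null-host fallbacks are not symmetric and nothing documents why: isDisabledFormControl() returns true when hostInput() is null (`!input || ...`), while both matchesReadOnlyPseudoClass() and matchesReadWritePseudoClass() return false (`input && ...`). A detached thumb is therefore disabled and matches neither pseudo-class. If that is intended, a one-line comment on the first function would keep a later cleanup from "normalising" it to `input &&`.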
@@ -250,15 +253,15 @@
 
 void SliderThumbElement::setPositionFromPoint(const LayoutPoint& point)
 {
-    HTMLInputElement* input = hostInput();
-    HTMLElement* trackElement = sliderTrackElementOf(input);
+    RefPtr<HTMLInputElement> input(hostInput());
+    HTMLElement* trackElement = sliderTrackElementOf(input.get());
 
     if (!input->renderer() || !renderBox() || !trackElement->renderBox())
         return;
 
     input->setTextAsOfLastFormControlChangeEvent(input->value());
     LayoutPoint offset = roundedLayoutPoint(input->renderer()->absoluteToLocal(point, UseTransforms));
-    bool isVertical = hasVerticalAppearance(input);
+    bool isVertical = hasVerticalAppearance(input.get());
     bool isLeftToRightDirection = renderBox()->style()->isLeftToRightDirection();
     LayoutUnit trackSize;
     LayoutUnit position;
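Review bot: The early-return guard still dereferences input without a null check (`if (!input->renderer() || ...`), although this same commit makes hostInput() return 0 when shadowHost() is null. The RefPtr keeps a non-null input alive but does nothing for a null one, and sliderTrackElementOf(input.get()) and trackElement->renderBox() are reached with the same unchecked value. Suggest returning early on `!input` before the track lookup, and adding `!trackElement` to the guard unless sliderTrackElementOf is guaranteed to return non-null.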
@@ -307,7 +310,8 @@
 
     // FIXME: This is no longer being set from renderer. Consider updating the method name.
     input->setValueFromRenderer(valueString);
-    renderer()->setNeedsLayout(true);
+    if (renderer())
+        renderer()->setNeedsLayout(true);
     input->dispatchFormControlChangeEvent();
 }
 
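Review bot: The new `if (renderer())` check has no comment, and the FIXME just above it is about the method name, not about re-entrancy. Please note at the check that setValueFromRenderer dispatches 'input' and script may have destroyed the renderer by the time it returns. Also worth confirming that input->dispatchFormControlChangeEvent() should still run in that case: it is called unconditionally even when the renderer is gone, for example after the handler has changed the input's type.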
@@ -400,7 +404,8 @@
 {
     // Only HTMLInputElement creates SliderThumbElement instances as its shadow nodes.
     // So, shadowHost() must be an HTMLInputElement.
-    return shadowHost()->toInputElement();
+    Element* host = shadowHost();
+    return host ? host->toInputElement() : 0;
 }
 
 static const AtomicString& sliderThumbShadowPseudoId()
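Review bot: The comment kept above the new code ("So, shadowHost() must be an HTMLInputElement.") now reads as if the host always exists, which contradicts the null check added directly below it. Update it to say the host can be null because the thumb only weakly references it, and that hostInput() returns 0 in that case, so that callers know they must check. Any caller of hostInput() outside the functions changed in this commit should be audited for the same unchecked dereference.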
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
