Title: [165150] branches/safari-537.75-branch
Diff
Modified: branches/safari-537.75-branch/LayoutTests/ChangeLog (165149 => 165150)
--- branches/safari-537.75-branch/LayoutTests/ChangeLog 2014-03-06 01:28:19 UTC (rev 165149)
+++ branches/safari-537.75-branch/LayoutTests/ChangeLog 2014-03-06 01:34:53 UTC (rev 165150)
@@ -1,5 +1,21 @@
2014-03-05 Matthew Hanson <[email protected]>
+ Merge r158724.
+
+ 2013-11-05 Ryosuke Niwa <[email protected]>
+
+ Use-after-free in SliderThumbElement::dragFrom
+ https://bugs.webkit.org/show_bug.cgi?id=123873
+
+ Reviewed by Andreas Kling.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b
+
+ * fast/forms/range/range-type-change-onchange-2-expected.txt: Added.
+ * fast/forms/range/range-type-change-onchange-2.html: Added.
+
+2014-03-05 Matthew Hanson <[email protected]>
+
Merge r163599.
2014-02-06 Jeffrey Pfau <[email protected]>
Copied: branches/safari-537.75-branch/LayoutTests/fast/forms/range/range-type-change-onchange-2-expected.txt (from rev 158724, trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2-expected.txt) (0 => 165150)
--- branches/safari-537.75-branch/LayoutTests/fast/forms/range/range-type-change-onchange-2-expected.txt (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/fast/forms/range/range-type-change-onchange-2-expected.txt 2014-03-06 01:34:53 UTC (rev 165150)
@@ -0,0 +1,10 @@
+Test if drag on a padding area of input[type=range] do not trigger an assertion failure.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
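Review bot: the description line "Test if drag on a padding area of input[type=range] do not trigger an assertion failure." names an assertion failure, while the ChangeLog entry for this merge describes the bug as a use-after-free in SliderThumbElement::dragFrom. Suggest wording the description after the actual defect (and "does not" in place of "do not"), and changing the description() string in range-type-change-onchange-2.html together with this expected file so the two keep matching.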
Copied: branches/safari-537.75-branch/LayoutTests/fast/forms/range/range-type-change-onchange-2.html (from rev 158724, trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2.html) (0 => 165150)
--- branches/safari-537.75-branch/LayoutTests/fast/forms/range/range-type-change-onchange-2.html (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/fast/forms/range/range-type-change-onchange-2.html 2014-03-06 01:34:53 UTC (rev 165150)
@@ -0,0 +1,32 @@
+<body>
+<style>
+input {
+ padding-right: 32px;
+ padding-top: 32px;
+}
+</style>
+<input _onchange_="this.type = 'text';" type="range" id="input">
+<script src=""
+<script>
+jsTestIsAsync = true;
+
+function keyDownMouseClick(x1, y1, x2, y2) {
+ if (!window.eventSender)
+ return;
+ eventSender.mouseMoveTo(x1, y1);
+ eventSender.mouseDown();
+ eventSender.mouseMoveTo(x2, y2);
+ eventSender.mouseUp();
+}
+
+window._onload_ = function() {
+ var input = document.getElementById("input");
+ input.focus();
+ keyDownMouseClick(input.offsetLeft + input.offsetWidth - 32, input.offsetTop, 0, 0);
+ description('Test if drag on a padding area of input[type=range] do not trigger an assertion failure.');
+ testPassed('if not crashed.');
+ finishJSTest();
+};
+</script>
+<script src=""
+</body>
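Review bot: in keyDownMouseClick, the `if (!window.eventSender) return;` guard lets the onload handler go on to print "PASS if not crashed." without ever performing the drag, so outside the test harness the test passes without reaching dragFrom. Suggest reporting in that branch that the test requires eventSender instead of returning silently. The helper's name also does not match what it does (it sends mouse move/down/move/up, no key event), and jsTestIsAsync is set to true although finishJSTest() is called synchronously at the end of onload, so anything the drag triggers after that point would not be covered. Since the only pass criterion is the absence of a crash, the use-after-free is caught reliably only when the test runs on a build that detects invalid memory access, such as an ASan build.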
Modified: branches/safari-537.75-branch/Source/WebCore/ChangeLog (165149 => 165150)
--- branches/safari-537.75-branch/Source/WebCore/ChangeLog 2014-03-06 01:28:19 UTC (rev 165149)
+++ branches/safari-537.75-branch/Source/WebCore/ChangeLog 2014-03-06 01:34:53 UTC (rev 165150)
@@ -1,5 +1,23 @@
2014-03-05 Matthew Hanson <[email protected]>
+ Merge r158724.
+
+ 2013-11-05 Ryosuke Niwa <[email protected]>
+
+ Use-after-free in SliderThumbElement::dragFrom
+ https://bugs.webkit.org/show_bug.cgi?id=123873
+
+ Reviewed by Andreas Kling.
+
+ Ref the SliderThumbElement since it could go away inside dragFrom.
+
+ Test: fast/forms/range/range-type-change-onchange-2.html
+
+ * html/RangeInputType.cpp:
+ (WebCore::RangeInputType::handleMouseDownEvent):
+
+2014-03-05 Matthew Hanson <[email protected]>
+
Merge r163599.
2014-02-06 Jeffrey Pfau <[email protected]>
Modified: branches/safari-537.75-branch/Source/WebCore/html/RangeInputType.cpp (165149 => 165150)
--- branches/safari-537.75-branch/Source/WebCore/html/RangeInputType.cpp 2014-03-06 01:28:19 UTC (rev 165149)
+++ branches/safari-537.75-branch/Source/WebCore/html/RangeInputType.cpp 2014-03-06 01:34:53 UTC (rev 165150)
@@ -161,7 +161,7 @@
ASSERT(element()->shadow());
if (targetNode != element() && !targetNode->isDescendantOf(element()->userAgentShadowRoot()))
return;
- SliderThumbElement* thumb = sliderThumbElementOf(element());
+ RefPtr<SliderThumbElement> thumb = sliderThumbElementOf(element());
if (targetNode == thumb)
return;
thumb->dragFrom(event->absoluteLocation());
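Review bot: the new `RefPtr<SliderThumbElement> thumb` line has no comment explaining why a strong reference is held, so a later cleanup could turn it back into a raw pointer. Suggest a one-line comment above it stating that the thumb can go away inside dragFrom() (the new test does this from an onchange handler that sets the input's type to text). The RefPtr only keeps the thumb alive; it is worth confirming that nothing after `thumb->dragFrom(event->absoluteLocation());` touches element() or other members of this RangeInputType, because the same handler changes the input's type while this function is still on the stack.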
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes