Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 589e3edb7b1c0d3f8d78d399fadd9a54d9c062d4 https://github.com/WebKit/WebKit/commit/589e3edb7b1c0d3f8d78d399fadd9a54d9c062d4 Author: Chris Dumez <cdu...@apple.com> Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths: A LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash-expected.txt A LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash.html M Source/WebCore/html/HTMLInputElement.cpp Log Message: ----------- Cherry-pick 252432.806@safari-7614-branch (a09205d980f6). rdar://104599817 Assertion hit under IdTargetObserverRegistry::notifyObservers() https://bugs.webkit.org/show_bug.cgi?id=247592 rdar://101454107 Reviewed by Aditya Keerthi, Wenson Hsieh and Geoffrey Garen. ListAttributeTargetObserver::idTargetChanged() is not safe to re-enter. As a result, we have an assertion and a runtime check to protect against this. However, it was still possible to hit this assertion in debug. ListAttributeTargetObserver::idTargetChanged() would call TextFieldInputType::dataListMayHaveChanged() which could run script by calling createDataListDropdownIndicator(). The script could then change the datalist element's id, which would attempt to re-enter. This patch addresses the issue by calling dataListMayHaveChanged() asynchronously. * LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash-expected.txt: Added. * LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash.html: Added. * Source/WebCore/html/HTMLInputElement.cpp: (WebCore::ListAttributeTargetObserver::idTargetChanged): Canonical link: https://commits.webkit.org/252432.806@safari-7614-branch Canonical link: https://commits.webkit.org/259290@main _______________________________________________ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes