Title: [216407] releases/WebKitGTK/webkit-2.16
- Revision: 216407
- Author: carlo...@webkit.org
- Date: 2017-05-08 06:33:51 -0700 (Mon, 08 May 2017)
Log Message
Merge r216159 - SearchInputType could end up with a mismatched renderer.
https://bugs.webkit.org/show_bug.cgi?id=171547
<rdar://problem/31935047>
Reviewed by Antti Koivisto.
Source/WebCore:
Normally we've got the correct renderer by the time we call into SearchInputType.
However, since HTMLInputElement::updateType() eagerly updates the type while the associated renderers are done lazily
(so we don't get them updated until after the next tree update), we could actually end up
with a mismatched renderer (e.g. through form submission).
Test: fast/forms/change-input-type-and-submit-form-crash.html
* html/SearchInputType.cpp:
(WebCore::SearchInputType::addSearchResult):
(WebCore::SearchInputType::didSetValueByUserEdit):
LayoutTests:
* fast/forms/change-input-type-and-submit-form-crash-expected.txt: Added.
* fast/forms/change-input-type-and-submit-form-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (216406 => 216407)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 13:32:50 UTC (rev 216406)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 13:33:51 UTC (rev 216407)
@@ -1,3 +1,14 @@
+2017-05-03 Zalan Bujtas <za...@apple.com>
+
+ SearchInputType could end up with a mismatched renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=171547
+ <rdar://problem/31935047>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/forms/change-input-type-and-submit-form-crash-expected.txt: Added.
+ * fast/forms/change-input-type-and-submit-form-crash.html: Added.
+
2017-05-03 Daniel Bates <daba...@apple.com>
Detach frame from document when entering page cache
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/forms/change-input-type-and-submit-form-crash-expected.txt (0 => 216407)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/forms/change-input-type-and-submit-form-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/forms/change-input-type-and-submit-form-crash-expected.txt 2017-05-08 13:33:51 UTC (rev 216407)
@@ -0,0 +1,2 @@
+PASS if no crash or assert.
+
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/forms/change-input-type-and-submit-form-crash.html (0 => 216407)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/forms/change-input-type-and-submit-form-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/forms/change-input-type-and-submit-form-crash.html 2017-05-08 13:33:51 UTC (rev 216407)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that submitting a form soon after changing the input type is ok.</title>
+</head>
+<body>
+PASS if no crash or assert.
+<form id=formToSubmit><input id=inputToChange results="1"></form>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.body.offsetHeight;
+inputToChange.value = "1";
+inputToChange.type = "search";
+formToSubmit.submit();
+</script>
+<body>
+</html>
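Review bot: the last tag before `</html>` is a second `<body>` where `</body>` is intended; the parser tolerates it, but the test file should close the body element it opened. It would also help a future reader if the test said why the `document.body.offsetHeight` access comes before `inputToChange.type = "search"`: forcing layout first gives the input its text-field renderer, and only then switching the type to `search` and calling `formToSubmit.submit()` reproduces the mismatched-renderer case the ChangeLog describes. A one-line comment above the script would make that ordering intentional rather than incidental.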
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (216406 => 216407)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 13:32:50 UTC (rev 216406)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 13:33:51 UTC (rev 216407)
@@ -1,3 +1,22 @@
+2017-05-03 Zalan Bujtas <za...@apple.com>
+
+ SearchInputType could end up with a mismatched renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=171547
+ <rdar://problem/31935047>
+
+ Reviewed by Antti Koivisto.
+
+ Normally we've got the correct renderer by the time we call into SearchInputType.
+ However, since HTMLInputElement::updateType() eagerly updates the type while the associated renderers are done lazily
+ (so we don't get them updated until after the next tree update), we could actually end up
+ with a mismatched renderer (e.g. through form submission).
+
+ Test: fast/forms/change-input-type-and-submit-form-crash.html
+
+ * html/SearchInputType.cpp:
+ (WebCore::SearchInputType::addSearchResult):
+ (WebCore::SearchInputType::didSetValueByUserEdit):
+
2017-05-07 Michael Catanzaro <mcatanz...@igalia.com>
[GTK] Cannot sign in with new Google sign-in page
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/html/SearchInputType.cpp (216406 => 216407)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/html/SearchInputType.cpp 2017-05-08 13:32:50 UTC (rev 216406)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/html/SearchInputType.cpp 2017-05-08 13:33:51 UTC (rev 216407)
@@ -55,8 +55,11 @@
void SearchInputType::addSearchResult()
{
#if !PLATFORM(IOS)
- if (auto* renderer = element().renderer())
- downcast<RenderSearchField>(*renderer).addSearchResult();
+ // Normally we've got the correct renderer by the time we get here. However when the input type changes
+ // we don't update the associated renderers until after the next tree update, so we could actually end up here
+ // with a mismatched renderer (e.g. through form submission).
+ if (is<RenderSearchField>(element().renderer()))
+ downcast<RenderSearchField>(*element().renderer()).addSearchResult();
#endif
}
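Review bot: `element().renderer()` is now looked up twice in `addSearchResult()` (once in the `is<RenderSearchField>` test and again in the `downcast<>`), whereas the removed lines cached it in `auto* renderer`. Keeping the local is cheaper and easier to read:
`auto* renderer = element().renderer();`
`if (is<RenderSearchField>(renderer))`
`    downcast<RenderSearchField>(*renderer).addSearchResult();`
The change also drops the explicit null check and relies on the pointer overload of `is<>` returning false for a null renderer; that is the WTF behaviour, but it is worth stating in the comment since the old code made the null case visible.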
@@ -185,9 +188,8 @@
void SearchInputType::didSetValueByUserEdit()
{
- if (m_cancelButton && element().renderer())
+ if (m_cancelButton && is<RenderSearchField>(element().renderer()))
downcast<RenderSearchField>(*element().renderer()).updateCancelButtonVisibility();
-
// If the incremental attribute is set, then dispatch the search event
if (searchEventsShouldBeDispatched())
startSearchEventTimer();
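Review bot: the deleted blank line between the cancel-button update and the `// If the incremental attribute is set` comment is an unrelated whitespace change not mentioned in the ChangeLog; either keep the blank line or call it out. The `m_cancelButton &&` guard is preserved, which is right, but as in `addSearchResult()` the renderer is now fetched twice in one statement; a local `auto* renderer = element().renderer();` used in both the `is<RenderSearchField>` check and the `downcast<>` would keep the two functions consistent.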
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes