Title: [133209] branches/safari-536.28-branch

Diff

Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133208 => 133209)


--- branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-01 19:03:28 UTC (rev 133208)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog	2012-11-01 19:08:05 UTC (rev 133209)
@@ -1,5 +1,19 @@
 2012-10-31  Lucas Forschler  <lforsch...@apple.com>
 
+        Merge r121930
+
+    2012-07-05  Hayato Ito  <hay...@chromium.org>
+
+            [Crash] Click an element which will be 'display: none' on focus.
+            https://bugs.webkit.org/show_bug.cgi?id=90516
+
+            Reviewed by Hajime Morita.
+
+            * fast/events/display-none-on-focus-crash-expected.txt: Added.
+            * fast/events/display-none-on-focus-crash.html: Added.
+
+2012-10-31  Lucas Forschler  <lforsch...@apple.com>
+
         Merge r121491
 
     2012-06-28  Philip Rogers  <p...@google.com>
@@ -10533,3 +10547,4 @@
 .
 .
 .
+.

Copied: branches/safari-536.28-branch/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt (from rev 121930, trunk/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt) (0 => 133209)


--- branches/safari-536.28-branch/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/events/display-none-on-focus-crash-expected.txt	2012-11-01 19:08:05 UTC (rev 133209)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Copied: branches/safari-536.28-branch/LayoutTests/fast/events/display-none-on-focus-crash.html (from rev 121930, trunk/LayoutTests/fast/events/display-none-on-focus-crash.html) (0 => 133209)


--- branches/safari-536.28-branch/LayoutTests/fast/events/display-none-on-focus-crash.html	                        (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/events/display-none-on-focus-crash.html	2012-11-01 19:08:05 UTC (rev 133209)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<head>
+<style>
+.c3 { padding-top: 200px; }
+.c3:focus { display: none; }
+</style>
+</head>
+<body></body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+var iframe1;
+function boom() {
+    iframe1 = document.createElement('iframe');
+    document.documentElement.appendChild(iframe1);
+    document.documentElement.appendChild(document.createElement('li'));
+    document.documentElement.appendChild(document.createElement('iframe'));
+    iframe1.setAttribute('class', 'c3');
+    eventSender.mouseMoveTo(1000, 100);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+    eventSender.mouseMoveTo(100, 100);
+    eventSender.mouseDown();
+    document.body.innerHTML = 'Test passes if it does not crash.'
+}
+window._onload_ = boom;
+</script>
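Review bot: `eventSender` is used unguarded inside boom() while `testRunner` is guarded with `if (window.testRunner)`, so in a plain browser the function throws a ReferenceError at `eventSender.mouseMoveTo(1000, 100)` before the "Test passes if it does not crash." text is ever written; either guard the eventSender block the same way or add a comment that the test is only meaningful under the test runner. Also, `window._onload_ = boom;` as shown is not a DOM event-handler property, so boom would never run; if that is `window.onload` mangled by the list archive it is fine, otherwise it needs fixing. Minor: the `document.body.innerHTML = ...` line is missing its trailing semicolon.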

Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133208 => 133209)


--- branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-01 19:03:28 UTC (rev 133208)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog	2012-11-01 19:08:05 UTC (rev 133209)
@@ -1,5 +1,31 @@
 2012-10-31  Lucas Forschler  <lforsch...@apple.com>
 
+        Merge r121930
+
+    2012-07-05  Hayato Ito  <hay...@chromium.org>
+
+            [Crash] Click an element which will be 'display: none' on focus.
+            https://bugs.webkit.org/show_bug.cgi?id=90516
+
+            Reviewed by Hajime Morita.
+
+            EventHandler::handleMousePressEventSingleClick checks whether
+            innerNode has a renderer in the beginning of the function.  But
+            the renderer may disappear in the middle of the function since its
+            style has just become 'display:none'.  As a result, it touches null renderer
+            in EventHandler.cpp:517:
+                VisiblePosition visiblePos(innerNode->renderer()->positionForPoint(event.localPoint()));
+            In the case of 'display:none', we don't have to continue.  So call
+            updateLayoutIgnorePendingStylesheets() in the beginning so that we
+            can early exit and do not touch null renderer.
+
+            Test: fast/events/display-none-on-focus-crash.html
+
+            * page/EventHandler.cpp:
+            (WebCore::EventHandler::handleMousePressEventSingleClick):
+
+2012-10-31  Lucas Forschler  <lforsch...@apple.com>
+
         Merge r121491
 
     2012-06-28  Philip Rogers  <p...@google.com>
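Review bot: the explanation points at "EventHandler.cpp:517", a line number that drifts with every edit of the file; identify the statement by function instead (the `VisiblePosition visiblePos(innerNode->renderer()->positionForPoint(...))` line in handleMousePressEventSingleClick, which the entry already quotes). It would also help to say explicitly that the "early exit" relied upon is the existing `if (!(innerNode && innerNode->renderer() && m_mouseDownMayStartSelect)) return false;` check, which only becomes reliable once style and layout are flushed up front.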
@@ -205681,3 +205707,4 @@
 .
 .
 .
+.

Modified: branches/safari-536.28-branch/Source/WebCore/page/EventHandler.cpp (133208 => 133209)


--- branches/safari-536.28-branch/Source/WebCore/page/EventHandler.cpp	2012-11-01 19:03:28 UTC (rev 133208)
+++ branches/safari-536.28-branch/Source/WebCore/page/EventHandler.cpp	2012-11-01 19:08:05 UTC (rev 133209)
@@ -493,6 +493,7 @@
 
 bool EventHandler::handleMousePressEventSingleClick(const MouseEventWithHitTestResults& event)
 {
+    m_frame->document()->updateLayoutIgnorePendingStylesheets();
     Node* innerNode = targetNode(event);
     if (!(innerNode && innerNode->renderer() && m_mouseDownMayStartSelect))
         return false;
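Review bot: the new `m_frame->document()->updateLayoutIgnorePendingStylesheets();` call deserves a one-line comment, because a layout flush at the top of a mouse-press handler looks arbitrary without the context that the `innerNode->renderer()` check two lines below would otherwise see a renderer that disappears as soon as the pending `:focus { display: none }` style is applied. Please also confirm that `m_frame->document()` cannot be null on this path, since it is dereferenced unconditionally before the existing null checks on `innerNode`.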
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
