Skip to site navigation (Press enter)

[webkit-changes] [162683] trunk

changseok . oh Thu, 23 Jan 2014 20:09:07 -0800

Title: [162683] trunk

Revision: 162683
Author: changseok...@collabora.com
Date: 2014-01-23 20:12:23 -0800 (Thu, 23 Jan 2014)

Log Message

Dragging from inner side of video to outside causes a crash
https://bugs.webkit.org/show_bug.cgi?id=126338


Reviewed by Jer Noble.

Source/WebCore:

The crash happens while dragging mouse cursor through timeline control to outside
of video region. This is beacause media controls are selected with the drag.
The media controls disappear when mouse cursor goes outside of video though
the dragging/selection proceeds. If once media controls are hidden, related element
lose their renderers. However the drag is still under going. it requires shadowPseudoId
of the selected controls. Untorntunately, SliderThumbElement/SliderContainerElement
don't return a static value for the shadowPseudoId unlike other media controls,
but they need a renderer to determine it. This is the reason of crash.

Test: media/media-controller-drag-crash.html

* html/shadow/SliderThumbElement.cpp:
(WebCore::SliderThumbElement::shadowPseudoId):
(WebCore::SliderContainerElement::shadowPseudoId):

LayoutTests:

This tests that dragging through timeslider control to outside of video causes a crash.
The crash happened on both gtk+ and efl ports not using MEDIA_CONTROL_SCRIPT.

* media/media-controller-drag-crash-expected.txt: Added.
* media/media-controller-drag-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp

Added Paths

trunk/LayoutTests/media/media-controller-drag-crash-expected.txt
trunk/LayoutTests/media/media-controller-drag-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (162682 => 162683)


--- trunk/LayoutTests/ChangeLog	2014-01-24 03:52:30 UTC (rev 162682)
+++ trunk/LayoutTests/ChangeLog	2014-01-24 04:12:23 UTC (rev 162683)
@@ -1,3 +1,16 @@
+2014-01-23  ChangSeok Oh  <changseok...@collabora.com>
+
+        Dragging from inner side of video to outside causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=126338
+
+        Reviewed by Jer Noble.
+
+        This tests that dragging through timeslider control to outside of video causes a crash.
+        The crash happened on both gtk+ and efl ports not using MEDIA_CONTROL_SCRIPT.
+
+        * media/media-controller-drag-crash-expected.txt: Added.
+        * media/media-controller-drag-crash.html: Added.
+
 2014-01-23  Jon Honeycutt  <jhoneyc...@apple.com>
 
         Assertion failure in WebCore::PseudoElement::didRecalcStyle()

Added: trunk/LayoutTests/media/media-controller-drag-crash-expected.txt (0 => 162683)


--- trunk/LayoutTests/media/media-controller-drag-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/media/media-controller-drag-crash-expected.txt	2014-01-24 04:12:23 UTC (rev 162683)
@@ -0,0 +1,9 @@
+Test that dragging through the timebar causes a crash.
+
+
+EVENT(canplaythrough)
+RUN(video.play())
+Mouse dragging.
+No crash. PASS.
+END OF TEST
+

Added: trunk/LayoutTests/media/media-controller-drag-crash.html (0 => 162683)


--- trunk/LayoutTests/media/media-controller-drag-crash.html	                        (rev 0)
+++ trunk/LayoutTests/media/media-controller-drag-crash.html	2014-01-24 04:12:23 UTC (rev 162683)
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Dragging through timebar test</title>
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      if (window.testRunner)
+        testRunner.dumpAsText();
+
+      function test()
+      {
+        run('video.play()');
+
+        if (window.eventSender) {
+          consoleWrite("Mouse dragging.");
+
+          var timelineCoordinate;
+          try {
+            timelineCoordinate = mediaControlsButtonCoordinates(video, "timeline");
+          } catch (exception) {
+            failTest(exception.description);
+            return;
+          }
+          var x = timelineCoordinate[0];
+          var y = timelineCoordinate[1];
+
+          eventSender.dragMode = false;
+          eventSender.mouseMoveTo(x, y - 100);
+          eventSender.mouseDown();
+          eventSender.mouseMoveTo(x, y);
+          eventSender.mouseMoveTo(x, y + 100);
+        }
+        window.setTimeout("finish()", 1000);
+      }
+
+      function finish()
+      {
+        consoleWrite("No crash. PASS.")
+        if (window.eventSender)
+          eventSender.mouseUp();
+        endTest();
+      }
+
+      function start()
+      {
+        findMediaElement();
+        waitForEvent('canplaythrough', test);
+        video.src = "" "content/test");
+      }
+    </script>
+  </head>
+  <body _onload_="start()">
+    <p>Test that dragging through the timebar causes a crash.</p>
+    <video controls></video>
+  </body>
+</html>
+

Modified: trunk/Source/WebCore/ChangeLog (162682 => 162683)


--- trunk/Source/WebCore/ChangeLog	2014-01-24 03:52:30 UTC (rev 162682)
+++ trunk/Source/WebCore/ChangeLog	2014-01-24 04:12:23 UTC (rev 162683)
@@ -1,3 +1,25 @@
+2014-01-23  ChangSeok Oh  <changseok...@collabora.com>
+
+        Dragging from inner side of video to outside causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=126338
+
+        Reviewed by Jer Noble.
+
+        The crash happens while dragging mouse cursor through timeline control to outside
+        of video region. This is beacause media controls are selected with the drag.
+        The media controls disappear when mouse cursor goes outside of video though
+        the dragging/selection proceeds. If once media controls are hidden, related element
+        lose their renderers. However the drag is still under going. it requires shadowPseudoId
+        of the selected controls. Untorntunately, SliderThumbElement/SliderContainerElement
+        don't return a static value for the shadowPseudoId unlike other media controls,
+        but they need a renderer to determine it. This is the reason of crash.
+
+        Test: media/media-controller-drag-crash.html
+
+        * html/shadow/SliderThumbElement.cpp:
+        (WebCore::SliderThumbElement::shadowPseudoId):
+        (WebCore::SliderContainerElement::shadowPseudoId):
+
 2014-01-23  Brady Eidson  <beid...@apple.com>
 
         IDB: Implement SQLite backing store 'get' support

Modified: trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp (162682 => 162683)


--- trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp	2014-01-24 03:52:30 UTC (rev 162682)
+++ trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp	2014-01-24 04:12:23 UTC (rev 162683)
@@ -579,6 +579,8 @@
     HTMLInputElement* input = hostInput();
     if (!input)
         return sliderThumbShadowPseudoId();
+    if (!input->renderer())
+        return emptyAtom;
 
     const RenderStyle& sliderStyle = input->renderer()->style();
     switch (sliderStyle.appearance()) {
@@ -624,6 +626,8 @@
     HTMLInputElement* input = shadowHost()->toInputElement();
     if (!input)
         return sliderContainer;
+    if (!input->renderer())
+        return emptyAtom;
 
     const RenderStyle& sliderStyle = input->renderer()->style();
     switch (sliderStyle.appearance()) {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes