Changeset 145423 in webkit
- Timestamp:
- Mar 11, 2013, 4:18:44 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 8 edited
trunk/LayoutTests/ChangeLog
r145422 r145423 1 2013-03-11 Stephen Chenney <schenney@chromium.org> 2 3 HTMLInputElement can delete an ImageLoader while it's still needed 4 https://bugs.webkit.org/show_bug.cgi?id=110621 5 6 Reviewed by Darin Adler. 7 8 * fast/forms/image/image-error-event-modifies-type-crash-expected.txt: Added. 9 * fast/forms/image/image-error-event-modifies-type-crash.html: Added. 10 1 11 2013-03-11 Alok Priyadarshi <alokp@chromium.org> 2 12 -
trunk/Source/WebCore/ChangeLog
r145422 r145423 1 2013-03-11 Stephen Chenney <schenney@chromium.org> 2 3 HTMLInputElement can delete an ImageLoader while it's still needed 4 https://bugs.webkit.org/show_bug.cgi?id=110621 5 6 Reviewed by Darin Adler. 7 8 ImageLoader objects may fire events for HTMLInputElements that are of 9 type ImageInputType that own the loader. These events may cause script 10 to run that changes the type of the input element and hence causes the 11 ImageLoader to be deleted, while the image loader is still processing 12 the event dispatch. Bad things ensue. 13 14 This change moves ownership of the ImageLoader from the ImageInputType 15 onto the HTMLImageElement which is already protected from deletion during 16 event processing. 17 18 Test: fast/forms/image/image-error-event-modifies-type-crash.html 19 20 * html/HTMLInputElement.cpp: 21 (WebCore::HTMLInputElement::imageLoader): Method to return the 22 ImageLoader, creating it if not already created. 23 * html/HTMLInputElement.h: 24 (WebCore::HTMLInputElement::hasImageLoader): Return true if the 25 ImageLoader has been created. 26 (HTMLInputElement): Define ImageLoader access methods and the OwnPtr 27 for the HTMLImageLoader. 28 * html/ImageInputType.cpp: 29 (WebCore::ImageInputType::srcAttributeChanged): Use the element's ImageLoader. 30 (WebCore::ImageInputType::attach): Use the element's ImageLoader. 31 (WebCore::ImageInputType::willMoveToNewOwnerDocument): Use the element's ImageLoader. 32 (WebCore::ImageInputType::height): Use the element's ImageLoader. 33 (WebCore::ImageInputType::width): Use the element's ImageLoader. 34 * html/ImageInputType.h: 35 (ImageInputType): Remove the declaration of the ImageLoader. 36 1 37 2013-03-11 Alok Priyadarshi <alokp@chromium.org> 2 38 -
trunk/Source/WebCore/html/HTMLInputElement.cpp
r145055 r145423 48 48 #include "HTMLDataListElement.h" 49 49 #include "HTMLFormElement.h" 50 #include "HTMLImageLoader.h" 50 51 #include "HTMLNames.h" 51 52 #include "HTMLOptionElement.h" … … 146 147 inputElement->ensureUserAgentShadowRoot(); 147 148 return inputElement.release(); 149 } 150 151 HTMLImageLoader* HTMLInputElement::imageLoader() 152 { 153 if (!m_imageLoader) 154 m_imageLoader = adoptPtr(new HTMLImageLoader(this)); 155 return m_imageLoader.get(); 148 156 } 149 157 … … 1514 1522 void HTMLInputElement::didMoveToNewDocument(Document* oldDocument) 1515 1523 { 1516 m_inputType->willMoveToNewOwnerDocument(); 1524 if (hasImageLoader()) 1525 imageLoader()->elementDidMoveToNewDocument(); 1526 1517 1527 bool needsSuspensionCallback = this->needsSuspensionCallback(); 1518 1528 if (oldDocument) { -
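Review bot: `HTMLInputElement::imageLoader()` allocates the loader on its first call and nothing in this change ever resets `m_imageLoader`, so once an input has been type=image the loader stays alive for the element's whole lifetime even after the type changes — that is the intended fix, but the accessor should say so, e.g. `// Created on demand and kept until the element dies, even after the type changes away from "image", so an in-flight event dispatch never outlives its loader.` The same lifetime rule is why `didMoveToNewDocument` checks `hasImageLoader()` before calling `imageLoader()`: the unconditional accessor would allocate a loader for every non-image input that moves documents. The WebCore ChangeLog says ownership moved onto "the HTMLImageElement", but the code moves it onto `HTMLInputElement`; that wording is worth correcting. `didMoveToNewDocument` continues past the end of the hunk.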
trunk/Source/WebCore/html/HTMLInputElement.h
r145055 r145423 36 36 class FileList; 37 37 class HTMLDataListElement; 38 class HTMLImageLoader; 38 39 class HTMLOptionElement; 39 40 class Icon; … … 294 295 virtual void setRangeText(const String& replacement, ExceptionCode&) OVERRIDE; 295 296 virtual void setRangeText(const String& replacement, unsigned start, unsigned end, const String& selectionMode, ExceptionCode&) OVERRIDE; 297 298 bool hasImageLoader() const { return m_imageLoader; } 299 HTMLImageLoader* imageLoader(); 296 300 297 301 #if ENABLE(DATE_AND_TIME_INPUT_TYPES) … … 431 435 #endif 432 436 OwnPtr<InputType> m_inputType; 437 // The ImageLoader must be owned by this element because the loader code assumes 438 // that it lives as long as its owning element lives. If we move the loader into 439 // the ImageInput object we may delete the loader while this element lives on. 440 OwnPtr<HTMLImageLoader> m_imageLoader; 433 441 #if ENABLE(DATALIST_ELEMENT) 434 442 OwnPtr<ListAttributeTargetObserver> m_listAttributeTargetObserver; -
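Review bot: The new `imageLoader()` declaration gives no hint that the accessor has a side effect, yet `hasImageLoader()` only exists because calling `imageLoader()` creates the loader; a one-line comment on the pair would keep a future caller from allocating a loader on a query path, e.g. `HTMLImageLoader* imageLoader(); // Creates the loader on first call; check hasImageLoader() first where creating one is not wanted.` `hasImageLoader()` returns the `OwnPtr` itself and relies on its implicit conversion to bool, which is accepted WebKit style but worth knowing if the member's type ever changes. The member comment refers to "the ImageInput object"; the class is `ImageInputType`, so `// ... into the ImageInputType object ...` reads unambiguously.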
trunk/Source/WebCore/html/ImageInputType.cpp
r144568 r145423 121 121 if (!element()->renderer()) 122 122 return; 123 if (!m_imageLoader) 124 m_imageLoader = adoptPtr(new HTMLImageLoader(element())); 125 m_imageLoader->updateFromElementIgnoringPreviousError(); 123 element()->imageLoader()->updateFromElementIgnoringPreviousError(); 126 124 } 127 125 … … 130 128 BaseButtonInputType::attach(); 131 129 132 if (!m_imageLoader) 133 m_imageLoader = adoptPtr(new HTMLImageLoader(element())); 134 m_imageLoader->updateFromElement(); 130 HTMLImageLoader* imageLoader = element()->imageLoader(); 131 imageLoader->updateFromElement(); 135 132 136 133 RenderImage* renderer = toRenderImage(element()->renderer()); … … 138 135 return; 139 136 140 if ( m_imageLoader->hasPendingBeforeLoadEvent())137 if (imageLoader->hasPendingBeforeLoadEvent()) 141 138 return; 142 139 143 140 RenderImageResource* imageResource = renderer->imageResource(); 144 imageResource->setCachedImage( m_imageLoader->image());141 imageResource->setCachedImage(imageLoader->image()); 145 142 146 143 // If we have no image at all because we have no src attribute, set 147 144 // image height and width for the alt text instead. 148 if (! m_imageLoader->image() && !imageResource->cachedImage())145 if (!imageLoader->image() && !imageResource->cachedImage()) 149 146 renderer->setImageSizeForAltText(); 150 }151 152 void ImageInputType::willMoveToNewOwnerDocument()153 {154 BaseButtonInputType::willMoveToNewOwnerDocument();155 if (m_imageLoader)156 m_imageLoader->elementDidMoveToNewDocument();157 147 } 158 148 … … 193 183 194 184 // If the image is available, use its height. 
195 if (m_imageLoader && m_imageLoader->image()) 196 return m_imageLoader->image()->imageSizeForRenderer(element->renderer(), 1).height(); 185 if (element->hasImageLoader()) { 186 HTMLImageLoader* imageLoader = element->imageLoader(); 187 if (imageLoader->image()) 188 return imageLoader->image()->imageSizeForRenderer(element->renderer(), 1).height(); 189 } 197 190 } 198 191 … … 214 207 215 208 // If the image is available, use its width. 216 if (m_imageLoader && m_imageLoader->image()) 217 return m_imageLoader->image()->imageSizeForRenderer(element->renderer(), 1).width(); 209 if (element->hasImageLoader()) { 210 HTMLImageLoader* imageLoader = element->imageLoader(); 211 if (imageLoader->image()) 212 return imageLoader->image()->imageSizeForRenderer(element->renderer(), 1).width(); 213 } 218 214 } 219 215 -
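Review bot: `height()` and `width()` now repeat the same five-line check-then-fetch block, and the reason it is shaped that way — `imageLoader()` creates a loader, which a const size query must not do — is not written down anywhere in this file. A small file-local helper would state that once and collapse both hunks to a single `if (CachedImage* image = cachedImageIfLoaded(element))` test; this assumes `image()` returns `CachedImage*`, which the `setCachedImage(imageLoader->image())` call in `attach()` suggests but the hunk does not show. Both `height()` and `width()` start before their hunks, and the head of `attach()` is likewise outside the view, so the helper would sit above them in the file.
```cpp
// Returns the loaded image, or 0, without forcing lazy creation of the
// element's HTMLImageLoader: imageLoader() allocates one on first call,
// which a const size query must not do.
static CachedImage* cachedImageIfLoaded(HTMLInputElement* element)
{
    if (!element->hasImageLoader())
        return 0;
    return element->imageLoader()->image();
}

// … unchanged: srcAttributeChanged(), attach(), the head of height() …
    // If the image is available, use its height.
    if (CachedImage* image = cachedImageIfLoaded(element))
        return image->imageSizeForRenderer(element->renderer(), 1).height();
// … unchanged: the rest of height(), the head of width() …
    // If the image is available, use its width.
    if (CachedImage* image = cachedImageIfLoaded(element))
        return image->imageSizeForRenderer(element->renderer(), 1).width();
```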
trunk/Source/WebCore/html/ImageInputType.h
r116389 r145423 40 40 namespace WebCore { 41 41 42 class HTMLImageLoader;43 44 42 class ImageInputType : public BaseButtonInputType { 45 43 public: … … 57 55 virtual void srcAttributeChanged() OVERRIDE; 58 56 virtual void attach() OVERRIDE; 59 virtual void willMoveToNewOwnerDocument() OVERRIDE;60 57 virtual bool shouldRespectAlignAttribute() OVERRIDE; 61 58 virtual bool canBeSuccessfulSubmitButton() OVERRIDE; … … 66 63 virtual unsigned width() const OVERRIDE; 67 64 68 OwnPtr<HTMLImageLoader> m_imageLoader;69 65 IntPoint m_clickLocation; // Valid only during HTMLFormElement::prepareForSubmission(). 70 66 }; -
trunk/Source/WebCore/html/InputType.cpp
r145362 r145423 597 597 } 598 598 599 void InputType::willMoveToNewOwnerDocument()600 {601 }602 603 599 bool InputType::shouldRespectAlignAttribute() 604 600 { -
trunk/Source/WebCore/html/InputType.h
r145055 r145423 246 246 virtual void altAttributeChanged(); 247 247 virtual void srcAttributeChanged(); 248 virtual void willMoveToNewOwnerDocument();249 248 virtual bool shouldRespectAlignAttribute(); 250 249 virtual FileList* files();