Changeset 230400 in webkit


Timestamp: Apr 9, 2018 3:53:14 AM (6 years ago)
Author: Carlos Garcia Campos
Message:

Merge r229393 - Invalid innerTextRenderer in RenderTextControlSingleLine::styleDidChange()
https://bugs.webkit.org/show_bug.cgi?id=183385
<rdar://problem/38085397>

Reviewed by Antti Koivisto.

Source/WebCore:

When HTMLInputElement::updateType() is called with a dirty value, we eagerly change the m_inputType first
and then we take care of the dirty value by calling setAttributeWithoutSynchronization().
With a DOMSubtreeModified event listener attached, setAttributeWithoutSynchronization() can end up running some
layout code (offsetHeight) with a renderer - m_inputType mismatch.

This patch ensures that we don't change the m_inputType until after we finished setting the new value.

Test: fast/DOM/HTMLInputElement/input-value-and-type-change-crash.html

  • html/HTMLInputElement.cpp:
    (WebCore::HTMLInputElement::updateType):

LayoutTests:

  • fast/DOM/HTMLInputElement/input-value-and-type-change-crash-expected.txt: Added.
  • fast/DOM/HTMLInputElement/input-value-and-type-change-crash.html: Added.
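The sequence the commit message describes (dirty value, DOMSubtreeModified listener forcing layout through offsetHeight, then a type change), written as a WebKit-style regression page. This is an added illustration, not the input-value-and-type-change-crash.html file from the tree, whose contents are not shown on this page; the choice of "text" and "submit" as the types that do and do not store their value separately from the attribute is an assumption.

```html
<!DOCTYPE html>
<html>
<body>
<script>
// Assumption: reconstructs the scenario in the commit message; it is not the
// project's own layout test. Under the fixed build the page simply prints PASS.
if (window.testRunner)
    testRunner.dumpAsText();

var input = document.createElement("input");
input.type = "text";      // assumed: a type that stores its value separately from the attribute
document.body.appendChild(input);
input.value = "dirty";    // makes hasDirtyValue() true inside updateType()

// setAttributeWithoutSynchronization(valueAttr, ...) fires this listener while
// updateType() is still in progress; reading offsetHeight forces layout there.
document.addEventListener("DOMSubtreeModified", function () {
    input.offsetHeight;
});

// Switching to a type that does not store the value separately (assumed: submit)
// flushes the dirty value into the value attribute, the path the patch reorders.
input.type = "submit";

document.body.appendChild(document.createTextNode("PASS: type change with a dirty value and a mutation listener did not crash."));
</script>
</body>
</html>
```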
Location: releases/WebKitGTK/webkit-2.20
Files: 4 added, 3 edited

  • releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog

    r230399 r230400  
     12018-03-07  Zalan Bujtas  <zalan@apple.com>
     2
     3        Invalid innerTextRenderer in RenderTextControlSingleLine::styleDidChange()
     4        https://bugs.webkit.org/show_bug.cgi?id=183385
     5        <rdar://problem/38085397>
     6
     7        Reviewed by Antti Koivisto.
     8
     9        * fast/DOM/HTMLInputElement/input-value-and-type-change-crash-expected.txt: Added.
     10        * fast/DOM/HTMLInputElement/input-value-and-type-change-crash.html: Added.
     11
    1122018-03-07  Sihui Liu  <sihui_liu@apple.com>
    213
  • releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog

    r230399 r230400  
     12018-03-07  Zalan Bujtas  <zalan@apple.com>
     2
     3        Invalid innerTextRenderer in RenderTextControlSingleLine::styleDidChange()
     4        https://bugs.webkit.org/show_bug.cgi?id=183385
     5        <rdar://problem/38085397>
     6
     7        Reviewed by Antti Koivisto.
     8
     9        When HTMLInputElement::updateType() is called with a dirty value, we eagerly change the m_inputType first
     10        and then we take care of the dirty value by calling setAttributeWithoutSynchronization().
     11        With a DOMSubtreeModified event listener attached, setAttributeWithoutSynchronization() can end up running some
     12        layout code (offsetHeight) with a renderer - m_inputType mismatch.
     13
     14        This patch ensures that we don't change the m_inputType until after we finished setting the new value.
     15
     16        Test: fast/DOM/HTMLInputElement/input-value-and-type-change-crash.html
     17
     18        * html/HTMLInputElement.cpp:
     19        (WebCore::HTMLInputElement::updateType):
     20
    1212018-03-07  Sihui Liu  <sihui_liu@apple.com>
    222
  • releases/WebKitGTK/webkit-2.20/Source/WebCore/html/HTMLInputElement.cpp

    r227092 r230400  
    492492
    493493    bool didStoreValue = m_inputType->storesValueSeparateFromAttribute();
     494    bool willStoreValue = newType->storesValueSeparateFromAttribute();
    494495    bool neededSuspensionCallback = needsSuspensionCallback();
    495496    bool didRespectHeightAndWidth = m_inputType->shouldRespectHeightAndWidthAttributes();
    496497    bool wasSuccessfulSubmitButtonCandidate = m_inputType->canBeSuccessfulSubmitButton();
    497498
     499    if (didStoreValue && !willStoreValue && hasDirtyValue()) {
     500        setAttributeWithoutSynchronization(valueAttr, m_valueIfDirty);
     501        m_valueIfDirty = String();
     502    }
     503
    498504    m_inputType->destroyShadowSubtree();
    499505
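Review bot: moving the dirty-value flush above `m_inputType->destroyShadowSubtree()` (new lines 499-502) means `setAttributeWithoutSynchronization(valueAttr, m_valueIfDirty)` now runs while `m_inputType` and the renderer still belong to the old type, which is the point of the fix, but since a DOMSubtreeModified listener can run arbitrary script at that call, the hunk does not show what protects the rest of updateType() if that script re-enters updateType() or detaches the element before line 504 destroys the old shadow subtree; please confirm the caller guards against re-entrancy, or add an early return or ASSERT covering it. A one-line comment above line 499 saying why this block must precede the type swap would keep it from being moved back later. Line 494 also dereferences `newType`; if non-null is guaranteed earlier in the function, an ASSERT there would document that.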
     
    504510    setNeedsWillValidateCheck();
    505511
    506     bool willStoreValue = m_inputType->storesValueSeparateFromAttribute();
    507 
    508     if (didStoreValue && !willStoreValue && hasDirtyValue()) {
    509         setAttributeWithoutSynchronization(valueAttr, m_valueIfDirty);
    510         m_valueIfDirty = String();
    511     }
    512512    if (!didStoreValue && willStoreValue)
    513513        m_valueIfDirty = sanitizeValue(attributeWithoutSynchronization(valueAttr));
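Review bot: with the old `willStoreValue` definition and flush block removed (old lines 506-511), line 512's `if (!didStoreValue && willStoreValue)` now depends on the `willStoreValue` captured from `newType` in the earlier hunk; that is equivalent because `m_inputType` has become `newType` by this point, but the definition and this use are now far apart, so a short comment here noting that it was computed before the swap would help. The early flush also clears `m_valueIfDirty` before the old type is torn down; worth checking that nothing in the lines between the two hunks (not shown) reads `m_valueIfDirty` expecting the pre-flush value.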