Context Navigation

Changeset 202626 in webkit

Timestamp:

Jun 29, 2016 9:50:21 AM (8 years ago)

Author:

ddkilzer@apple.com

Message:

Crash when 'input' event handler for input[type=color] changes the input type
<https://webkit.org/b/159262>
<rdar://problem/27020404>

Reviewed by Daniel Bates.

Source/WebCore:

Test: fast/forms/color/color-type-change-on-input-crash.html

(WebCore::ColorInputType::didChooseColor): Add EventQueueScope
before setValueFromRenderer() to fix the bug.

(WebCore::HTMLInputElement::setValueFromRenderer): Add comment
about how to use this method.

LayoutTests:

Location:

trunk

Files:

-                      r202625
+                      r202626
+-06-29  David Kilzer  <ddkilzer@apple.com>
+        Crash when 'input' event handler for input[type=color] changes the input type
+        <https://webkit.org/b/159262>
+        <rdar://problem/27020404>
+        Reviewed by Daniel Bates.
+        Test based on a Blink change (patch by <tkent@chromium.org>):
+        <https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>
+        * fast/forms/color/color-type-change-on-input-crash-expected.txt: Added.
+        * fast/forms/color/color-type-change-on-input-crash.html: Added.
 -06-29  Adam Bergkvist  <adam.bergkvist@ericsson.com>

-                      r202625
+                      r202626
+-06-29  David Kilzer  <ddkilzer@apple.com>
+        Crash when 'input' event handler for input[type=color] changes the input type
+        <https://webkit.org/b/159262>
+        <rdar://problem/27020404>
+        Reviewed by Daniel Bates.
+        Fix based on a Blink change (patch by <tkent@chromium.org>):
+        <https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>
+        Test: fast/forms/color/color-type-change-on-input-crash.html
+        * html/ColorInputType.cpp:
+        (WebCore::ColorInputType::didChooseColor): Add EventQueueScope
+        before setValueFromRenderer() to fix the bug.
+        * html/HTMLInputElement.h:
+        (WebCore::HTMLInputElement::setValueFromRenderer): Add comment
+        about how to use this method.
 -06-29  Adam Bergkvist  <adam.bergkvist@ericsson.com>

-                      r200696
+                      r202626
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
  * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 #include "RenderObject.h"
 #include "RenderView.h"
+#include "ScopedEventQueue.h"
 #include "ScriptController.h"
 #include "ShadowRoot.h"
 …
     if (element().isDisabledOrReadOnly() || color == valueAsColor())
         return;
+    EventQueueScope scope;
     element().setValueFromRenderer(color.serialized());
     updateColorSwatch();

-                      r202245
+                      r202626
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2000 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Samsung Electronics. All rights reserved.
+ *
 …
     String valueWithDefault() const;
+    // This function dispatches 'input' event for non-textfield types. Callers
+    // need to handle any DOM structure changes by event handlers, or need to
+    // delay the 'input' event with EventQueueScope.
     void setValueFromRenderer(const String&);

Note: See TracChangeset for help on using the changeset viewer.