Context Navigation

← Previous Changeset
Next Changeset →

Changeset 252062 in webkit

Timestamp:

Nov 5, 2019 10:52:12 AM (4 years ago)

Author:

Wenson Hsieh

Message:

Native text substitutions interfere with HTML <datalist> options resulting in crash
https://bugs.webkit.org/show_bug.cgi?id=203116
<rdar://problem/49875932>

Reviewed by Tim Horton.

Source/WebKit:

On macOS, an NSTableView inside a separate window is used to render suggestions when showing a datalist. The
crash happens when this table view is reloaded while clicking a datalist suggestion; that is, if -[NSTableView
reloadData] is invoked after the user sends a platform MouseDown event on the table view cell but before the
MouseUp is received, the selected row of the table view will be -1 when the action, -selectedRow:, is invoked.

In this particular case, the table view reload is triggered as a result of hiding the autocorrection bubble on
macOS, thereby committing the alternative text suggestion and changing the value of the text field via an
editing command.

To avoid crashing, we simply make -selectedRow: robust in the case where the index is invalid.

Test: fast/forms/datalist/datalist-click-crash.html

UIProcess/mac/WebDataListSuggestionsDropdownMac.mm:

(-[WKDataListSuggestionsController selectedRow:]):

Tools:

Add a new testing hook to wait for datalist suggestions to show up and choose the suggestion at the given index.

DumpRenderTree/mac/UIScriptControllerMac.h:
DumpRenderTree/mac/UIScriptControllerMac.mm:

(WTR::UIScriptControllerMac::activateDataListSuggestion):

TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl:
TestRunnerShared/UIScriptContext/UIScriptController.h:

(WTR::UIScriptController::activateDataListSuggestion):

WebKitTestRunner/ios/UIScriptControllerIOS.h:
WebKitTestRunner/ios/UIScriptControllerIOS.mm:

(WTR::UIScriptControllerIOS::activateDataListSuggestion):

WebKitTestRunner/mac/UIScriptControllerMac.h:
WebKitTestRunner/mac/UIScriptControllerMac.mm:

(WTR::UIScriptControllerMac::isShowingDataListSuggestions const):
(WTR::UIScriptControllerMac::activateDataListSuggestion):

Dig through the view hierarchy of the NSWindow subclass used to show datalist suggestions for the table view
containing the suggestions; then, select the given row, and invoke the action on the target.

(WTR::UIScriptControllerMac::dataListSuggestionsTableView const):

LayoutTests:

Add a new layout test to exercise the crash.

fast/forms/datalist/datalist-click-crash-expected.txt: Added.
fast/forms/datalist/datalist-click-crash.html: Added.
resources/ui-helper.js:

(window.UIHelper.activateDataListSuggestion):

Location:

trunk

Files:

: 2 added
: 13 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/forms/datalist/datalist-click-crash-expected.txt (added)
LayoutTests/fast/forms/datalist/datalist-click-crash.html (added)
LayoutTests/resources/ui-helper.js (modified) (1 diff)
Source/WebKit/ChangeLog (modified) (1 diff)
Source/WebKit/UIProcess/mac/WebDataListSuggestionsDropdownMac.mm (modified) (1 diff)
Tools/ChangeLog (modified) (1 diff)
Tools/DumpRenderTree/mac/UIScriptControllerMac.h (modified) (1 diff)
Tools/DumpRenderTree/mac/UIScriptControllerMac.mm (modified) (1 diff)
Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl (modified) (1 diff)
Tools/TestRunnerShared/UIScriptContext/UIScriptController.h (modified) (1 diff)
Tools/WebKitTestRunner/ios/UIScriptControllerIOS.h (modified) (1 diff)
Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm (modified) (1 diff)
Tools/WebKitTestRunner/mac/UIScriptControllerMac.h (modified) (2 diffs)
Tools/WebKitTestRunner/mac/UIScriptControllerMac.mm (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r252057
+                      r252062
+-11-05  Wenson Hsieh  <wenson_hsieh@apple.com>
+        Native text substitutions interfere with HTML <datalist> options resulting in crash
+        https://bugs.webkit.org/show_bug.cgi?id=203116
+        <rdar://problem/49875932>
+        Reviewed by Tim Horton.
+        Add a new layout test to exercise the crash.
+        * fast/forms/datalist/datalist-click-crash-expected.txt: Added.
+        * fast/forms/datalist/datalist-click-crash.html: Added.
+        * resources/ui-helper.js:
+        (window.UIHelper.activateDataListSuggestion):
 -11-05  Andy Estes  <aestes@apple.com>

trunk/LayoutTests/resources/ui-helper.js

-                      r251522
+                      r252062
+    }
+    static activateDataListSuggestion(index) {
+        const script = `uiController.activateDataListSuggestion(${index}, () => {
+            uiController.uiScriptComplete("");
+        });`;
+        return new Promise(resolve => testRunner.runUIScript(script, resolve));
+    }
     static isShowingDataListSuggestions()
+    {

trunk/Source/WebKit/ChangeLog

-                      r252060
+                      r252062
+-11-05  Wenson Hsieh  <wenson_hsieh@apple.com>
+        Native text substitutions interfere with HTML <datalist> options resulting in crash
+        https://bugs.webkit.org/show_bug.cgi?id=203116
+        <rdar://problem/49875932>
+        Reviewed by Tim Horton.
+        On macOS, an NSTableView inside a separate window is used to render suggestions when showing a datalist. The
+        crash happens when this table view is reloaded while clicking a datalist suggestion; that is, if -[NSTableView
+        reloadData] is invoked after the user sends a platform MouseDown event on the table view cell but before the
+        MouseUp is received, the selected row of the table view will be -1 when the action, `-selectedRow:`, is invoked.
+        In this particular case, the table view reload is triggered as a result of hiding the autocorrection bubble on
+        macOS, thereby committing the alternative text suggestion and changing the value of the text field via an
+        editing command.
+        To avoid crashing, we simply make `-selectedRow:` robust in the case where the index is invalid.
+        Test: fast/forms/datalist/datalist-click-crash.html
+        * UIProcess/mac/WebDataListSuggestionsDropdownMac.mm:
+        (-[WKDataListSuggestionsController selectedRow:]):
 -11-05  Sihui Liu  <sihui_liu@apple.com>

trunk/Source/WebKit/UIProcess/mac/WebDataListSuggestionsDropdownMac.mm

r250260	r252062
403	403	- (void)selectedRow:(NSTableView *)sender
404	404	{
405		_dropdown->didSelectOption(_suggestions.at([sender selectedRow]));
	405	auto selectedString = self.currentSelectedString;
	406	if (!selectedString)
	407	return;
	408
	409	_dropdown->didSelectOption(selectedString);
406	410	}
407	411

trunk/Tools/ChangeLog

-                      r252061
+                      r252062
+-11-05  Wenson Hsieh  <wenson_hsieh@apple.com>
+        Native text substitutions interfere with HTML <datalist> options resulting in crash
+        https://bugs.webkit.org/show_bug.cgi?id=203116
+        <rdar://problem/49875932>
+        Reviewed by Tim Horton.
+        Add a new testing hook to wait for datalist suggestions to show up and choose the suggestion at the given index.
+        * DumpRenderTree/mac/UIScriptControllerMac.h:
+        * DumpRenderTree/mac/UIScriptControllerMac.mm:
+        (WTR::UIScriptControllerMac::activateDataListSuggestion):
+        * TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl:
+        * TestRunnerShared/UIScriptContext/UIScriptController.h:
+        (WTR::UIScriptController::activateDataListSuggestion):
+        * WebKitTestRunner/ios/UIScriptControllerIOS.h:
+        * WebKitTestRunner/ios/UIScriptControllerIOS.mm:
+        (WTR::UIScriptControllerIOS::activateDataListSuggestion):
+        * WebKitTestRunner/mac/UIScriptControllerMac.h:
+        * WebKitTestRunner/mac/UIScriptControllerMac.mm:
+        (WTR::UIScriptControllerMac::isShowingDataListSuggestions const):
+        (WTR::UIScriptControllerMac::activateDataListSuggestion):
+        Dig through the view hierarchy of the NSWindow subclass used to show datalist suggestions for the table view
+        containing the suggestions; then, select the given row, and invoke the action on the target.
+        (WTR::UIScriptControllerMac::dataListSuggestionsTableView const):
 -11-05  Daniel Bates  <dabates@apple.com>

trunk/Tools/DumpRenderTree/mac/UIScriptControllerMac.h

r251377	r252062
51	51	NSUndoManager *platformUndoManager() const override;
52	52	void copyText(JSStringRef) override;
	53	void activateDataListSuggestion(long, JSValueRef) override;
53	54	};
54	55

trunk/Tools/DumpRenderTree/mac/UIScriptControllerMac.mm

-                      r251377
+                      r252062
+}
+void UIScriptControllerMac::activateDataListSuggestion(long index, JSValueRef callback)
+{
+    // FIXME: Not implemented.
+    UNUSED_PARAM(index);
+    unsigned callbackID = m_context->prepareForAsyncTask(callback, CallbackTypeNonPersistent);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        if (!m_context)
+            return;
+        m_context->asyncTaskComplete(callbackID);
+    });
+}
 void UIScriptControllerMac::overridePreference(JSStringRef preferenceRef, JSStringRef valueRef)
+{

trunk/Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl

r251522	r252062
220	220	// <datalist>
221	221	readonly attribute boolean isShowingDataListSuggestions;
	222	void activateDataListSuggestion(unsigned long index, object callback);
222	223
223	224	void keyboardAccessoryBarNext();

trunk/Tools/TestRunnerShared/UIScriptContext/UIScriptController.h

r251522	r252062
202	202	virtual void setDefaultCalendarType(JSStringRef calendarIdentifier) { notImplemented(); }
203	203	virtual JSObjectRef inputViewBounds() const { notImplemented(); return nullptr; }
	204	virtual void activateDataListSuggestion(long, JSValueRef) { notImplemented(); }
204	205
205	206	// Share Sheet

trunk/Tools/WebKitTestRunner/ios/UIScriptControllerIOS.h

r252012	r252062
130	130	void completeBackSwipe(JSValueRef) override;
131	131	bool isShowingDataListSuggestions() const override;
	132	void activateDataListSuggestion(long, JSValueRef) override;
132	133	void drawSquareInEditableImage() override;
133	134	long numberOfStrokesInEditableImage() override;

trunk/Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm

-                      r252012
+                      r252062
+}
+void UIScriptControllerIOS::activateDataListSuggestion(long index, JSValueRef callback)
+{
+    // FIXME: Not implemented.
+    UNUSED_PARAM(index);
+    unsigned callbackID = m_context->prepareForAsyncTask(callback, CallbackTypeNonPersistent);
+    dispatch_async(dispatch_get_main_queue(), ^{
+        if (!m_context)
+            return;
+        m_context->asyncTaskComplete(callbackID);
+    });
+}
 bool UIScriptControllerIOS::isShowingDataListSuggestions() const
+{

trunk/Tools/WebKitTestRunner/mac/UIScriptControllerMac.h

-                      r251279
+                      r252062
     void simulateAccessibilitySettingsChangeNotification(JSValueRef) override;
     bool isShowingDataListSuggestions() const override;
+    void activateDataListSuggestion(long index, JSValueRef callback) override;
     void beginBackSwipe(JSValueRef) override;
     void completeBackSwipe(JSValueRef) override;
 …
     void activateAtPoint(long x, long y, JSValueRef callback) override;
+private:
+    NSTableView *dataListSuggestionsTableView() const;
 };

trunk/Tools/WebKitTestRunner/mac/UIScriptControllerMac.mm

-                      r251279
+                      r252062
 #import "EventSenderProxy.h"
 #import "EventSerializerMac.h"
+#import "PlatformViewHelpers.h"
 #import "PlatformWebView.h"
 #import "SharedEventStreamsMac.h"
 …
 bool UIScriptControllerMac::isShowingDataListSuggestions() const
+{
+    return dataListSuggestionsTableView();
+}
+void UIScriptControllerMac::activateDataListSuggestion(long index, JSValueRef callback)
+{
+    unsigned callbackID = m_context->prepareForAsyncTask(callback, CallbackTypeNonPersistent);
+    RetainPtr<NSTableView> table;
+    do {
+        table = dataListSuggestionsTableView();
+    } while (index >= [table numberOfRows] && [[NSRunLoop currentRunLoop] runMode:NSDefaultRunLoopMode beforeDate:[NSDate distantPast]]);
+    [table selectRowIndexes:[NSIndexSet indexSetWithIndex:index] byExtendingSelection:NO];
+    // Send the action after a short delay to simulate normal user interaction.
+    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.05 * NSEC_PER_SEC)), dispatch_get_main_queue(), [this, protectedThis = makeRefPtr(*this), callbackID, table] {
+        if ([table window])
+            [table sendAction:[table action] to:[table target]];
+        if (!m_context)
+            return;
+        m_context->asyncTaskComplete(callbackID);
+    });
+}
+NSTableView *UIScriptControllerMac::dataListSuggestionsTableView() const
+{
     for (NSWindow *childWindow in webView().window.childWindows) {
         if ([childWindow isKindOfClass:NSClassFromString(@"WKDataListSuggestionWindow")])
             return true;
+    }
     return false;
+            return (NSTableView *)[findAllViewsInHierarchyOfType(childWindow.contentView, NSClassFromString(@"WKDataListSuggestionTableView")) firstObject];
+    }
+    return nil;
+}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 252062 in webkit

Legend:

Download in other formats: