Changeset 252478 in webkit
- Timestamp: Nov 14, 2019 7:26:51 PM (4 years ago)
- Location: trunk
- Files: 2 added, 3 edited
trunk/LayoutTests/ChangeLog
r252472 r252478 1 2019-11-14 Wenson Hsieh <wenson_hsieh@apple.com> 2 3 Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root 4 https://bugs.webkit.org/show_bug.cgi?id=204208 5 <rdar://problem/57045830> 6 7 Reviewed by Tim Horton. 8 9 Adds a new layout test to verify that we don't crash in this scenario. 10 11 * fast/forms/radio-input-in-shadow-root-crash-expected.txt: Added. 12 * fast/forms/radio-input-in-shadow-root-crash.html: Added. 13 1 14 2019-11-07 Youenn Fablet <youenn@apple.com> 2 15 -
trunk/Source/WebCore/ChangeLog
r252474 r252478 1 2019-11-14 Wenson Hsieh <wenson_hsieh@apple.com> 2 3 Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root 4 https://bugs.webkit.org/show_bug.cgi?id=204208 5 <rdar://problem/57045830> 6 7 Reviewed by Tim Horton. 8 9 r251110 refactored logic in RadioButtonGroup::updateCheckedState, such that it assumes that m_nameToGroupMap 10 always contains an entry for the given input element's name. Prior to r251110, it would bail if m_nameToGroupMap 11 didn't exist. In this particular case, a named input element is added to a shadow root that is disconnected from 12 the document. This means that in HTMLInputElement::didFinishInsertingNode(), we will avoid adding the element to 13 the radio button group, even though it has a tree scope due to the `isConnected()` check. 14 15 Later, when we try to set the `checked` attribute, we invoke updateCheckedState which sees that we have a tree 16 scope and assumes that we must have previously added the input element to the radio button map; this leads to a 17 nullptr deref, as the map is empty. Thus, to fix this, we change the `isConnected()` check to `isInTreeScope()`. 18 19 Test: fast/forms/radio-input-in-shadow-root-crash.html 20 21 * html/HTMLInputElement.cpp: 22 (WebCore::HTMLInputElement::didFinishInsertingNode): 23 1 24 2019-11-14 Jiewen Tan <jiewen_tan@apple.com> 2 25 -
trunk/Source/WebCore/html/HTMLInputElement.cpp
r252392 r252478 1551 1551 { 1552 1552 HTMLTextFormControlElement::didFinishInsertingNode(); 1553 if (is Connected() && !form())1553 if (isInTreeScope() && !form()) 1554 1554 addToRadioButtonGroup(); 1555 1555 }
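Review bot: the insertion-side condition in HTMLInputElement::didFinishInsertingNode is widened from isConnected() to isInTreeScope(), but the matching removal path is not part of this changeset; if that side still keys on isConnected(), a radio input removed from a disconnected shadow root would never be unregistered from the RadioButtonGroup map and would leave a stale entry behind, which is a worse failure than the null dereference being fixed here. Please confirm the removal hook uses the same isInTreeScope() predicate, or add the symmetric change in this patch. The ChangeLog should also say why the fix lands at the registration site rather than by restoring the early return that r251110 removed from RadioButtonGroup::updateCheckedState, since a defensive check there would also cover any other path that reaches updateCheckedState with an element that was never registered. Finally, the contents of the new layout test fast/forms/radio-input-in-shadow-root-crash.html are not visible in this view; it should at minimum create a disconnected shadow root, insert a named radio input, set checked, and then remove the input again so that both halves of the registration lifecycle are exercised.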