Changeset 252478 in webkit


Timestamp:
Nov 14, 2019 7:26:51 PM (4 years ago)
Author:
Wenson Hsieh
Message:

Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root
https://bugs.webkit.org/show_bug.cgi?id=204208
<rdar://problem/57045830>

Reviewed by Tim Horton.

Source/WebCore:

r251110 refactored logic in RadioButtonGroup::updateCheckedState, such that it assumes that m_nameToGroupMap
always contains an entry for the given input element's name. Prior to r251110, it would bail if m_nameToGroupMap
didn't exist. In this particular case, a named input element is added to a shadow root that is disconnected from
the document. This means that in HTMLInputElement::didFinishInsertingNode(), we will avoid adding the element to
the radio button group, even though it has a tree scope due to the isConnected() check.

Later, when we try to set the checked attribute, we invoke updateCheckedState which sees that we have a tree
scope and assumes that we must have previously added the input element to the radio button map; this leads to a
nullptr deref, as the map is empty. Thus, to fix this, we change the isConnected() check to isInTreeScope().

Test: fast/forms/radio-input-in-shadow-root-crash.html

  • html/HTMLInputElement.cpp:

(WebCore::HTMLInputElement::didFinishInsertingNode):

LayoutTests:

Adds a new layout test to verify that we don't crash in this scenario.

  • fast/forms/radio-input-in-shadow-root-crash-expected.txt: Added.
  • fast/forms/radio-input-in-shadow-root-crash.html: Added.

2019-11-07 Youenn Fablet <youenn@apple.com>

Update libwebrtc to M78
https://bugs.webkit.org/show_bug.cgi?id=203897

Reviewed by Eric Carlson.

  • webrtc/simulcast-h264.html:

Update test to remove rid information from answer.
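The scenario described in the commit message, written up as a layout-test style page. This is an added example, not the project's own fast/forms/radio-input-in-shadow-root-crash.html: it attaches a shadow root to a host that is never inserted into the document, so the inputs have a tree scope but are not connected, then sets `checked` on them. The `testRunner` calls and the `result` element are assumptions of this example.

```html
<!DOCTYPE html>
<html>
<head>
<script>
// Added regression-style test modelled on the commit message; not the
// project's own layout test. Names such as makeRadio() are this example's.
if (window.testRunner)
    testRunner.dumpAsText();

function makeRadio(name) {
    const input = document.createElement("input");
    input.type = "radio";
    input.name = name;
    return input;
}

function run() {
    // The host is never appended to the document, so the shadow tree below it
    // is a tree scope (isInTreeScope() is true) while isConnected() is false.
    const host = document.createElement("div");
    const shadow = host.attachShadow({ mode: "open" });

    // Two inputs sharing a name, so a radio button group applies to them.
    const first = makeRadio("group");
    const second = makeRadio("group");
    shadow.append(first, second);

    // Before the fix, insertion skipped addToRadioButtonGroup() for these
    // disconnected inputs and the following assignments dereferenced a null
    // group entry inside RadioButtonGroup::updateCheckedState.
    first.checked = true;
    second.checked = true;

    // Also exercise the transition to a connected tree and back, so the
    // insertion and removal paths are both covered by the same page.
    document.body.appendChild(host);
    first.checked = true;
    host.remove();
    second.checked = true;

    document.getElementById("result").textContent = "PASS";
}
</script>
</head>
<body onload="run()">
<p>This test passes if it does not crash and the line below reads PASS.</p>
<pre id="result"></pre>
</body>
</html>
```

The page deliberately asserts only that it survives; whether the two radios in a disconnected shadow tree mutually exclude each other is a separate behaviour and is left out of the expected output so the test stays a pure crash check.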

Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r252472 r252478  
     12019-11-14  Wenson Hsieh  <wenson_hsieh@apple.com>
     2
     3        Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root
     4        https://bugs.webkit.org/show_bug.cgi?id=204208
     5        <rdar://problem/57045830>
     6
     7        Reviewed by Tim Horton.
     8
     9        Adds a new layout test to verify that we don't crash in this scenario.
     10
     11        * fast/forms/radio-input-in-shadow-root-crash-expected.txt: Added.
     12        * fast/forms/radio-input-in-shadow-root-crash.html: Added.
     13
    114 2019-11-07  Youenn Fablet  <youenn@apple.com>
    215
  • trunk/Source/WebCore/ChangeLog

    r252474 r252478  
     12019-11-14  Wenson Hsieh  <wenson_hsieh@apple.com>
     2
     3        Crash when setting HTMLInputElement.checked for a disconnected radio button in a shadow root
     4        https://bugs.webkit.org/show_bug.cgi?id=204208
     5        <rdar://problem/57045830>
     6
     7        Reviewed by Tim Horton.
     8
     9        r251110 refactored logic in RadioButtonGroup::updateCheckedState, such that it assumes that m_nameToGroupMap
     10        always contains an entry for the given input element's name. Prior to r251110, it would bail if m_nameToGroupMap
     11        didn't exist. In this particular case, a named input element is added to a shadow root that is disconnected from
     12        the document. This means that in HTMLInputElement::didFinishInsertingNode(), we will avoid adding the element to
     13        the radio button group, even though it has a tree scope due to the `isConnected()` check.
     14
     15        Later, when we try to set the `checked` attribute, we invoke updateCheckedState which sees that we have a tree
     16        scope and assumes that we must have previously added the input element to the radio button map; this leads to a
     17        nullptr deref, as the map is empty. Thus, to fix this, we change the `isConnected()` check to `isInTreeScope()`.
     18
     19        Test: fast/forms/radio-input-in-shadow-root-crash.html
     20
     21        * html/HTMLInputElement.cpp:
     22        (WebCore::HTMLInputElement::didFinishInsertingNode):
     23
    1242019-11-14  Jiewen Tan  <jiewen_tan@apple.com>
    225
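Review bot: lines 10-11 of the new entry say updateCheckedState "would bail if m_nameToGroupMap didn't exist", but lines 9-10 describe the map as always present and only possibly lacking an entry for the element's name; suggest "would bail if m_nameToGroupMap had no entry for the element's name" so the entry matches the code path it describes.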
  • trunk/Source/WebCore/html/HTMLInputElement.cpp

    r252392 r252478  
    15511551{
    15521552    HTMLTextFormControlElement::didFinishInsertingNode();
    1553     if (isConnected() && !form())
     1553    if (isInTreeScope() && !form())
    15541554        addToRadioButtonGroup();
    15551555}
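Review bot: widening the predicate at line 1553 from isConnected() to isInTreeScope() means addToRadioButtonGroup() now runs for inputs inside disconnected shadow trees, so the matching removal path should use the same predicate; otherwise an input removed from such a tree could leave a stale group entry behind. Since the ChangeLog notes that the pre-r251110 bail-out in RadioButtonGroup::updateCheckedState was removed and the crash came from assuming an entry exists, a defensive early return there when the name has no entry would make this call site's condition less load-bearing.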