Changeset 57116 in webkit

Timestamp:

Apr 5, 2010 8:08:45 PM (14 years ago)

Author:

jamesr@google.com

Message:

2010-04-05 Dimitri Glazkov <Dimitri Glazkov> and James Robinson <​jamesr@chromium.org>

Reviewed by Darin Adler and Dimitri Glazkov.

Style update done due to mutation event dispatching in textarea can be
used to corrupt the render tree.
​https://bugs.webkit.org/show_bug.cgi?id=36864

Tests: fast/forms/select-change-listbox-to-popup-roundtrip.html

fast/forms/select-change-popup-to-listbox-roundtrip.html
fast/forms/textarea-and-mutation-events.html

• dom/Document.cpp: (WebCore::Document::finishedParsing): Added updateStyleIfNeeded()

call to ensure that object loads start before firing window load.

• dom/Node.cpp: (WebCore::Node::dispatchGenericEvent): Removed invocation of

Document::updateStyleForAllDocuments

• html/HTMLSelectElement.cpp: (WebCore::HTMLSelectElement::parseMappedAttribute): Added explicit

recalc to ensure accuracy of representation, especially for
menuList/listBox switches.

2010-04-05 Dimitri Glazkov <Dimitri Glazkov>

Reviewed by Darin Adler

Style update done due to mutation event dispatching in textarea can be
used to corrupt the render tree.
​https://bugs.webkit.org/show_bug.cgi?id=36864

Modified listbox-selection.html to correctly set the size during
creation. Otherwise, options added to it as a menuList, resulting
in a default selection of the first item.

Added a few more tests to ensure we capture correct behavior for
select elements and their default selection, as well as the influence
of when layout occurs.

• fast/forms/listbox-selection.html:
• fast/forms/select-change-listbox-to-popup-roundtrip.html: Added.
• fast/forms/select-change-popup-to-listbox-roundtrip.html: Added.
• fast/forms/textarea-and-mutation-events.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/forms/listbox-selection.html (modified) (1 diff)
• LayoutTests/fast/forms/select-change-listbox-to-popup-roundtrip-expected.txt (added)
• LayoutTests/fast/forms/select-change-listbox-to-popup-roundtrip.html (added)
• LayoutTests/fast/forms/select-change-popup-to-listbox-roundtrip-expected.txt (added)
• LayoutTests/fast/forms/select-change-popup-to-listbox-roundtrip.html (added)
• LayoutTests/fast/forms/textarea-and-mutation-events-expected.txt (added)
• LayoutTests/fast/forms/textarea-and-mutation-events.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/dom/Document.cpp (modified) (1 diff)
• WebCore/dom/Node.cpp (modified) (1 diff)
• WebCore/html/HTMLSelectElement.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-04-05  Dimitri Glazkov  <dglazkov@chromium.org>
+
+        Reviewed by Darin Adler
+
+        Style update done due to mutation event dispatching in textarea can be
+        used to corrupt the render tree.
+        https://bugs.webkit.org/show_bug.cgi?id=36864
+
+        Modified listbox-selection.html to correctly set the size during
+        creation. Otherwise, options added to it as a menuList, resulting
+        in a default selection of the first item.
+
+        Added a few more tests to ensure we capture correct behavior for
+        select elements and their default selection, as well as the influence
+        of when layout occurs.
+
+        * fast/forms/listbox-selection.html:
+        * fast/forms/select-change-listbox-to-popup-roundtrip.html: Added.
+        * fast/forms/select-change-popup-to-listbox-roundtrip.html: Added.
+        * fast/forms/textarea-and-mutation-events.html: Added.
+
 2010-04-05  Mark Rowe  <mrowe@apple.com>
 

trunk/LayoutTests/fast/forms/listbox-selection.html

@@ -151 +151 @@
                 var sl = document.createElement("select");
                 var i = 0;
+                sl.size = sz;
                 while (i < sz) {
                     var opt = document.createElement("option");
                     if (i == selIndex)
                         opt.selected = true;
-                    opt.innerText = "item " + i;
+                    opt.textContent = "item " + i;
                     sl.appendChild(opt);
                     i++;
                 }
-                sl.size = sz;
                 sl.multiple = mlt;
                 sl.id = idName;

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-04-05  Dimitri Glazkov  <dglazkov@chromium.org> and James Robinson <jamesr@chromium.org>
+
+        Reviewed by Darin Adler and Dimitri Glazkov.
+
+        Style update done due to mutation event dispatching in textarea can be
+        used to corrupt the render tree.
+        https://bugs.webkit.org/show_bug.cgi?id=36864
+
+        Tests: fast/forms/select-change-listbox-to-popup-roundtrip.html
+               fast/forms/select-change-popup-to-listbox-roundtrip.html
+               fast/forms/textarea-and-mutation-events.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::finishedParsing): Added updateStyleIfNeeded()
+            call to ensure that object loads start before firing window load.
+        * dom/Node.cpp:
+        (WebCore::Node::dispatchGenericEvent): Removed invocation of
+            Document::updateStyleForAllDocuments
+        * html/HTMLSelectElement.cpp:
+        (WebCore::HTMLSelectElement::parseMappedAttribute): Added explicit
+            recalc to ensure accuracy of representation, especially for
+            menuList/listBox switches.
+
 2010-04-05  Antonio Gomes  <tonikitoo@webkit.org>
 

trunk/WebCore/dom/Document.cpp

@@ -4190 +4190 @@
     setParsing(false);
     dispatchEvent(Event::create(eventNames().DOMContentLoadedEvent, true, false));
+
     if (Frame* f = frame()) {
+        // FrameLoader::finishedParsing() might end up calling Document::implicitClose() if all
+        // resource loads are complete. HTMLObjectElements can start loading their resources from
+        // post attach callbacks triggered by recalcStyle().  This means if we parse out an <object>
+        // tag and then reach the end of the document without updating styles, we might not have yet
+        // started the resource load and might fire the window load event too early.  To avoid this
+        // we force the styles to be up to date before calling FrameLoader::finishedParsing().
+        // See https://bugs.webkit.org/show_bug.cgi?id=36864 starting around comment 35.
+        updateStyleIfNeeded();
+
         f->loader()->finishedParsing();
 

trunk/WebCore/dom/Node.cpp

@@ -2706 +2706 @@
 #endif
 
-    Document::updateStyleForAllDocuments();
-
     return !event->defaultPrevented();
 }

trunk/WebCore/html/HTMLSelectElement.cpp

@@ -201 +201 @@
         if (attrSize != attr->value())
             attr->setValue(attrSize);
-
-        m_data.setSize(max(size, 1));
+        size = max(size, 1);
+
+        // Ensure that we've determined selectedness of the items at least once prior to changing the size.
+        if (oldSize != size)
+            recalcListItemsIfNeeded();
+
+        m_data.setSize(size);
         if ((oldUsesMenuList != m_data.usesMenuList() || (!oldUsesMenuList && m_data.size() != oldSize)) && attached()) {
             detach();