Crash when 'input' event handler for input[type=color] changes the input type
authorddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Jun 2016 16:50:21 +0000 (16:50 +0000)
committerddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Jun 2016 16:50:21 +0000 (16:50 +0000)
commita800ed64ff905ca4ecb59c65e444ce61359d14c4
treec7c27f1137cfa14369ac807899330af6b949cf48
parentc709e32129556c7edfb66edb088f85b41d411c0d
Crash when 'input' event handler for input[type=color] changes the input type
<https://webkit.org/b/159262>
<rdar://problem/27020404>

Reviewed by Daniel Bates.

Source/WebCore:

Fix based on a Blink change (patch by <tkent@chromium.org>):
<https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>

Test: fast/forms/color/color-type-change-on-input-crash.html

* html/ColorInputType.cpp:
(WebCore::ColorInputType::didChooseColor): Add EventQueueScope
before setValueFromRenderer() to fix the bug.
* html/HTMLInputElement.h:
(WebCore::HTMLInputElement::setValueFromRenderer): Add comment
about how to use this method.

LayoutTests:

Test based on a Blink change (patch by <tkent@chromium.org>):
<https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>

* fast/forms/color/color-type-change-on-input-crash-expected.txt: Added.
* fast/forms/color/color-type-change-on-input-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202626 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/forms/color/color-type-change-on-input-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/color/color-type-change-on-input-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/ColorInputType.cpp
Source/WebCore/html/HTMLInputElement.h