Crash when attempting to change input type while dismissing datalist suggestions
author wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Mar 2019 03:11:38 +0000 (03:11 +0000)
committer wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Mar 2019 03:11:38 +0000 (03:11 +0000)
https://bugs.webkit.org/show_bug.cgi?id=195384
<rdar://problem/48563718>

Reviewed by Brent Fulgham.

Source/WebCore:

When closing a datalist suggestion menu, WebPageProxy sends a message to WebPage instructing it to tell its
active datalist suggestions picker to close. However, for a myriad of reasons, the suggestions picker (kept
alive by its text input type) may have already gone away by this point. To mitigate this, make WebPage weakly
reference its active datalist suggestions picker.

Test: fast/forms/datalist/change-input-type-after-closing-datalist-suggestions.html

* platform/DataListSuggestionPicker.h:

Make DataListSuggestionPicker capable of being weakly referenced. Additionally, fix some minor preexisting
issues in this header (#imports instead of #includes, as well as an unnecessary include of IntRect.h).

Source/WebKit:

See WebCore ChangeLog for more details.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::setActiveDataListSuggestionPicker):
(WebKit::WebPage::didSelectDataListOption):
(WebKit::WebPage::didCloseSuggestions):
* WebProcess/WebPage/WebPage.h:

Turn m_activeDataListSuggestionPicker from a raw pointer into a WeakPtr.

LayoutTests:

Add a new layout test to exercise this scenario.

* fast/forms/datalist/change-input-type-after-closing-datalist-suggestions-expected.txt: Added.
* fast/forms/datalist/change-input-type-after-closing-datalist-suggestions.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242587 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/datalist/change-input-type-after-closing-datalist-suggestions-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/datalist/change-input-type-after-closing-datalist-suggestions.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/DataListSuggestionPicker.h
Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebPage/WebPage.cpp
Source/WebKit/WebProcess/WebPage/WebPage.h

index 37ca95a..0b83f07 100644 (file)
@@ -1,3 +1,16 @@
+2019-03-06  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Crash when attempting to change input type while dismissing datalist suggestions
+        https://bugs.webkit.org/show_bug.cgi?id=195384
+        <rdar://problem/48563718>
+
+        Reviewed by Brent Fulgham.
+
+        Add a new layout test to exercise this scenario.
+
+        * fast/forms/datalist/change-input-type-after-closing-datalist-suggestions-expected.txt: Added.
+        * fast/forms/datalist/change-input-type-after-closing-datalist-suggestions.html: Added.
+
 2019-03-06  Justin Fan  <justin_fan@apple.com>
 
         [Web GPU] GPUTexture and GPUTextureView updates, and related GPUBindGroup updates
diff --git a/LayoutTests/fast/forms/datalist/change-input-type-after-closing-datalist-suggestions-expected.txt b/LayoutTests/fast/forms/datalist/change-input-type-after-closing-datalist-suggestions-expected.txt
new file mode 100644 (file)
index 0000000..bfb9505
--- /dev/null
@@ -0,0 +1,3 @@
+This test verifies that the type of an input with an associated datalist can be changed immediately after the datalist suggestions menu is closed. To test manually, load this page and check that it does not crash.
+
+
diff --git a/LayoutTests/fast/forms/datalist/change-input-type-after-closing-datalist-suggestions.html b/LayoutTests/fast/forms/datalist/change-input-type-after-closing-datalist-suggestions.html
new file mode 100644 (file)
index 0000000..8932435
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <p>This test verifies that the type of an input with an associated datalist can be changed immediately after the datalist suggestions menu is closed. To test manually, load this page and check that it does not crash.</p>
+    <input value="a" id="input" list="datalist">
+    <datalist id="datalist">
+        <option>a</option>
+    </datalist>
+</body>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    input.select();
+    document.execCommand("Delete");
+    input.type = "button";
+</script>
+</html>
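Review bot: The script ends immediately after `input.type = "button";` with no `testRunner.waitUntilDone()` / `testRunner.notifyDone()` pair, yet the ChangeLog says the close is delivered as a message from WebPageProxy to WebPage. As written, the test may finish dumping before that message is handled, so a regression might not be attributed to this test. Consider holding the test open until the close message has had a chance to be processed. Minor: the `<script>` element sits after `</body>`; moving it inside the body keeps the markup valid.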
index 0504256..17893ea 100644 (file)
@@ -1,3 +1,23 @@
+2019-03-06  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Crash when attempting to change input type while dismissing datalist suggestions
+        https://bugs.webkit.org/show_bug.cgi?id=195384
+        <rdar://problem/48563718>
+
+        Reviewed by Brent Fulgham.
+
+        When closing a datalist suggestion menu, WebPageProxy sends a message to WebPage instructing it to tell its
+        active datalist suggestions picker to close. However, for a myriad of reasons, the suggestions picker (kept
+        alive by its text input type) may have already gone away by this point. To mitigate this, make WebPage weakly
+        reference its active datalist suggestions picker.
+
+        Test: fast/forms/datalist/change-input-type-after-closing-datalist-suggestions.html
+
+        * platform/DataListSuggestionPicker.h:
+
+        Make DataListSuggestionPicker capable of being weakly referenced. Additionally, fix some minor preexisting
+        issues in this header (#imports instead of #includes, as well as an unnecessary include of IntRect.h).
+
 2019-03-06  Ryan Haddad  <ryanhaddad@apple.com>
 
         Remove an unneeded assert that was added with r242113
index 468ca66..dbdcd01 100644 (file)
 
 #if ENABLE(DATALIST_ELEMENT)
 
-#import "DataListSuggestionInformation.h"
-#import "IntRect.h"
-
-#import <wtf/text/WTFString.h>
+#include "DataListSuggestionInformation.h"
+#include <wtf/WeakPtr.h>
+#include <wtf/text/WTFString.h>
 
 namespace WebCore {
 
-class DataListSuggestionPicker {
+class DataListSuggestionPicker : public CanMakeWeakPtr<DataListSuggestionPicker> {
     WTF_MAKE_FAST_ALLOCATED;
 public:
     virtual ~DataListSuggestionPicker() = default;
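Review bot: Removing `IntRect.h` from this header also removes it for every file that includes `DataListSuggestionPicker.h`. Please confirm no includer was relying on it transitively for `IntRect`, since that kind of breakage tends to show up only in some build configurations. Separately, a short comment next to `CanMakeWeakPtr<DataListSuggestionPicker>` saying that WebPage holds the picker weakly because its owning input type can destroy it first would help the next reader understand why the base class is there.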
index a162030..df04689 100644 (file)
@@ -1,3 +1,21 @@
+2019-03-06  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Crash when attempting to change input type while dismissing datalist suggestions
+        https://bugs.webkit.org/show_bug.cgi?id=195384
+        <rdar://problem/48563718>
+
+        Reviewed by Brent Fulgham.
+
+        See WebCore ChangeLog for more details.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::setActiveDataListSuggestionPicker):
+        (WebKit::WebPage::didSelectDataListOption):
+        (WebKit::WebPage::didCloseSuggestions):
+        * WebProcess/WebPage/WebPage.h:
+
+        Turn m_activeDataListSuggestionPicker from a raw pointer into a WeakPtr.
+
 2019-03-06  Chris Dumez  <cdumez@apple.com>
 
         [iOS] ProcessDidResume() IPC should be sent upon resuming when ProcessWillSuspendImminently() IPC was sent
index c64ecdd..840a02d 100644 (file)
@@ -3899,19 +3899,19 @@ void WebPage::didChooseColor(const WebCore::Color& color)
 
 void WebPage::setActiveDataListSuggestionPicker(WebDataListSuggestionPicker* dataListSuggestionPicker)
 {
-    m_activeDataListSuggestionPicker = dataListSuggestionPicker;
+    m_activeDataListSuggestionPicker = makeWeakPtr(dataListSuggestionPicker);
 }
 
 void WebPage::didSelectDataListOption(const String& selectedOption)
 {
-    m_activeDataListSuggestionPicker->didSelectOption(selectedOption);
+    if (m_activeDataListSuggestionPicker)
+        m_activeDataListSuggestionPicker->didSelectOption(selectedOption);
 }
 
 void WebPage::didCloseSuggestions()
 {
-    if (m_activeDataListSuggestionPicker)
-        m_activeDataListSuggestionPicker->didCloseSuggestions();
-    m_activeDataListSuggestionPicker = nullptr;
+    if (auto picker = std::exchange(m_activeDataListSuggestionPicker, nullptr))
+        picker->didCloseSuggestions();
 }
 
 #endif
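Review bot: In `didSelectDataListOption` and `didCloseSuggestions` the WeakPtr is checked only before the call, and a weak reference does not keep the picker alive while `didSelectOption` or `didCloseSuggestions` is executing. If either callback can end up tearing down the owning input type (the situation the ChangeLog describes), the object would be destroyed mid-call. Please confirm the callees tolerate that, or make sure the owner stays alive for the duration of the call. Also, `setActiveDataListSuggestionPicker` still takes a raw pointer, so it is worth confirming that `makeWeakPtr(dataListSuggestionPicker)` is well defined when the argument is null.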
index 2dc9e51..1d010a8 100644 (file)
@@ -1657,7 +1657,7 @@ private:
 #endif
 
 #if ENABLE(DATALIST_ELEMENT)
-    WebDataListSuggestionPicker* m_activeDataListSuggestionPicker { nullptr };
+    WeakPtr<WebDataListSuggestionPicker> m_activeDataListSuggestionPicker;
 #endif
 
     RefPtr<WebOpenPanelResultListener> m_activeOpenPanelResultListener;