Fix crashes for <input> and <textarea> with display:run-in.
authortkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Aug 2012 03:31:22 +0000 (03:31 +0000)
committertkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Aug 2012 03:31:22 +0000 (03:31 +0000)
https://bugs.webkit.org/show_bug.cgi?id=87300

Reviewed by Abhishek Arya.

Source/WebCore:

Introduce RenderObject::canBeReplacedWithInlineRunIn, and renderers which
should not be run-in override it so that it returns false.

Test: fast/runin/input-text-runin.html
      fast/runin/textarea-runin.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::moveRunInUnderSiblingBlockIfNeeded):
Checks canBeReplacedWithInlineRunIn instead of checking tag names.
* rendering/RenderFileUploadControl.cpp:
(WebCore::RenderFileUploadControl::canBeReplacedWithInlineRunIn):
Added. Disallow run-in.
* rendering/RenderFileUploadControl.h:
(RenderFileUploadControl): Declare canBeReplacedWithInlineRunIn.
* rendering/RenderListBox.cpp:
(WebCore::RenderListBox::canBeReplacedWithInlineRunIn):
Added. Disallow run-in. This is not a behavior change.
* rendering/RenderListBox.h:
(RenderListBox): Declare canBeReplacedWithInlineRunIn.
* rendering/RenderMenuList.cpp:
(WebCore::RenderMenuList::canBeReplacedWithInlineRunIn):
Added. Disallow run-in. This is not a behavior change.
* rendering/RenderMenuList.h:
(RenderMenuList): Declare canBeReplacedWithInlineRunIn.
* rendering/RenderObject.cpp:
(WebCore::RenderObject::canBeReplacedWithInlineRunIn):
Added. Allow run-in by default.
* rendering/RenderObject.h:
(RenderObject): Declare canBeReplacedWithInlineRunIn.
* rendering/RenderProgress.cpp:
(WebCore::RenderProgress::canBeReplacedWithInlineRunIn):
Added. Disallow run-in. This is not a behavior change.
* rendering/RenderProgress.h:
(RenderProgress): Declare canBeReplacedWithInlineRunIn.
* rendering/RenderSlider.cpp:
(WebCore::RenderSlider::canBeReplacedWithInlineRunIn):
Added. Disallow run-in.
* rendering/RenderSlider.h:
(RenderSlider): Declare canBeReplacedWithInlineRunIn.
* rendering/RenderTextControl.cpp:
(WebCore::RenderTextControl::canBeReplacedWithInlineRunIn):
Added. Disallow run-in.
* rendering/RenderTextControl.h:
(RenderTextControl): Declare canBeReplacedWithInlineRunIn.

LayoutTests:

* fast/runin/input-text-runin-expected.txt: Added.
* fast/runin/input-text-runin.html: Added.
* fast/runin/textarea-runin-expected.txt: Added.
* fast/runin/textarea-runin.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@124556 268f45cc-cd09-0410-ab3c-d52691b4dbfc

21 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/runin/input-text-runin-expected.txt [new file with mode: 0644]
LayoutTests/fast/runin/input-text-runin.html [new file with mode: 0644]
LayoutTests/fast/runin/textarea-runin-expected.txt [new file with mode: 0644]
LayoutTests/fast/runin/textarea-runin.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/RenderFileUploadControl.cpp
Source/WebCore/rendering/RenderFileUploadControl.h
Source/WebCore/rendering/RenderListBox.cpp
Source/WebCore/rendering/RenderListBox.h
Source/WebCore/rendering/RenderMenuList.cpp
Source/WebCore/rendering/RenderMenuList.h
Source/WebCore/rendering/RenderObject.cpp
Source/WebCore/rendering/RenderObject.h
Source/WebCore/rendering/RenderProgress.cpp
Source/WebCore/rendering/RenderProgress.h
Source/WebCore/rendering/RenderSlider.cpp
Source/WebCore/rendering/RenderSlider.h
Source/WebCore/rendering/RenderTextControl.cpp
Source/WebCore/rendering/RenderTextControl.h

index d156d7f..0f547c4 100644 (file)
@@ -1,3 +1,15 @@
+2012-08-02  Kent Tamura  <tkent@chromium.org>
+
+        Fix crashes for <input> and <textarea> with display:run-in.
+        https://bugs.webkit.org/show_bug.cgi?id=87300
+
+        Reviewed by Abhishek Arya.
+
+        * fast/runin/input-text-runin-expected.txt: Added.
+        * fast/runin/input-text-runin.html: Added.
+        * fast/runin/textarea-runin-expected.txt: Added.
+        * fast/runin/textarea-text-runin.html: Added.
+
 2012-08-02  Filip Pizlo  <fpizlo@apple.com>
 
         ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes
diff --git a/LayoutTests/fast/runin/input-text-runin-expected.txt b/LayoutTests/fast/runin/input-text-runin-expected.txt
new file mode 100644 (file)
index 0000000..0724b25
--- /dev/null
@@ -0,0 +1 @@
+PASS if not crashed
diff --git a/LayoutTests/fast/runin/input-text-runin.html b/LayoutTests/fast/runin/input-text-runin.html
new file mode 100644 (file)
index 0000000..32243e8
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<head>
+<style>
+#el0 { -webkit-appearance: none; }
+.c0 { display: run-in; }
+</style>
+</head>
+<body><input type=text id=el0>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.appendChild(el0);
+document.body.appendChild(document.createElement('div'));
+document.body.offsetTop;
+el0.classList.add('c0');
+document.body.offsetTop;
+document.body.innerHTML = 'PASS if not crashed';
+</script>
+</body>
diff --git a/LayoutTests/fast/runin/textarea-runin-expected.txt b/LayoutTests/fast/runin/textarea-runin-expected.txt
new file mode 100644 (file)
index 0000000..0724b25
--- /dev/null
@@ -0,0 +1 @@
+PASS if not crashed
diff --git a/LayoutTests/fast/runin/textarea-runin.html b/LayoutTests/fast/runin/textarea-runin.html
new file mode 100644 (file)
index 0000000..14ff982
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<head>
+<style>
+#el0 { -webkit-appearance: none; }
+.c0 { display: run-in; }
+</style>
+</head>
+<body><textarea id=el0></textarea>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.appendChild(el0);
+document.body.appendChild(document.createElement('div'));
+document.body.offsetTop;
+el0.classList.add('c0');
+eventSender.mouseMoveTo(20, 10);
+eventSender.mouseDown();
+eventSender.mouseUp();
+document.body.innerHTML = 'PASS if not crashed';
+</script>
+</body>
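Review bot: `eventSender` is called unguarded on the three mouse lines, while `testRunner` two lines earlier is guarded with `if (window.testRunner)`; opened outside the test harness the script stops with a ReferenceError before `PASS if not crashed` is written, so the page never reaches its pass marker. Wrap the calls: `if (window.eventSender) { eventSender.mouseMoveTo(20, 10); eventSender.mouseDown(); eventSender.mouseUp(); }`. Unlike input-text-runin.html, this test also does not read `document.body.offsetTop;` after adding the run-in class, so layout here is presumably forced only by the synthetic mouse events; adding that read after `el0.classList.add('c0');` would keep the layout step independent of eventSender.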
index 72725cf..5a106d1 100644 (file)
@@ -1,3 +1,55 @@
+2012-08-02  Kent Tamura  <tkent@chromium.org>
+
+        Fix crashes for <input> and <textarea> with display:run-in.
+        https://bugs.webkit.org/show_bug.cgi?id=87300
+
+        Reviewed by Abhishek Arya.
+
+        Introduce RenderObject::canBeReplacedWithInlineRunIn, and renderers which
+        should not be run-in override it so that it returns false.
+
+        Test: fast/runin/input-text-runin.html
+              fast/runin/textarea-runin.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::moveRunInUnderSiblingBlockIfNeeded):
+        Checks canBeReplacedWithInlineRunIn instead of checking tag names.
+        * rendering/RenderFileUploadControl.cpp:
+        (WebCore::RenderFileUploadControl::canBeReplacedWithInlineRunIn):
+        Added. Disallow run-in.
+        * rendering/RenderFileUploadControl.h:
+        (RenderFileUploadControl): Declare canBeReplacedWithInlineRunIn.
+        * rendering/RenderListBox.cpp:
+        (WebCore::RenderListBox::canBeReplacedWithInlineRunIn):
+        Added. Disallow run-in. This is not a behavior change.
+        * rendering/RenderListBox.h:
+        (RenderListBox): Declare canBeReplacedWithInlineRunIn.
+        * rendering/RenderMenuList.cpp:
+        (WebCore::RenderMenuList::canBeReplacedWithInlineRunIn):
+        Added. Disallow run-in. This is not a behavior change.
+        * rendering/RenderMenuList.h:
+        (RenderMenuList): Declare canBeReplacedWithInlineRunIn.
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::canBeReplacedWithInlineRunIn):
+        Added. Allow run-in by default.
+        * rendering/RenderObject.h:
+        (RenderObject): Declare canBeReplacedWithInlineRunIn.
+        * rendering/RenderProgress.cpp:
+        (WebCore::RenderProgress::canBeReplacedWithInlineRunIn):
+        Added. Disallow run-in. This is not a behavior change.
+        * rendering/RenderProgress.h:
+        (RenderProgress): Declare canBeReplacedWithInlineRunIn.
+        * rendering/RenderSlider.cpp:
+        (WebCore::RenderSlider::canBeReplacedWithInlineRunIn):
+        Added. Disallow run-in.
+        * rendering/RenderSlider.h:
+        (RenderSlider): Declare canBeReplacedWithInlineRunIn.
+        * rendering/RenderTextControl.cpp:
+        (WebCore::RenderTextControl::canBeReplacedWithInlineRunIn):
+        Added. Disallow run-in.
+        * rendering/RenderTextControl.h:
+        (RenderTextControl): Declare canBeReplacedWithInlineRunIn.
+
 2012-08-02  Kihong Kwon  <kihong.kwon@samsung.com>
 
         [EFL] Fix wrong assigned value of BatteryStatus
index 56c2b24..27e8e63 100755 (executable)
@@ -1834,11 +1834,7 @@ void RenderBlock::moveRunInUnderSiblingBlockIfNeeded(RenderObject* runIn)
 
     // Check if this node is allowed to run-in. E.g. <select> expects its renderer to
     // be a RenderListBox or RenderMenuList, and hence cannot be a RenderInline run-in.
-    Node* runInNode = runIn->node();
-    if (runInNode && runInNode->hasTagName(selectTag))
-        return;
-
-    if (runInNode && runInNode->hasTagName(progressTag))
+    if (!runIn->canBeReplacedWithInlineRunIn())
         return;
 
     RenderObject* curr = runIn->nextSibling();
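Review bot: The comment kept above the new call still explains the check in terms of <select> and the tag-name test that this hunk replaces with a per-renderer virtual, so a reader now has to consult the ChangeLog to learn that text controls, sliders, file-upload and progress renderers opt out as well. I would reword it to `// Renderers that must keep their concrete type (e.g. RenderListBox/RenderMenuList for <select>, RenderTextControl for <input>/<textarea>) cannot be swapped for a RenderInline run-in; they opt out via canBeReplacedWithInlineRunIn().` Worth noting in that comment too: the new check no longer depends on runIn having a node, so renderers without one are now decided by the virtual instead of falling through. moveRunInUnderSiblingBlockIfNeeded starts and ends outside the hunk.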
index 3b880cc..49c0af1 100644 (file)
@@ -60,6 +60,11 @@ RenderFileUploadControl::~RenderFileUploadControl()
 {
 }
 
+bool RenderFileUploadControl::canBeReplacedWithInlineRunIn() const
+{
+    return false;
+}
+
 void RenderFileUploadControl::updateFromElement()
 {
     HTMLInputElement* input = static_cast<HTMLInputElement*>(node());
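Review bot: The new override returns false with no indication of why this renderer must not become a run-in; the same applies to the identical overrides added in RenderListBox.cpp, RenderMenuList.cpp, RenderProgress.cpp, RenderSlider.cpp and RenderTextControl.cpp. A one-line comment above each `return false;` would save the next reader a trip to bug 87300, e.g. `// This control relies on its concrete renderer type; replacing it with a RenderInline run-in is not supported.` For the three classes whose ChangeLog entry says "not a behavior change" (list box, menu list, progress), the comment could add that the override replaces the former selectTag/progressTag check in RenderBlock::moveRunInUnderSiblingBlockIfNeeded.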
index 11015eb..2ce4ca6 100644 (file)
@@ -44,6 +44,7 @@ public:
 private:
     virtual const char* renderName() const { return "RenderFileUploadControl"; }
 
+    virtual bool canBeReplacedWithInlineRunIn() const OVERRIDE;
     virtual void updateFromElement();
     virtual void computePreferredLogicalWidths();
     virtual void paintObject(PaintInfo&, const LayoutPoint&);
index 21b5977..dffb8d9 100644 (file)
@@ -146,6 +146,11 @@ void RenderListBox::updateFromElement()
     }
 }
 
+bool RenderListBox::canBeReplacedWithInlineRunIn() const
+{
+    return false;
+}
+
 void RenderListBox::selectionChanged()
 {
     repaint();
index 10b1945..95f3989 100644 (file)
@@ -61,7 +61,7 @@ private:
     virtual bool isListBox() const { return true; }
 
     virtual void updateFromElement();
-
+    virtual bool canBeReplacedWithInlineRunIn() const OVERRIDE;
     virtual bool hasControlClip() const { return true; }
     virtual void paintObject(PaintInfo&, const LayoutPoint&);
     virtual LayoutRect controlClipRect(const LayoutPoint&) const;
index 56eccf8..521cc03 100644 (file)
@@ -74,6 +74,11 @@ RenderMenuList::~RenderMenuList()
     m_popup = 0;
 }
 
+bool RenderMenuList::canBeReplacedWithInlineRunIn() const
+{
+    return false;
+}
+
 void RenderMenuList::createInnerBlock()
 {
     if (m_innerBlock) {
index 7466b1f..0b43008 100644 (file)
@@ -68,6 +68,7 @@ private:
     virtual LayoutRect controlClipRect(const LayoutPoint&) const;
     virtual bool hasControlClip() const { return true; }
     virtual bool canHaveGeneratedChildren() const OVERRIDE { return false; }
+    virtual bool canBeReplacedWithInlineRunIn() const OVERRIDE;
 
     virtual const char* renderName() const { return "RenderMenuList"; }
 
index aa7b6bf..909ecb3 100755 (executable)
@@ -2899,6 +2899,11 @@ bool RenderObject::canHaveGeneratedChildren() const
     return canHaveChildren();
 }
 
+bool RenderObject::canBeReplacedWithInlineRunIn() const
+{
+    return true;
+}
+
 #if ENABLE(SVG)
 
 RenderSVGResourceContainer* RenderObject::toRenderSVGResourceContainer()
index e303625..e6e6e50 100644 (file)
@@ -927,6 +927,8 @@ protected:
 
     virtual LayoutRect outlineBoundsForRepaint(RenderBoxModelObject* /*repaintContainer*/, LayoutPoint* /*cachedOffsetToRepaintContainer*/ = 0) const { return LayoutRect(); }
 
+    virtual bool canBeReplacedWithInlineRunIn() const;
+
 private:
     RenderStyle* firstLineStyleSlowCase() const;
     StyleDifference adjustStyleDifference(StyleDifference, unsigned contextSensitiveProperties) const;
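Review bot: The hunk header places the new declaration in a `protected:` section, immediately before `private:`, yet RenderBlock::moveRunInUnderSiblingBlockIfNeeded in this commit calls `runIn->canBeReplacedWithInlineRunIn()` through a plain `RenderObject*`; C++ lets a derived class reach a protected base member only through an object of its own type, so unless RenderObject grants RenderBlock access some other way (not visible here) that call is ill-formed and the declaration belongs in a `public:` section. The declaration also carries no statement of its contract; I would add above it `// Returns true if this renderer may be replaced by a RenderInline when its element has display:run-in (see RenderBlock::moveRunInUnderSiblingBlockIfNeeded). Renderers that depend on their concrete type override this to return false.`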
index d004506..24a208a 100644 (file)
@@ -59,6 +59,11 @@ void RenderProgress::updateFromElement()
     RenderBlock::updateFromElement();
 }
 
+bool RenderProgress::canBeReplacedWithInlineRunIn() const
+{
+    return false;
+}
+
 double RenderProgress::animationProgress() const
 {
     return m_animating ? (fmod((currentTime() - m_animationStartTime), m_animationDuration) / m_animationDuration) : 0;
index 96921bd..cb06381 100644 (file)
@@ -46,6 +46,7 @@ private:
     virtual bool isProgress() const { return true; }
     virtual bool requiresForcedStyleRecalcPropagation() const { return true; }
     virtual void updateFromElement();
+    virtual bool canBeReplacedWithInlineRunIn() const OVERRIDE;
 
     void animationTimerFired(Timer<RenderProgress>*);
     void updateAnimationState();
index f78ba5c..1abca2f 100644 (file)
@@ -59,6 +59,11 @@ RenderSlider::~RenderSlider()
 {
 }
 
+bool RenderSlider::canBeReplacedWithInlineRunIn() const
+{
+    return false;
+}
+
 LayoutUnit RenderSlider::baselinePosition(FontBaseline, bool /*firstLine*/, LineDirectionMode, LinePositionMode) const
 {
     // FIXME: Patch this function for writing-mode.
index 5709e2d..ebd0bd8 100644 (file)
@@ -39,6 +39,7 @@ namespace WebCore {
     private:
         virtual const char* renderName() const { return "RenderSlider"; }
         virtual bool isSlider() const { return true; }
+        virtual bool canBeReplacedWithInlineRunIn() const OVERRIDE;
 
         virtual LayoutUnit baselinePosition(FontBaseline, bool firstLine, LineDirectionMode, LinePositionMode = PositionOnContainingLine) const;
         virtual void computePreferredLogicalWidths();
index d07c811..10a420a 100644 (file)
@@ -299,4 +299,9 @@ RenderObject* RenderTextControl::layoutSpecialExcludedChild(bool relayoutChildre
     return placeholderRenderer;
 }
 
+bool RenderTextControl::canBeReplacedWithInlineRunIn() const
+{
+    return false;
+}
+
 } // namespace WebCore
index 1a48f5d..b8f1f30 100644 (file)
@@ -72,6 +72,7 @@ private:
     virtual void removeLeftoverAnonymousBlock(RenderBlock*) { }
     virtual bool avoidsFloats() const { return true; }
     virtual bool canHaveGeneratedChildren() const OVERRIDE { return false; }
+    virtual bool canBeReplacedWithInlineRunIn() const OVERRIDE;
     
     virtual void addFocusRingRects(Vector<IntRect>&, const LayoutPoint&);