Dragging from inner side of video to outside causes a crash
author changseok.oh@collabora.com <changseok.oh@collabora.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Jan 2014 04:12:23 +0000 (04:12 +0000)
committer changseok.oh@collabora.com <changseok.oh@collabora.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Jan 2014 04:12:23 +0000 (04:12 +0000)
https://bugs.webkit.org/show_bug.cgi?id=126338

Reviewed by Jer Noble.

Source/WebCore:

The crash happens while dragging the mouse cursor through the timeline control to outside
of the video region. This is because media controls are selected with the drag.
The media controls disappear when the mouse cursor goes outside of the video though
the dragging/selection proceeds. Once media controls are hidden, related elements
lose their renderers. However, the drag is still ongoing. It requires the shadowPseudoId
of the selected controls. Unfortunately, SliderThumbElement/SliderContainerElement
don't return a static value for the shadowPseudoId unlike other media controls,
but they need a renderer to determine it. This is the reason for the crash.

Test: media/media-controller-drag-crash.html

* html/shadow/SliderThumbElement.cpp:
(WebCore::SliderThumbElement::shadowPseudoId):
(WebCore::SliderContainerElement::shadowPseudoId):

LayoutTests:

This tests that dragging through timeslider control to outside of video causes a crash.
The crash happened on both gtk+ and efl ports not using MEDIA_CONTROL_SCRIPT.

* media/media-controller-drag-crash-expected.txt: Added.
* media/media-controller-drag-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@162683 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/media/media-controller-drag-crash-expected.txt [new file with mode: 0644]
LayoutTests/media/media-controller-drag-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/shadow/SliderThumbElement.cpp

index 2d3a739..abd3581 100644 (file)
@@ -1,3 +1,16 @@
+2014-01-23  ChangSeok Oh  <changseok.oh@collabora.com>
+
+        Dragging from inner side of video to outside causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=126338
+
+        Reviewed by Jer Noble.
+
+        This tests that dragging through timeslider control to outside of video causes a crash.
+        The crash happened on both gtk+ and efl ports not using MEDIA_CONTROL_SCRIPT.
+
+        * media/media-controller-drag-crash-expected.txt: Added.
+        * media/media-controller-drag-crash.html: Added.
+
 2014-01-23  Jon Honeycutt  <jhoneycutt@apple.com>
 
         Assertion failure in WebCore::PseudoElement::didRecalcStyle()
diff --git a/LayoutTests/media/media-controller-drag-crash-expected.txt b/LayoutTests/media/media-controller-drag-crash-expected.txt
new file mode 100644 (file)
index 0000000..bb54cdb
--- /dev/null
@@ -0,0 +1,9 @@
+Test that dragging through the timebar causes a crash.
+
+
+EVENT(canplaythrough)
+RUN(video.play())
+Mouse dragging.
+No crash. PASS.
+END OF TEST
+
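Review bot: the first line of the expected output, "Test that dragging through the timebar causes a crash.", states the opposite of what the test checks, since the pass line further down is "No crash. PASS.". Reword it to something like "Test that dragging through the timebar does not cause a crash." and make the same change to the matching <p> text in media-controller-drag-crash.html so the expectation file and the test stay in sync.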
diff --git a/LayoutTests/media/media-controller-drag-crash.html b/LayoutTests/media/media-controller-drag-crash.html
new file mode 100644 (file)
index 0000000..c7fbad1
--- /dev/null
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Dragging through timebar test</title>
+    <script src=media-controls.js></script>
+    <script src=media-file.js></script>
+    <script src=video-test.js></script>
+    <script>
+      if (window.testRunner)
+        testRunner.dumpAsText();
+
+      function test()
+      {
+        run('video.play()');
+
+        if (window.eventSender) {
+          consoleWrite("Mouse dragging.");
+
+          var timelineCoordinate;
+          try {
+            timelineCoordinate = mediaControlsButtonCoordinates(video, "timeline");
+          } catch (exception) {
+            failTest(exception.description);
+            return;
+          }
+          var x = timelineCoordinate[0];
+          var y = timelineCoordinate[1];
+
+          eventSender.dragMode = false;
+          eventSender.mouseMoveTo(x, y - 100);
+          eventSender.mouseDown();
+          eventSender.mouseMoveTo(x, y);
+          eventSender.mouseMoveTo(x, y + 100);
+        }
+        window.setTimeout("finish()", 1000);
+      }
+
+      function finish()
+      {
+        consoleWrite("No crash. PASS.")
+        if (window.eventSender)
+          eventSender.mouseUp();
+        endTest();
+      }
+
+      function start()
+      {
+        findMediaElement();
+        waitForEvent('canplaythrough', test);
+        video.src = findMediaFile("video", "content/test");
+      }
+    </script>
+  </head>
+  <body onload="start()">
+    <p>Test that dragging through the timebar causes a crash.</p>
+    <video controls></video>
+  </body>
+</html>
+
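Review bot: finish() writes "No crash. PASS." unconditionally, but the drag in test() only runs inside `if (window.eventSender)`, so loading this page without eventSender reports a pass without ever exercising the crash path. Have the missing-eventSender case log that the test requires eventSender instead of printing the PASS line. Smaller points in the same script: `window.setTimeout("finish()", 1000)` should pass the function reference, `setTimeout(finish, 1000)`, rather than a string to be evaluated, and the consoleWrite call in finish() is missing its semicolon.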
index e0dd867..190d5b3 100644 (file)
@@ -1,3 +1,25 @@
+2014-01-23  ChangSeok Oh  <changseok.oh@collabora.com>
+
+        Dragging from inner side of video to outside causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=126338
+
+        Reviewed by Jer Noble.
+
+        The crash happens while dragging mouse cursor through timeline control to outside
+        of video region. This is beacause media controls are selected with the drag.
+        The media controls disappear when mouse cursor goes outside of video though
+        the dragging/selection proceeds. If once media controls are hidden, related element
+        lose their renderers. However the drag is still under going. it requires shadowPseudoId
+        of the selected controls. Untorntunately, SliderThumbElement/SliderContainerElement
+        don't return a static value for the shadowPseudoId unlike other media controls,
+        but they need a renderer to determine it. This is the reason of crash.
+
+        Test: media/media-controller-drag-crash.html
+
+        * html/shadow/SliderThumbElement.cpp:
+        (WebCore::SliderThumbElement::shadowPseudoId):
+        (WebCore::SliderContainerElement::shadowPseudoId):
+
 2014-01-23  Brady Eidson  <beidson@apple.com>
 
         IDB: Implement SQLite backing store 'get' support
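Review bot: this entry explains the cause of the crash at length but never says what the change does in the two functions it lists. Add a sentence stating that SliderThumbElement::shadowPseudoId() and SliderContainerElement::shadowPseudoId() now return emptyAtom when the host input has no renderer. While editing, fix the typos in the description: "beacause", "under going. it requires" and "Untorntunately".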
index fab77fc..33dbf2e 100644 (file)
@@ -579,6 +579,8 @@ const AtomicString& SliderThumbElement::shadowPseudoId() const
     HTMLInputElement* input = hostInput();
     if (!input)
         return sliderThumbShadowPseudoId();
+    if (!input->renderer())
+        return emptyAtom;
 
     const RenderStyle& sliderStyle = input->renderer()->style();
     switch (sliderStyle.appearance()) {
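Review bot: the new `if (!input->renderer())` branch returns emptyAtom, while the `!input` branch directly above it returns sliderThumbShadowPseudoId(), and nothing in the patch says why a missing renderer should yield an empty pseudo id rather than the same default. Either return the default here too or add a one-line comment explaining the choice, because the same element now reports a different pseudo id depending on whether it is currently rendered. Also consider holding input->renderer() in a local so the check and the following `input->renderer()->style()` use the same pointer.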
@@ -624,6 +626,8 @@ const AtomicString& SliderContainerElement::shadowPseudoId() const
     HTMLInputElement* input = shadowHost()->toInputElement();
     if (!input)
         return sliderContainer;
+    if (!input->renderer())
+        return emptyAtom;
 
     const RenderStyle& sliderStyle = input->renderer()->style();
     switch (sliderStyle.appearance()) {
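Review bot: the guard added here covers a null renderer, but the context line `shadowHost()->toInputElement()` just above it still dereferences shadowHost() with no check, whereas SliderThumbElement uses hostInput() for the same lookup. If hiding the controls can also leave this element without a host, the new check is never reached; confirm that cannot happen or guard it. The new branch also returns emptyAtom where the `!input` branch returns sliderContainer, so a short comment on why the two fallbacks differ would help.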