Regression(r236779): Crash when changing the input element type from inside an 'input...
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Oct 2018 18:26:29 +0000 (18:26 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Oct 2018 18:26:29 +0000 (18:26 +0000)
https://bugs.webkit.org/show_bug.cgi?id=190252

Reviewed by Alex Christensen.

Source/WebCore:

Add a null check for element() after firing the 'input' event and before firing the 'change' event
in case the input event listener changes the input type.

Tests: fast/dom/HTMLInputElement/change-type-in-click-event-listener.html
       fast/dom/HTMLInputElement/change-type-in-input-event-listener.html

* html/BaseCheckableInputType.cpp:
(WebCore::BaseCheckableInputType::fireInputAndChangeEvents):

LayoutTests:

Add layout test coverage.

* fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt: Added.
* fast/dom/HTMLInputElement/change-type-in-click-event-listener.html: Added.
* fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt: Added.
* fast/dom/HTMLInputElement/change-type-in-input-event-listener.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236803 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/BaseCheckableInputType.cpp

index 88aaa25..3eabb89 100644 (file)
@@ -1,3 +1,17 @@
+2018-10-03  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
+        https://bugs.webkit.org/show_bug.cgi?id=190252
+
+        Reviewed by Alex Christensen.
+
+        Add layout test coverage.
+
+        * fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt: Added.
+        * fast/dom/HTMLInputElement/change-type-in-click-event-listener.html: Added.
+        * fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt: Added.
+        * fast/dom/HTMLInputElement/change-type-in-input-event-listener.html: Added.
+
 2018-10-03  Matt Lewis  <jlewis3@apple.com>
 
         Unreviewed, rolling out r236781.
diff --git a/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt b/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener-expected.txt
new file mode 100644 (file)
index 0000000..74c5f8b
--- /dev/null
@@ -0,0 +1,10 @@
+Make sure we do not crash if the 'click' event listener changes the input type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Click event was fired
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html b/LayoutTests/fast/dom/HTMLInputElement/change-type-in-click-event-listener.html
new file mode 100644 (file)
index 0000000..62456dd
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../../resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Make sure we do not crash if the 'click' event listener changes the input type.");
+
+onload = () => {
+    testInput.addEventListener("click", () => {
+        testPassed("Click event was fired");
+        testInput.type = "text";
+    });
+
+    testInput.addEventListener("input", () => {
+        testFailed("input event should not have fired");
+    });
+    testInput.addEventListener("change", () => {
+        testFailed("change event should not have fired");
+    });
+    testInput.click();
+    setTimeout(finishJSTest, 0);
+};
+</script>
+<input type="checkbox" id="testInput"></input>
+</body>
+</html>
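Review bot: The two `testFailed` listeners for `input` and `change` assert behaviour that the C++ change in this commit does not touch. The guard added in BaseCheckableInputType.cpp sits between the input and change dispatch, while this test changes the type in the `click` listener and expects neither event to fire. Say in the description or the ChangeLog which existing check this test pins down, so that a later failure points at the right code. Minor: `<input>` is a void element, so the closing `</input>` can be dropped.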
diff --git a/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt b/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener-expected.txt
new file mode 100644 (file)
index 0000000..61a34ba
--- /dev/null
@@ -0,0 +1,10 @@
+Make sure we do not crash if the 'input' event listener changes the input type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Input event was fired
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html b/LayoutTests/fast/dom/HTMLInputElement/change-type-in-input-event-listener.html
new file mode 100644 (file)
index 0000000..605da1f
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../../resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Make sure we do not crash if the 'input' event listener changes the input type.");
+
+onload = () => {
+    testInput.addEventListener("input", () => {
+        testPassed("Input event was fired");
+        testInput.type = "text";
+    });
+    testInput.addEventListener("change", () => {
+        testFailed("change event should not have fired");
+    });
+    testInput.click();
+    setTimeout(finishJSTest, 0);
+};
+</script>
+<input type="checkbox" id="testInput"></input>
+</body>
+</html>
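Review bot: Only `type="checkbox"` is exercised here, although the fix is in BaseCheckableInputType::fireInputAndChangeEvents, which by its name is shared by the checkable input types; a `type="radio"` variant of this test would cover the other user of that path. It would also help to assert the end state after `testInput.click()`, for example that `testInput.type` is "text", so the test verifies more than the absence of a crash and of a `change` event.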
index 21581a1..64636c1 100644 (file)
@@ -1,5 +1,21 @@
 2018-10-03  Chris Dumez  <cdumez@apple.com>
 
+        Regression(r236779): Crash when changing the input element type from inside an 'input' event listener
+        https://bugs.webkit.org/show_bug.cgi?id=190252
+
+        Reviewed by Alex Christensen.
+
+        Add a null check for element() after firing the 'input' event and before firing the 'change' event
+        in case the input event listener changes the input type.
+
+        Tests: fast/dom/HTMLInputElement/change-type-in-click-event-listener.html
+               fast/dom/HTMLInputElement/change-type-in-input-event-listener.html
+
+        * html/BaseCheckableInputType.cpp:
+        (WebCore::BaseCheckableInputType::fireInputAndChangeEvents):
+
+2018-10-03  Chris Dumez  <cdumez@apple.com>
+
         Passing noopener=NOOPENER to window.open() should cause the new window to not have an opener
         https://bugs.webkit.org/show_bug.cgi?id=190251
 
index 4403d60..7350e7e 100644 (file)
@@ -129,7 +129,8 @@ void BaseCheckableInputType::fireInputAndChangeEvents()
 
     element()->setTextAsOfLastFormControlChangeEvent(String());
     element()->dispatchInputEvent();
-    element()->dispatchFormControlChangeEvent();
+    if (auto* element = this->element())
+        element->dispatchFormControlChangeEvent();
 }
 
 } // namespace WebCore
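Review bot: The new `if (auto* element = this->element())` carries no comment saying why element() can be null at this point; a one-line comment that the 'input' event listener may change the input type would keep the check from being removed as dead code later. The check also reads `this` after `dispatchInputEvent()` has run script, so it relies on this InputType object outliving the dispatch. The hunk does not show what guarantees that, so it is worth confirming and noting next to the check. Naming the local `element` shadows the `element()` accessor used two lines above; a distinct name would read more clearly.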