https://bugs.webkit.org/show_bug.cgi?id=171547
<rdar://problem/31935047>
Reviewed by Antti Koivisto.
Source/WebCore:
Normally we've got the correct renderer by the time we call into SearchInputType.
However, since HTMLInputElement::updateType() eagerly updates the type while the associated renderers are done lazily
(so we don't get them updated until after the next tree update), we could actually end up
with a mismatched renderer (e.g. through form submission).
Test: fast/forms/change-input-type-and-submit-form-crash.html
* html/SearchInputType.cpp:
(WebCore::SearchInputType::addSearchResult):
(WebCore::SearchInputType::didSetValueByUserEdit):
LayoutTests:
* fast/forms/change-input-type-and-submit-form-crash-expected.txt: Added.
* fast/forms/change-input-type-and-submit-form-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@216159 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2017-05-03 Zalan Bujtas <zalan@apple.com>
+
+ SearchInputType could end up with a mismatched renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=171547
+ <rdar://problem/31935047>
+
+ Reviewed by Antti Koivisto.
+
+ * fast/forms/change-input-type-and-submit-form-crash-expected.txt: Added.
+ * fast/forms/change-input-type-and-submit-form-crash.html: Added.
+
2017-05-03 Ryan Haddad <ryanhaddad@apple.com>
Mark media/modern-media-controls/slider/slider-styles.html as flaky on mac-wk1.
--- /dev/null
+PASS if no crash or assert.
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that submitting a form soon after changing the input type is ok.</title>
+</head>
+<body>
+PASS if no crash or assert.
+<form id=formToSubmit><input id=inputToChange results="1"></form>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.body.offsetHeight;
+inputToChange.value = "1";
+inputToChange.type = "search";
+formToSubmit.submit();
+</script>
+<body>
+</html>
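Review bot: The tag just before `</html>` in the new test is a second opening `<body>` rather than `</body>`; the parser tolerates it, but the markup should be closed properly. A one-line comment would also help on `document.body.offsetHeight;`, which is presumably there to force a layout so the input has a renderer for its original type before `inputToChange.type = "search";` runs. That ordering is what the test depends on, and it is not obvious from the script alone.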
+2017-05-03 Zalan Bujtas <zalan@apple.com>
+
+ SearchInputType could end up with a mismatched renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=171547
+ <rdar://problem/31935047>
+
+ Reviewed by Antti Koivisto.
+
+ Normally we've got the correct renderer by the time we call into SearchInputType.
+ However, since HTMLInputElement::updateType() eagerly updates the type while the associated renderers are done lazily
+ (so we don't get them updated until after the next tree update), we could actually end up
+ with a mismatched renderer (e.g. through form submission).
+
+ Test: fast/forms/change-input-type-and-submit-form-crash.html
+
+ * html/SearchInputType.cpp:
+ (WebCore::SearchInputType::addSearchResult):
+ (WebCore::SearchInputType::didSetValueByUserEdit):
+
2017-05-03 Jer Noble <jer.noble@apple.com>
Make the VPIO audio unit a singleton, shared between multiple CaptureSources
void SearchInputType::addSearchResult()
{
#if !PLATFORM(IOS)
- if (auto* renderer = element().renderer())
- downcast<RenderSearchField>(*renderer).addSearchResult();
+ // Normally we've got the correct renderer by the time we get here. However when the input type changes
+ // we don't update the associated renderers until after the next tree update, so we could actually end up here
+ // with a mismatched renderer (e.g. through form submission).
+ if (is<RenderSearchField>(element().renderer()))
+ downcast<RenderSearchField>(*element().renderer()).addSearchResult();
#endif
}
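Review bot: In addSearchResult(), `element().renderer()` is now evaluated twice, once for the `is<RenderSearchField>()` check and once for the downcast. Keeping the local from the removed lines, for example `auto* renderer = element().renderer();` followed by `if (is<RenderSearchField>(renderer))`, would check and cast the same pointer and reads more clearly.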
void SearchInputType::didSetValueByUserEdit()
{
- if (m_cancelButton && element().renderer())
+ if (m_cancelButton && is<RenderSearchField>(element().renderer()))
downcast<RenderSearchField>(*element().renderer()).updateCancelButtonVisibility();
-
// If the incremental attribute is set, then dispatch the search event
if (searchEventsShouldBeDispatched())
startSearchEventTimer();
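Review bot: In didSetValueByUserEdit(), the type check is added without the explanatory comment that addSearchResult() gets, so someone reading this function alone will not know why a SearchInputType can see a renderer that is not a RenderSearchField; a short pointer to that comment would help. The hunk also deletes the blank line before `// If the incremental attribute is set`, which is an unrelated whitespace change and could be left out. As in addSearchResult(), the renderer is fetched twice and could be held in a local.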