Crash when 'input' event handler for input[type=color] changes the input type
author    ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 29 Jun 2016 16:50:21 +0000 (16:50 +0000)
committer ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 29 Jun 2016 16:50:21 +0000 (16:50 +0000)
<https://webkit.org/b/159262>
<rdar://problem/27020404>

Reviewed by Daniel Bates.

Source/WebCore:

Fix based on a Blink change (patch by <tkent@chromium.org>):
<https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>

Test: fast/forms/color/color-type-change-on-input-crash.html

* html/ColorInputType.cpp:
(WebCore::ColorInputType::didChooseColor): Add EventQueueScope
before setValueFromRenderer() to fix the bug.
* html/HTMLInputElement.h:
(WebCore::HTMLInputElement::setValueFromRenderer): Add comment
about how to use this method.

LayoutTests:

Test based on a Blink change (patch by <tkent@chromium.org>):
<https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>

* fast/forms/color/color-type-change-on-input-crash-expected.txt: Added.
* fast/forms/color/color-type-change-on-input-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202626 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/color/color-type-change-on-input-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/color/color-type-change-on-input-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/ColorInputType.cpp
Source/WebCore/html/HTMLInputElement.h

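The commit message describes the mechanism only briefly: the 'input' event that setValueFromRenderer() dispatches runs page script synchronously, that script can set input.type, and changing the type replaces the element's InputType object, so ColorInputType::didChooseColor() continues executing on a freed `this`. The EventQueueScope defers delivery of the event until the scope object is destroyed at the end of the function, after the last member access. The following stand-alone C++ model is an added illustration of that pattern; it is not WebKit code, and every type and function in it (ScopedEventQueue, Element, runScenario and the rest) is a hypothetical stand-in even where the name mirrors an identifier in the diff. Instead of reproducing the use-after-free it reports, via a weak_ptr, whether the ColorInputType was still alive when the method tried to use it, and it records the delivery order of 'input' and 'change' to show that routing both through the same queue keeps them ordered.

```cpp
// Added model of the bug and fix, not WebKit code: every name below is a
// hypothetical stand-in, even where it mirrors an identifier in the diff.
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for ScopedEventQueue: while any EventQueueScope is alive, dispatched
// events are queued and run in order when the outermost scope is destroyed.
struct ScopedEventQueue {
    int scopeDepth = 0;
    std::vector<std::function<void()>> queue;
    void dispatch(std::function<void()> event) {
        if (scopeDepth > 0) queue.push_back(std::move(event));
        else event();
    }
    void leaveScope() {
        if (--scopeDepth > 0) return;
        auto pending = std::move(queue);
        queue.clear();
        for (auto& event : pending) event();
    }
};
static ScopedEventQueue g_queue;

struct EventQueueScope {
    EventQueueScope() { ++g_queue.scopeDepth; }
    ~EventQueueScope() { g_queue.leaveScope(); }
};

struct InputType;

// Model of HTMLInputElement: owns one polymorphic InputType, which a type
// change replaces (destroying the old object), plus the page's 'input' handler.
struct Element {
    std::string type;
    std::string value;
    std::shared_ptr<InputType> inputType;
    std::function<void(Element&)> onInput;
    std::vector<std::string> eventLog;

    void setType(const std::string& newType);
    // Stores the value and dispatches 'input' synchronously unless a scope is active.
    void setValueFromRenderer(const std::string& v) {
        value = v;
        g_queue.dispatch([this] {
            eventLog.push_back("input");
            if (onInput) onInput(*this);
        });
    }
    void dispatchFormControlChangeEvent() {
        g_queue.dispatch([this] { eventLog.push_back("change"); });
    }
};

struct InputType : std::enable_shared_from_this<InputType> {
    Element& element;
    explicit InputType(Element& e) : element(e) {}
    virtual ~InputType() = default;
};
struct TextInputType : InputType { using InputType::InputType; };

struct ColorInputType : InputType {
    using InputType::InputType;
    std::string swatch;

    // Returns true if this object was still alive after the 'input' dispatch.
    // Without the scope, a handler that changes the type drops the element's only
    // reference to us mid-call; real code would then write to freed memory in
    // updateColorSwatch(). The weak_ptr reports that instead of reproducing it.
    bool didChooseColor(const std::string& color, bool useScope) {
        std::weak_ptr<InputType> self = shared_from_this();
        if (useScope) {
            EventQueueScope scope; // the fix: 'input' is delivered when scope dies
            return chooseColor(color, self);
        }
        return chooseColor(color, self);
    }

private:
    bool chooseColor(const std::string& color, const std::weak_ptr<InputType>& self) {
        element.setValueFromRenderer(color);
        if (self.expired()) return false; // any member access here is a use-after-free
        swatch = color; // updateColorSwatch()
        element.dispatchFormControlChangeEvent();
        return true;
    }
};

void Element::setType(const std::string& newType) {
    type = newType;
    if (newType == "color") inputType = std::make_shared<ColorInputType>(*this);
    else inputType = std::make_shared<TextInputType>(*this);
}

struct Outcome {
    bool survived;                   // ColorInputType outlived didChooseColor
    std::string finalType;           // what the handler switched the element to
    std::vector<std::string> events; // delivery order of 'input' / 'change'
};

// The layout test's scenario: the 'input' handler switches the type to "text".
// The raw pointer mirrors the chooser calling back into an InputType it does not own.
Outcome runScenario(bool useScope) {
    Element element;
    element.setType("color");
    element.onInput = [](Element& e) { e.setType("text"); };
    auto* color = static_cast<ColorInputType*>(element.inputType.get());
    bool survived = color->didChooseColor("#ff0000", useScope);
    return { survived, element.type, element.eventLog };
}
```

runScenario(false) models the pre-fix code: the handler runs inside setValueFromRenderer(), the element's only reference to the ColorInputType is dropped, and the method finds itself expired before it can update the swatch. runScenario(true) models the patched didChooseColor(): the value is stored, the swatch updated and 'change' queued first, then 'input' and 'change' are delivered in that order when `scope` goes out of scope, and only then does the handler replace the InputType. The design point is that the scope must be the first local declared after the early return, so that it outlives every later use of `this`.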
index 0d7fdc4..bd4adc6 100644
@@ -1,3 +1,17 @@
+2016-06-29  David Kilzer  <ddkilzer@apple.com>
+
+        Crash when 'input' event handler for input[type=color] changes the input type
+        <https://webkit.org/b/159262>
+        <rdar://problem/27020404>
+
+        Reviewed by Daniel Bates.
+
+        Test based on a Blink change (patch by <tkent@chromium.org>):
+        <https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>
+
+        * fast/forms/color/color-type-change-on-input-crash-expected.txt: Added.
+        * fast/forms/color/color-type-change-on-input-crash.html: Added.
+
 2016-06-29  Adam Bergkvist  <adam.bergkvist@ericsson.com>
 
         WebRTC: Misc MediaStreamEvent fixes: Update build flag and remove PassRefPtr usage
diff --git a/LayoutTests/fast/forms/color/color-type-change-on-input-crash-expected.txt b/LayoutTests/fast/forms/color/color-type-change-on-input-crash-expected.txt
new file mode 100644
index 0000000..064aa2f
--- /dev/null
@@ -0,0 +1,9 @@
+Changing the input type from "color" to another in "input" event handler should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/forms/color/color-type-change-on-input-crash.html b/LayoutTests/fast/forms/color/color-type-change-on-input-crash.html
new file mode 100644
index 0000000..3fc4ef2
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<script src="../../../resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description('Changing the input type from "color" to another in "input" event handler should not crash.');
+
+function runTest() {
+    var input = document.createElement('input');
+    input.type = 'color';
+    input.oninput = function() {
+        this.type = 'text';
+    };
+    internals.selectColorInColorChooser(input, '#ff0000');
+}
+
+runTest();
+</script>
+</body>
+</html>
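Review bot: the test markup has a `</head>` with no matching `<head>`: the `<script src="../../../resources/js-test.js"></script>` tag sits directly under `<html>` and is then followed by `</head>`. Add `<head>` before the script tag so the file is well-formed; the parser recovers today, but a crash test should not depend on error recovery. Also worth a one-line comment next to `internals.selectColorInColorChooser(input, '#ff0000')` that `internals` exists only under the test runner, so loading the page in a plain browser throws a ReferenceError rather than reproducing the crash; that is normal for a layout test, and it is why the expected output carries nothing beyond `successfullyParsed`.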
index 7dfe48e..a96425a 100644
@@ -1,3 +1,23 @@
+2016-06-29  David Kilzer  <ddkilzer@apple.com>
+
+        Crash when 'input' event handler for input[type=color] changes the input type
+        <https://webkit.org/b/159262>
+        <rdar://problem/27020404>
+
+        Reviewed by Daniel Bates.
+
+        Fix based on a Blink change (patch by <tkent@chromium.org>):
+        <https://chromium.googlesource.com/chromium/src.git/+/a17cb3ecef49a078657524cdeaba33ad2083646c>
+
+        Test: fast/forms/color/color-type-change-on-input-crash.html
+
+        * html/ColorInputType.cpp:
+        (WebCore::ColorInputType::didChooseColor): Add EventQueueScope
+        before setValueFromRenderer() to fix the bug.
+        * html/HTMLInputElement.h:
+        (WebCore::HTMLInputElement::setValueFromRenderer): Add comment
+        about how to use this method.
+
 2016-06-29  Adam Bergkvist  <adam.bergkvist@ericsson.com>
 
         WebRTC: Misc MediaStreamEvent fixes: Update build flag and remove PassRefPtr usage
index 596aaef..e1f2f66 100644
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -46,6 +46,7 @@
 #include "MouseEvent.h"
 #include "RenderObject.h"
 #include "RenderView.h"
+#include "ScopedEventQueue.h"
 #include "ScriptController.h"
 #include "ShadowRoot.h"
 
@@ -174,6 +175,7 @@ void ColorInputType::didChooseColor(const Color& color)
 {
     if (element().isDisabledOrReadOnly() || color == valueAsColor())
         return;
+    EventQueueScope scope;
     element().setValueFromRenderer(color.serialized());
     updateColorSwatch();
     element().dispatchFormControlChangeEvent();
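Review bot: the fix relies on `scope` outliving every later use of `this`: the 'input' event that `setValueFromRenderer()` dispatches is now delivered only when `scope` is destroyed at the end of `didChooseColor()`, after `updateColorSwatch()` and `dispatchFormControlChangeEvent()` have run, so a handler that changes the element's type can no longer destroy this ColorInputType mid-method. Two things to confirm before landing: (1) that `dispatchFormControlChangeEvent()` also goes through the scoped queue, otherwise the 'change' event would now fire before the deferred 'input' event and invert the order page authors expect; (2) a short comment above `EventQueueScope scope;` stating that it must precede `setValueFromRenderer()` because the 'input' handler may replace this InputType, since a bare RAII local with no explanation is easy to move or drop in a later refactor.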
index 4e2c434..75cc672 100644
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2000 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007, 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Samsung Electronics. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -197,6 +197,9 @@ public:
 
     String valueWithDefault() const;
 
+    // This function dispatches 'input' event for non-textfield types. Callers
+    // need to handle any DOM structure changes by event handlers, or need to
+    // delay the 'input' event with EventQueueScope.
     void setValueFromRenderer(const String&);
 
     bool canHaveSelection() const;
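Review bot: the new comment says callers "need to handle any DOM structure changes by event handlers"; suggest "made by event handlers", and name the concrete hazard rather than the general category: the handler may set `type`, which replaces the element's InputType object, so a caller must not touch its InputType after this call returns unless it holds an EventQueueScope across the call and its later member accesses. That is exactly the case `ColorInputType::didChooseColor()` hit in this patch; spelling it out here lets the other non-textfield callers of `setValueFromRenderer()` audit themselves against the same pattern.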