Crash submitting display:none textarea in a form
author: ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Apr 2010 01:54:40 +0000 (01:54 +0000)
committer: ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Apr 2010 01:54:40 +0000 (01:54 +0000)
https://bugs.webkit.org/show_bug.cgi?id=36905

Reviewed by Darin Adler.

WebCore:

Test: fast/forms/textarea-submit-crash.html

* html/HTMLTextAreaElement.cpp:
(WebCore::HTMLTextAreaElement::appendFormData): Do update layout before
asking our renderer for its text, since we can't rely on our renderer's
text if layout is needed.

* rendering/RenderTextControl.cpp:
(WebCore::RenderTextControl::textWithHardLineBreaks): Don't update layout
while being asked for our text, since doing so may delete us, causing a crash.

LayoutTests:

* fast/forms/textarea-submit-crash-expected.txt: Added.
* fast/forms/textarea-submit-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@56885 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/textarea-submit-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/textarea-submit-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/HTMLTextAreaElement.cpp
WebCore/rendering/RenderTextControl.cpp

index d99f506..58ed237 100644 (file)
@@ -1,3 +1,13 @@
+2010-03-31  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Crash submitting display:none textarea in a form
+        https://bugs.webkit.org/show_bug.cgi?id=36905
+
+        * fast/forms/textarea-submit-crash-expected.txt: Added.
+        * fast/forms/textarea-submit-crash.html: Added.
+
 2010-03-31  Chris Fleizach  <cfleizach@apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/forms/textarea-submit-crash-expected.txt b/LayoutTests/fast/forms/textarea-submit-crash-expected.txt
new file mode 100644 (file)
index 0000000..a173c90
--- /dev/null
@@ -0,0 +1,6 @@
+This tests that a display:none textarea doesn't crash when submitted in a form.
+
+
+PASS: You didn't crash.
+Submitted form value: ?value=123456789
+
diff --git a/LayoutTests/fast/forms/textarea-submit-crash.html b/LayoutTests/fast/forms/textarea-submit-crash.html
new file mode 100644 (file)
index 0000000..4102137
--- /dev/null
@@ -0,0 +1,31 @@
+<p>This tests that a display:none textarea doesn't crash when submitted in a form.</p>
+<form action="?" id="form">
+    <textarea id="textarea" name=value style="-webkit-appearance:textarea" wrap=hard>123456789</textarea>
+</form>
+
+<pre id="console"></pre>
+
+<script>
+function log(s) {
+    document.getElementById('console').appendChild(document.createTextNode(s + "\n"));
+}
+
+(function () {    
+    if (document.URL.indexOf('?') == -1) {
+        if (window.layoutTestController) {
+            layoutTestController.dumpAsText();
+            layoutTestController.waitUntilDone();
+        }
+
+        document.getElementById("textarea").style.display = "none";
+        document.getElementById("form").submit();
+        return;
+    }
+
+    log("PASS: You didn't crash.");
+    log("Submitted form value: " + location.search);
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+})();
+</script>
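Review bot: trailing whitespace after `(function () {` on the line that opens the IIFE; strip it before landing. Otherwise the test is sound for what it checks: the first load hides the textarea and submits, and the reload with `?value=123456789` in `location.search` both proves the process survived and confirms that a display:none control still contributes its form data. Because the test depends on a real navigation, `waitUntilDone()` before `submit()` and `notifyDone()` only after the reload is the correct pairing; if the submit were ever to fail silently the test would time out rather than report, which is acceptable for a crash test but worth a one-line comment in the HTML.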
index 908ae39..0d961d6 100644 (file)
@@ -1,3 +1,21 @@
+2010-03-31  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Crash submitting display:none textarea in a form
+        https://bugs.webkit.org/show_bug.cgi?id=36905
+
+        Test: fast/forms/textarea-submit-crash.html
+
+        * html/HTMLTextAreaElement.cpp:
+        (WebCore::HTMLTextAreaElement::appendFormData): Do update layout before
+        asking our renderer for its text, since we can't rely on our renderer's
+        text if layout is needed.
+
+        * rendering/RenderTextControl.cpp:
+        (WebCore::RenderTextControl::textWithHardLineBreaks): Don't update layout
+        while being asked for our text, since doing so may delete us, causing a crash.
+
 2010-03-31  Chris Fleizach  <cfleizach@apple.com>
 
         Reviewed by Darin Adler.
index bf34102..6824a72 100644 (file)
@@ -166,6 +166,8 @@ bool HTMLTextAreaElement::appendFormData(FormDataList& encoding, bool)
     if (name().isEmpty())
         return false;
 
+    document()->updateLayout();
+
     // FIXME: It's not acceptable to ignore the HardWrap setting when there is no renderer.
     // While we have no evidence this has ever been a practical problem, it would be best to fix it some day.
     RenderTextControl* control = toRenderTextControl(renderer());
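Review bot: the new `document()->updateLayout();` is placed before `toRenderTextControl(renderer())`, which is the right order, since a layout update can destroy and recreate renderers and the renderer pointer must be fetched afterwards; but the source now carries a bare `updateLayout()` with no explanation, and the reason (the renderer's text is unreliable while layout is pending, and the renderer itself must not trigger layout because that can delete it) lives only in the ChangeLog. Suggest a short comment above the call, e.g. `// Update layout here, before fetching the renderer: RenderTextControl::textWithHardLineBreaks() no longer does so, because laying out from inside the renderer can delete it.` Also note that the existing FIXME directly below still applies unchanged: a display:none textarea has no renderer even after layout, so the HardWrap setting is still ignored on exactly the path this test exercises.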
index b98900a..a11b29b 100644 (file)
@@ -368,8 +368,6 @@ String RenderTextControl::textWithHardLineBreaks()
     if (!firstChild)
         return "";
 
-    document()->updateLayout();
-
     RenderObject* renderer = firstChild->renderer();
     if (!renderer)
         return "";
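Review bot: removing `document()->updateLayout();` from `textWithHardLineBreaks()` turns "layout is up to date" into an unstated precondition of this function, and the name gives callers no hint of it. Suggest making the contract explicit at the top of the function with `ASSERT(!needsLayout());` (RenderObject's own flag) so that any caller other than `HTMLTextAreaElement::appendFormData` that still relies on this function to lay out for it fails loudly in debug builds instead of reading stale text, plus a comment pointing callers at the reason: triggering layout from inside a renderer can delete that renderer, which is the crash this change fixes.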