Avoid style recomputation when forwarding a focus event to a text field's input...
author: wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Sep 2017 22:18:51 +0000 (22:18 +0000)
committer: wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Sep 2017 22:18:51 +0000 (22:18 +0000)
commit: 282904a92f24e95f570b4601009541b586297e65
tree: 40f35340228b498682cbb33f27745fe08f151993
parent: 3c78d23ab7cc2823c2fb1ab820a3a67f3486347e
Avoid style recomputation when forwarding a focus event to a text field's input type
https://bugs.webkit.org/show_bug.cgi?id=176160
<rdar://problem/34184820>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Currently, TextFieldInputType::forwardEvent synchronously triggers style recomputation, for the purpose of
scrolling to the origin upon handling a blur event, and also for updating caps lock state after a blur or focus.
In synchronously triggering style recomputation, we may end up running arbitrary JavaScript, which may change
the HTMLInputElement's type and cause the current TextFieldInputType to be destroyed.

To mitigate this, we only update caps lock state when forwarding a focus or blur event to the InputType, and
instead scroll blurred text fields to the origin later, in HTMLInputElement::didBlur (invoked from
Document::setFocusedElement after blur and focusout events have fired). Instead of having the InputType update
style, lift the call to Document::updateStyleIfNeeded up into HTMLInputElement so that we gracefully handle the
case where the page destroys and sets a new InputType within the scope of this style update.

Test: fast/forms/change-input-type-in-focus-handler.html

* dom/Document.cpp:
(WebCore::Document::setFocusedElement):
* html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::didBlur):
* html/HTMLInputElement.h:
* html/InputType.h:
(WebCore::InputType::elementDidBlur):
* html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::forwardEvent):
(WebCore::TextFieldInputType::elementDidBlur):
* html/TextFieldInputType.h:

LayoutTests:

Adds a new layout test verifying that we don't crash when changing the input type from within a focus event listener.

* fast/forms/change-input-type-in-focus-handler-expected.txt: Added.
* fast/forms/change-input-type-in-focus-handler.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
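The lifetime hazard the message describes, reduced to a constructed C++ model (added here; not WebKit's code, and the class and member names are assumptions): an object that forces a style update from inside its own method can be destroyed by script that runs during that update, whereas letting the owning element run the update and then re-read its current InputType avoids touching a freed object.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for an InputType owned by an input element.
struct InputType {
    std::string name;
    bool isTextField;
    InputType(std::string n, bool textField) : name(std::move(n)), isTextField(textField) {}
};

struct InputElement {
    std::unique_ptr<InputType> inputType = std::make_unique<InputType>("text", true);
    // Stand-in for arbitrary script that may run during a style update.
    std::function<void(InputElement&)> scriptDuringStyleUpdate;
    int generation = 0;          // bumped whenever the InputType is replaced
    int scrollToOriginCount = 0;

    void setType(std::string name, bool textField) {
        inputType = std::make_unique<InputType>(std::move(name), textField); // old InputType deleted
        ++generation;
    }
    void updateStyleIfNeeded() {
        if (scriptDuringStyleUpdate) scriptDuringStyleUpdate(*this);
    }

    // Old shape: the InputType itself triggers the update and then keeps using `this`.
    // Returns true when the InputType that started the call was destroyed meanwhile,
    // i.e. any further member access on it would be a use-after-free.
    bool forwardEventOldShape() {
        int before = generation;
        updateStyleIfNeeded();
        return generation != before;
    }

    // New shape: the element runs the update, then re-reads the current InputType
    // before doing type-specific work (here, the scroll-to-origin step).
    bool forwardEventNewShape() {
        updateStyleIfNeeded();
        if (!inputType->isTextField) return false;
        ++scrollToOriginCount;
        return true;
    }
};

// Scenario from the layout test: the focus handler changes the input's type.
InputElement makeElementWithTypeChangingHandler() {
    InputElement element;
    element.scriptDuringStyleUpdate = [](InputElement& e) { e.setType("checkbox", false); };
    return element;
}
```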
LayoutTests/ChangeLog
LayoutTests/fast/forms/change-input-type-in-focus-handler-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/change-input-type-in-focus-handler.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/html/HTMLInputElement.cpp
Source/WebCore/html/HTMLInputElement.h
Source/WebCore/html/InputType.h
Source/WebCore/html/TextFieldInputType.cpp
Source/WebCore/html/TextFieldInputType.h