[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

jamesr at google.com jamesr at google.com
Wed Dec 22 14:39:37 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 52a4f1d3f06d70d94c532f4c539e992efe4913f4
Author: jamesr at google.com <jamesr at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 15 00:47:23 2010 +0000

    2010-10-14  James Robinson  <jamesr at chromium.org>
    
            Reviewed by Simon Fraser.
    
            SelectElement should check if its renderer exists after calling Element::focus()
            https://bugs.webkit.org/show_bug.cgi?id=47696
    
            Tests that clicking on a listbox select with an element has a blur listener that causes
            the listbox to become display:none does not crash.
    
            * fast/forms/select-listbox-focus-displaynone.html: Added.
    2010-10-14  James Robinson  <jamesr at chromium.org>
    
            Reviewed by Simon Fraser.
    
            SelectElement should check if its renderer exists after calling Element::focus()
            https://bugs.webkit.org/show_bug.cgi?id=47696
    
            Adds null checks for element->renderer() after calling element->focus(), since focus()
            can dispatch an event and run arbitrary javascript that may cause the select element
            to lose its renderer.
    
            Test: fast/forms/select-listbox-focus-displaynone.html
    
            * dom/SelectElement.cpp:
            (WebCore::SelectElement::menuListDefaultEventHandler):
            (WebCore::SelectElement::listBoxDefaultEventHandler):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69827 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 01d5dd6..c3a4f5c 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-10-14  James Robinson  <jamesr at chromium.org>
+
+        Reviewed by Simon Fraser.
+
+        SelectElement should check if its renderer exists after calling Element::focus()
+        https://bugs.webkit.org/show_bug.cgi?id=47696
+
+        Tests that clicking on a listbox select with an element has a blur listener that causes
+        the listbox to become display:none does not crash.
+
+        * fast/forms/select-listbox-focus-displaynone.html: Added.
+
 2010-10-14  Steve Block  <steveblock at google.com>
 
         Reviewed by Adam Barth.
diff --git a/LayoutTests/fast/forms/select-listbox-focus-displaynone-expected.txt b/LayoutTests/fast/forms/select-listbox-focus-displaynone-expected.txt
new file mode 100644
index 0000000..5df6241
--- /dev/null
+++ b/LayoutTests/fast/forms/select-listbox-focus-displaynone-expected.txt
@@ -0,0 +1 @@
+  PASS
diff --git a/LayoutTests/fast/forms/select-listbox-focus-displaynone.html b/LayoutTests/fast/forms/select-listbox-focus-displaynone.html
new file mode 100644
index 0000000..41f8b1b
--- /dev/null
+++ b/LayoutTests/fast/forms/select-listbox-focus-displaynone.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<body>
+
+<select id="multiselect" multiple="multiple">
+    <option id="optiona">a</option>
+    <option>b</option>
+</select>
+<input id="selectable">
+
+<script>
+if (window.layoutTestController)
+    window.layoutTestController.dumpAsText();
+
+var selectable = document.getElementById('selectable');
+var multiselect = document.getElementById('multiselect');
+selectable.focus();
+selectable.onblur = function() {
+    multiselect.style.display='none';
+    document.write('PASS');
+};
+
+if (window.eventSender) {
+    eventSender.mouseMoveTo(multiselect.offsetLeft + 5, multiselect.offsetTop + 5);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+} else {
+    document.write("To manually test, click on the 'a' option");
+}
+</script>
+
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 863384d..689ac7b 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-10-14  James Robinson  <jamesr at chromium.org>
+
+        Reviewed by Simon Fraser.
+
+        SelectElement should check if its renderer exists after calling Element::focus()
+        https://bugs.webkit.org/show_bug.cgi?id=47696
+
+        Adds null checks for element->renderer() after calling element->focus(), since focus()
+        can dispatch an event and run arbitrary javascript that may cause the select element
+        to lose its renderer.
+
+        Test: fast/forms/select-listbox-focus-displaynone.html
+
+        * dom/SelectElement.cpp:
+        (WebCore::SelectElement::menuListDefaultEventHandler):
+        (WebCore::SelectElement::listBoxDefaultEventHandler):
+
 2010-10-14  Beth Dakin  <bdakin at apple.com>
 
         Reviewed by Dave Hyatt.
diff --git a/WebCore/dom/SelectElement.cpp b/WebCore/dom/SelectElement.cpp
index c8af399..57fb277 100644
--- a/WebCore/dom/SelectElement.cpp
+++ b/WebCore/dom/SelectElement.cpp
@@ -547,6 +547,10 @@ void SelectElement::menuListDefaultEventHandler(SelectElementData& data, Element
 #if ARROW_KEYS_POP_MENU
         if (keyIdentifier == "Down" || keyIdentifier == "Up") {
             element->focus();
+
+            if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
+                return;
+
             // Save the selection so it can be compared to the new selection when dispatching change events during setSelectedIndex,
             // which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
             saveLastSelection(data, element);
@@ -605,6 +609,10 @@ void SelectElement::menuListDefaultEventHandler(SelectElementData& data, Element
 #if SPACE_OR_RETURN_POP_MENU
         if (keyCode == ' ' || keyCode == '\r') {
             element->focus();
+
+            if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
+                return;
+
             // Save the selection so it can be compared to the new selection when dispatching change events during setSelectedIndex,
             // which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
             saveLastSelection(data, element);
@@ -615,6 +623,10 @@ void SelectElement::menuListDefaultEventHandler(SelectElementData& data, Element
 #elif ARROW_KEYS_POP_MENU
         if (keyCode == ' ') {
             element->focus();
+
+            if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
+                return;
+
             // Save the selection so it can be compared to the new selection when dispatching change events during setSelectedIndex,
             // which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
             saveLastSelection(data, element);
@@ -710,6 +722,9 @@ void SelectElement::listBoxDefaultEventHandler(SelectElementData& data, Element*
     if (event->type() == eventNames().mousedownEvent && event->isMouseEvent() && static_cast<MouseEvent*>(event)->button() == LeftButton) {
         element->focus();
 
+        if (!element->renderer()) // Calling focus() may cause us to lose our renderer, in which case do not want to handle the event.
+            return;
+
         // Convert to coords relative to the list box if needed.
         MouseEvent* mouseEvent = static_cast<MouseEvent*>(event);
         IntPoint localOffset = roundedIntPoint(element->renderer()->absoluteToLocal(mouseEvent->absoluteLocation(), false, true));

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list