[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

jamesr at google.com jamesr at google.com
Wed Dec 22 15:35:26 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 079b9e3b02caf1185e08e2b5857de13bada7fdd7
Author: jamesr at google.com <jamesr at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Nov 8 21:52:40 2010 +0000

    2010-11-08  James Robinson  <jamesr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Input element with inner spin button set to display:none causes crash
            https://bugs.webkit.org/show_bug.cgi?id=49121
    
            Adds a test for dispatching mouse events at an <input type="number"> with
            the inner spin button set to display:none does not crash.
    
            * fast/forms/input-number-spinbutton-crash-expected.txt: Added.
            * fast/forms/input-number-spinbutton-crash.html: Added.
    2010-11-08  James Robinson  <jamesr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Input element with inner spin button set to display:none causes crash
            https://bugs.webkit.org/show_bug.cgi?id=49121
    
            Null check the inner spin button's renderer before dereferencing it.
    
            Test: fast/forms/input-number-spinbutton-crash.html
    
            * rendering/RenderTextControlSingleLine.cpp:
            (WebCore::RenderTextControlSingleLine::forwardEvent):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71568 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index df1bfbe..06027bd 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-11-08  James Robinson  <jamesr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Input element with inner spin button set to display:none causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=49121
+
+        Adds a test for dispatching mouse events at an <input type="number"> with
+        the inner spin button set to display:none does not crash.
+
+        * fast/forms/input-number-spinbutton-crash-expected.txt: Added.
+        * fast/forms/input-number-spinbutton-crash.html: Added.
+
 2010-11-08  Tony Chang  <tony at chromium.org>
 
         Unreviewed.  Moving a plugin test into the plugins directory.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/forms/input-number-spinbutton-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/forms/input-number-spinbutton-crash-expected.txt
diff --git a/LayoutTests/fast/forms/input-number-spinbutton-crash.html b/LayoutTests/fast/forms/input-number-spinbutton-crash.html
new file mode 100644
index 0000000..fbda964
--- /dev/null
+++ b/LayoutTests/fast/forms/input-number-spinbutton-crash.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+input::-webkit-inner-spin-button { display: none; }
+</style>
+</head>
+<body>
+<input type="number" id="in">
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+var input = document.getElementById('in');
+var evt = document.createEvent("MouseEvent");
+evt.initMouseEvent("click", true, true, window, 10, 10, 10, 10);
+input.dispatchEvent(evt);
+input.style.display='none';
+</script>
+PASS
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index bf788df..b7bb4b7 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-11-08  James Robinson  <jamesr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Input element with inner spin button set to display:none causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=49121
+
+        Null check the inner spin button's renderer before dereferencing it.
+
+        Test: fast/forms/input-number-spinbutton-crash.html
+
+        * rendering/RenderTextControlSingleLine.cpp:
+        (WebCore::RenderTextControlSingleLine::forwardEvent):
+
 2010-11-08  Xiaomei Ji  <xji at chromium.org>
 
         Reviewed by Dan Bernstein.
diff --git a/WebCore/rendering/RenderTextControlSingleLine.cpp b/WebCore/rendering/RenderTextControlSingleLine.cpp
index 85efae8..9aeedf9 100644
--- a/WebCore/rendering/RenderTextControlSingleLine.cpp
+++ b/WebCore/rendering/RenderTextControlSingleLine.cpp
@@ -397,7 +397,7 @@ void RenderTextControlSingleLine::forwardEvent(Event* event)
         m_resultsButton->defaultEventHandler(event);
     else if (m_cancelButton && localPoint.x() > textRight)
         m_cancelButton->defaultEventHandler(event);
-    else if (m_innerSpinButton && localPoint.x() > textRight && localPoint.x() < textRight + m_innerSpinButton->renderBox()->width())
+    else if (m_innerSpinButton && localPoint.x() > textRight && m_innerSpinButton->renderBox() && localPoint.x() < textRight + m_innerSpinButton->renderBox()->width())
         m_innerSpinButton->defaultEventHandler(event);
     else if (m_outerSpinButton && localPoint.x() > textRight)
         m_outerSpinButton->defaultEventHandler(event);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list