[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-60-g76add97
Gustavo Noronha Silva
gns at gnome.org
Sun Oct 17 22:26:40 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 87e81a12376498a839916e560744e925edf76b2e
Author: jschuh at chromium.org <jschuh at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Jun 23 21:34:59 2010 +0000
2010-06-23 Abhishek Arya <inferno at chromium.org>
Reviewed by Kenneth Rohde Christiansen.
Firing the onchange event on select which changes its size > 1 causes the select
object to change from a menulist to a listbox. However, when propogating the events,
we do a bad cast assuming the object will remain a menulist. Added proper checks to
make sure we check the renderer after the onchange is fired and propogate the event
based on correct object type.
https://bugs.webkit.org/show_bug.cgi?id=40828
Test: fast/events/select-onchange-crash.html
* dom/SelectElement.cpp:
(WebCore::SelectElement::setSelectedIndex):
2010-06-23 Abhishek Arya <inferno at chromium.org>
Reviewed by Kenneth Rohde Christiansen.
Tests that we do not crash when onchange handler changes the select from a menu list to a list box.
https://bugs.webkit.org/show_bug.cgi?id=40828
* fast/events/select-onchange-crash-expected.txt: Added.
* fast/events/select-onchange-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61709 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 9a4b154..456c32b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-06-23 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ Tests that we do not crash when onchange handler changes the select from a menu list to a list box.
+ https://bugs.webkit.org/show_bug.cgi?id=40828
+
+ * fast/events/select-onchange-crash-expected.txt: Added.
+ * fast/events/select-onchange-crash.html: Added.
+
2010-07-21 Justin Schuh <jschuh at chromium.org>
Unreviewed. Build fix.
diff --git a/LayoutTests/fast/events/select-onchange-crash-expected.txt b/LayoutTests/fast/events/select-onchange-crash-expected.txt
new file mode 100644
index 0000000..ad23729
--- /dev/null
+++ b/LayoutTests/fast/events/select-onchange-crash-expected.txt
@@ -0,0 +1,4 @@
+This test is to ensure that we do not crash when onchange handler changes the select from a menu list to a list box.
+PASS: Did not crash
+
+
diff --git a/LayoutTests/fast/events/select-onchange-crash.html b/LayoutTests/fast/events/select-onchange-crash.html
new file mode 100644
index 0000000..6cfc13b
--- /dev/null
+++ b/LayoutTests/fast/events/select-onchange-crash.html
@@ -0,0 +1,37 @@
+<html>
+ <head>
+ <script>
+ if (window.layoutTestController)
+ {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+ window.onload = function ()
+ {
+ var element = document.getElementById("test");
+ element.onchange = function() { element.size = 30; }
+ element.focus();
+ if (window.layoutTestController)
+ {
+ // This triggers selection of second option in the select and press Enter.
+ eventSender.keyDown("e");
+ eventSender.keyDown("\r", []);
+ // This triggers repaint.
+ document.body.offsetTop;
+
+ document.getElementById("log").innerHTML = "<span style='color: green;'>PASS:</span> Did not crash";
+ layoutTestController.notifyDone();
+ }
+ }
+ </script>
+ </head>
+ <body>
+ This test is to ensure that we do not crash when onchange handler changes the select from a menu list to a list box.
+ <p id="log"><span style='color: red;'>FAIL:</span> Did not complete test or not running inside DumpRenderTree</p>
+ <select id="test">
+ <option selected>abcd</option>
+ <option>efgh</option>
+ </select>
+ </body>
+</html>
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 365929f..1c58774 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2010-06-23 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ Firing the onchange event on select which changes its size > 1 causes the select
+ object to change from a menulist to a listbox. However, when propogating the events,
+ we do a bad cast assuming the object will remain a menulist. Added proper checks to
+ make sure we check the renderer after the onchange is fired and propogate the event
+ based on correct object type.
+ https://bugs.webkit.org/show_bug.cgi?id=40828
+
+ Test: fast/events/select-onchange-crash.html
+
+ * dom/SelectElement.cpp:
+ (WebCore::SelectElement::setSelectedIndex):
+
2010-07-21 Justin Schuh <jschuh at chromium.org>
Reviewed by Oliver Hunt.
diff --git a/WebCore/dom/SelectElement.cpp b/WebCore/dom/SelectElement.cpp
index 0096627..95f6ac6 100644
--- a/WebCore/dom/SelectElement.cpp
+++ b/WebCore/dom/SelectElement.cpp
@@ -342,8 +342,13 @@ void SelectElement::setSelectedIndex(SelectElementData& data, Element* element,
data.setUserDrivenChange(userDrivenChange);
if (fireOnChangeNow)
menuListOnChange(data, element);
- if (RenderMenuList* menuList = toRenderMenuList(element->renderer()))
- menuList->didSetSelectedIndex();
+ RenderObject* renderer = element->renderer();
+ if (renderer) {
+ if (data.usesMenuList())
+ toRenderMenuList(renderer)->didSetSelectedIndex();
+ else if (renderer->isListBox())
+ toRenderListBox(renderer)->selectionChanged();
+ }
}
if (Frame* frame = element->document()->frame())
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list