Bug 119930

Summary: input[type=range]: Fix a crash by changing input type in 'input' event handler
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: Forms
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, commit-queue, darin, tkent, webkit-bug-importer
Priority: P2
Keywords: BlinkMergeCandidate, InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Fixes the bug (flags: none)

Description Ryosuke Niwa 2013-08-16 20:28:20 PDT
Merge https://chromium.googlesource.com/chromium/blink/+/99afc9b55ce176b4f5fe053070e19dbebc1891a5

In SliderThumbElement::setPositionFromPoint, renderer() can be NULL
after HTMLInputElement::setValueFromRenderer, which dispatches 'input'
event. Also, make a local variable 'input' a RefPtr just in case.

http://crbug.com/248402

I reproduced the crash in ToT WebKit.
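
The hazard described above, reduced to a self-contained model (an added example, not the WebKit or Blink patch): a value update synchronously runs an 'input' handler that can tear down the renderer or drop the last outside reference, so the caller holds a strong reference and re-checks the renderer after dispatch. `Input`, `Renderer`, `setValueFromUser` and `runWithHandler` are constructed stand-ins, and `std::shared_ptr` stands in for `RefPtr`.

```cpp
#include <functional>
#include <memory>
#include <string>

// Constructed stand-ins for illustration; these are not WebKit classes.
struct Renderer { int thumbOffset = 0; };

struct Input {
    std::string type = "range";
    int value = 0;
    std::unique_ptr<Renderer> renderer{new Renderer};
    std::function<void(Input&)> onInput;  // script-controlled 'input' handler

    // Models a type change tearing down the slider's renderer.
    void setType(const std::string& t) { type = t; renderer.reset(); }
    // Models a value update that synchronously dispatches 'input'.
    void setValueFromUser(int v) { value = v; if (onInput) onInput(*this); }
};

enum class Result { Positioned, BailedOut };

Result setPositionFromPoint(const std::shared_ptr<Input>& element, int x) {
    std::shared_ptr<Input> input = element;  // local strong ref, RefPtr analogue
    if (!input->renderer)
        return Result::BailedOut;
    input->setValueFromUser(x);              // arbitrary handler code runs here
    if (!input->renderer)                    // re-check: renderer may be gone
        return Result::BailedOut;
    input->renderer->thumbOffset = x;        // safe, pointer was re-validated
    return Result::Positioned;
}

// Hypothetical driver: the handler can change the type and/or drop the
// caller's only reference while the update is still in progress.
Result runWithHandler(bool changeType, bool dropOwner) {
    std::shared_ptr<Input> owner = std::make_shared<Input>();
    owner->onInput = [&](Input& i) {
        if (changeType) i.setType("text");
        if (dropOwner) owner.reset();
    };
    return setPositionFromPoint(owner, 40);
}

int main() { return runWithHandler(true, true) == Result::BailedOut ? 0 : 1; }
```

Without the second renderer check the write to `thumbOffset` would dereference a null pointer, and without the local strong reference the `dropOwner` case would free the element while it is still in use.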
Comment 1 Radar WebKit Bug Importer 2013-08-16 20:28:47 PDT
<rdar://problem/14763983>
Comment 2 Ryosuke Niwa 2013-08-16 20:32:19 PDT
Merging the patch isn't enough to fix crash/hang in WebKit. We'll need to investigate it further.
Comment 3 Ryosuke Niwa 2013-08-19 14:05:44 PDT
Created attachment 209119
Fixes the bug
Comment 4 Kent Tamura 2013-08-19 16:35:10 PDT
Comment on attachment 209119
Fixes the bug

ok
Comment 5 Ryosuke Niwa 2013-08-19 16:43:40 PDT
Comment on attachment 209119
Fixes the bug

Thanks for the review!
Comment 6 WebKit Commit Bot 2013-08-19 17:01:56 PDT
Comment on attachment 209119
Fixes the bug

Clearing flags on attachment: 209119

Committed r154308: <http://trac.webkit.org/changeset/154308>
Comment 7 WebKit Commit Bot 2013-08-19 17:01:58 PDT
All reviewed patches have been landed.  Closing bug.