Bug 209909 - Avoid null deref after inserting a text field with a list attribute
Summary: Avoid null deref after inserting a text field with a list attribute
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Wenson Hsieh
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-04-02 09:02 PDT by Wenson Hsieh
Modified: 2020-04-02 12:06 PDT
CC: 12 users

See Also:


Attachments
Fixes the crash (11.70 KB, patch)
2020-04-02 09:57 PDT, Wenson Hsieh
Add description to test case (12.07 KB, patch)
2020-04-02 10:04 PDT, Wenson Hsieh

Description Wenson Hsieh 2020-04-02 09:02:19 PDT
<rdar://problem/60742229>
Comment 1 Wenson Hsieh 2020-04-02 09:57:17 PDT Comment hidden (obsolete)
Comment 2 Wenson Hsieh 2020-04-02 10:04:53 PDT
Created attachment 395276 [details]
Add description to test case
Comment 3 Ryosuke Niwa 2020-04-02 10:32:38 PDT
Comment on attachment 395276 [details]
Add description to test case

View in context: https://bugs.webkit.org/attachment.cgi?id=395276&action=review

> Source/WebCore/html/HTMLInputElement.cpp:1558
> +#if ENABLE(DATALIST_ELEMENT)
> +    if (isConnected() && m_hasNonEmptyList)
> +        dataListMayHaveChanged();
> +#endif
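Review bot: a short comment above the `#if ENABLE(DATALIST_ELEMENT)` block explaining why `dataListMayHaveChanged()` has to wait until `isConnected()` is true (the bug title says the null deref happens after inserting a text field with a list attribute, so the call presumably touched state that only exists once the element is in a document) would stop a future refactor from hoisting it back into the earlier, pre-insertion path; the `m_hasNonEmptyList` half of the guard is self-explanatory, the `isConnected()` half is not without that context. The hunk also does not show the test, so it is worth stating in the ChangeLog which layout test covers the insert-with-list case.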

By this time, author scripts may have run so it's possible that some code that
would have accessed things like computed style and bounding rect that rely on the updated style.
I guess that's okay because this only affects painting?
Comment 4 Wenson Hsieh 2020-04-02 10:38:16 PDT
Comment on attachment 395276 [details]
Add description to test case

View in context: https://bugs.webkit.org/attachment.cgi?id=395276&action=review

>> Source/WebCore/html/HTMLInputElement.cpp:1558
>> +#endif
> 
> By this time, author scripts may have run so it's possible that some code that
> would have accessed things like computed style and bounding rect that rely on the updated style.
> I guess that's okay because this only affects painting?

Yes — I /believe/ this is okay, since only content inside the input’s UA shadow root will be affected (which isn’t visible to author script at all), so this should only have an impact on painting.
Comment 5 Ryosuke Niwa 2020-04-02 11:01:10 PDT
(In reply to Wenson Hsieh from comment #4)
> Comment on attachment 395276 [details]
> Add description to test case
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=395276&action=review
> 
> >> Source/WebCore/html/HTMLInputElement.cpp:1558
> >> +#endif
> > 
> > By this time, author scripts may have run so it's possible that some code that
> > would have accessed things like computed style and bounding rect that rely on the updated style.
> > I guess that's okay because this only affects painting?
> 
> Yes — I /believe/ this is okay, since only content inside the input’s UA
> shadow root will be affected (which isn’t visible to author script at all),
> so this should only have an impact on painting.

Sounds good.
Comment 6 EWS 2020-04-02 12:06:52 PDT
Committed r259402: <https://trac.webkit.org/changeset/259402>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395276 [details].