Crash is observed when default checked is called for HTML Input element and radioButtonGroup is NULL.
rdar://problem/61290022
Created attachment 396118: Patch
Comment on attachment 396118: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=396118&action=review

> Source/WebCore/ChangeLog:8
> +        Crash happend when default checked setter was called an input element and RadioButtonGroup was NULL.

Nit - “This crash happened when the default…”

> Source/WebCore/ChangeLog:9
> +        Added a NULL pointer check before derefercing.

Nit - “dereferencing”

> LayoutTests/fast/forms/input-element-default-checked-setter-crash.html:1
> +<!DOCHTML>

Nit - <!DOCTYPE html>?
Comment on attachment 396118: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=396118&action=review

> LayoutTests/fast/forms/input-element-default-checked-setter-crash.html:16
> +<meta id="meta1"> </meta>

I don’t think this meta tag is necessary to reproduce this crash. Here’s a slightly simpler version of this test case:

<!DOCTYPE html>
<html>
<body>
<p>This test passes if there is no crash</p>
<div id="container">
    <iframe id="frame"></iframe>
    <input id="input" name=" " type="radio">
</div>
<script>
if (window.testRunner)
    testRunner.dumpAsText();
frame.onload = () => input.defaultChecked = true;
document.body.appendChild(container);
</script>
</body>
</html>
Comment on attachment 396118: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=396118&action=review

> Source/WebCore/dom/RadioButtonGroups.cpp:231
> +    auto* group = m_nameToGroupMap.get(element.name().impl());

    if (auto* group = m_nameToGroupMap.get(element.name().impl()))
        group->updateCheckedState(element);

would be more concise.
Created attachment 396125: Patch
Hi Chris and Wenson,

Thanks for the quick review comments. I have incorporated the comments.

Regards,
Pinki
Comment on attachment 396125: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=396125&action=review

> Source/WebCore/ChangeLog:8
> +        This crash happend when the default checked setter was called for an input element and RadioButtonGroup was NULL.

typo: happend

> Source/WebCore/ChangeLog:9
> +        Added condition to deference the group only if it is valid.

typo: deference -> dereference
s/valid/non-null

> LayoutTests/fast/forms/input-element-default-checked-setter-crash.html:4
> +<p>This test passes if there is no crash</p>

nit: There should be a period at the end of your sentence.
Created attachment 396131: Patch
Committed r259911: <https://trac.webkit.org/changeset/259911>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 396131.