2009-09-14 Simon Fraser <simon.fraser@apple.com>

        Reviewed by Dan Bernstein.

        <rdar://problem/7047282> Safari crashes at WebCore::RenderMenuList::adjustInnerStyle() + 436

        Avoid a crash when a mouse event handler on a <select> changes the select from a popup
        to a list (by setting the 'size' property) inside the event handler.

        Test: fast/forms/select-change-popup-to-listbox-in-event-handler.html

        * dom/SelectElement.cpp:
        (WebCore::SelectElement::menuListDefaultEventHandler):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48376 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 9c644ee7
2009-09-14 Simon Fraser <simon.fraser@apple.com>
Reviewed by Dan Bernstein.
<rdar://problem/7047282> Safari crashes at WebCore::RenderMenuList::adjustInnerStyle() + 436
Test that changes the <select> from a popup to a list inside a mouse event handler.
* fast/forms/select-change-popup-to-listbox-in-event-handler-expected.txt: Added.
* fast/forms/select-change-popup-to-listbox-in-event-handler.html: Added.
2009-09-11 Jon Honeycutt <jhoneycutt@apple.com>
DRT/test part of
......
<!DOCTYPE>
<html>
<head>
<title>Change popup to list inside mouse event handler.</title>
<script type="text/javascript" charset="utf-8">
if (window.layoutTestController)
layoutTestController.dumpAsText();
function sendClick()
{
var select = document.getElementById("select");
var rect = select.getBoundingClientRect();
var evt = document.createEvent("MouseEvents");
evt.initMouseEvent("mousedown", true, true, window,
0, 0, 0, rect.top + 4, rect.left + 4, false, false, false, false, 0, null);
select.dispatchEvent(evt);
}
window.addEventListener('load', sendClick, false);
</script>
</head>
<body>
<p>This test should not crash.</p>
<select id="select" onFocus="this.size = 10">
<option value="0">One</option>
<option value="1">Two</option>
<option value="2">Three</option>
</select>
</body>
</html>
2009-09-14 Simon Fraser <simon.fraser@apple.com>
Reviewed by Dan Bernstein.
<rdar://problem/7047282> Safari crashes at WebCore::RenderMenuList::adjustInnerStyle() + 436
Avoid a crash when a mouse event handler on a <select> changes the select from a popup
to a list (by setting the 'size' property) inside the event handler.
Test: fast/forms/select-change-popup-to-listbox-in-event-handler.html
* dom/SelectElement.cpp:
(WebCore::SelectElement::menuListDefaultEventHandler):
2009-09-14 Anders Carlsson <andersca@apple.com>
Reviewed by Jon Honeycutt.
......@@ -644,14 +644,16 @@ void SelectElement::menuListDefaultEventHandler(SelectElementData& data, Element
if (event->type() == eventNames().mousedownEvent && event->isMouseEvent() && static_cast<MouseEvent*>(event)->button() == LeftButton) {
element->focus();
if (RenderMenuList* menuList = toRenderMenuList(element->renderer())) {
if (menuList->popupIsVisible())
menuList->hidePopup();
else {
// Save the selection so it can be compared to the new selection when we call onChange during setSelectedIndex,
// which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
saveLastSelection(data, element);
menuList->showPopup();
if (element->renderer()->isMenuList()) {
if (RenderMenuList* menuList = toRenderMenuList(element->renderer())) {
if (menuList->popupIsVisible())
menuList->hidePopup();
else {
// Save the selection so it can be compared to the new selection when we call onChange during setSelectedIndex,
// which gets called from RenderMenuList::valueChanged, which gets called after the user makes a selection from the menu.
saveLastSelection(data, element);
menuList->showPopup();
}
}
}
event->setDefaultHandled();
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment