Commit d3762f6e authored by dglazkov@chromium.org's avatar dglazkov@chromium.org

2010-04-05 Dimitri Glazkov <dglazkov@chromium.org>

        Reviewed by Darin Adler.

        Style update done due to mutation event dispatching in textarea can be
        used to corrupt the render tree.
        https://bugs.webkit.org/show_bug.cgi?id=36864

        Modified listbox-selection.html to correctly set the size during
        creation. Otherwise, options added to it as a menuList, resulting
        in a default selection of the first item.

        Added a few more tests to ensure we capture correct behavior for
        select elements and their default selection, as well as the influence
        of when layout occurs.

        * fast/forms/listbox-selection.html:
        * fast/forms/select-change-listbox-to-popup-roundtrip.html: Added.
        * fast/forms/select-change-popup-to-listbox-roundtrip.html: Added.
        * fast/forms/textarea-and-mutation-events.html: Added.
2010-04-05  Dimitri Glazkov  <dglazkov@chromium.org>

        Reviewed by Darin Adler.

        Style update done due to mutation event dispatching in textarea can be
        used to corrupt the render tree.
        https://bugs.webkit.org/show_bug.cgi?id=36864

        Tests: fast/forms/select-change-listbox-to-popup-roundtrip.html
               fast/forms/select-change-popup-to-listbox-roundtrip.html
               fast/forms/textarea-and-mutation-events.html

        * dom/Node.cpp:
        (WebCore::Node::dispatchGenericEvent): Removed invocation of
            Document::updateStyleForAllDocuments
        * html/HTMLSelectElement.cpp:
        (WebCore::HTMLSelectElement::parseMappedAttribute): Added explicit
            recalc to ensure accuracy of representation, especially for
            menuList/listBox switches.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@57081 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 508a9397
2010-04-05 Dimitri Glazkov <dglazkov@chromium.org>
Reviewed by Darin Adler.
Style update done due to mutation event dispatching in textarea can be
used to corrupt the render tree.
https://bugs.webkit.org/show_bug.cgi?id=36864
Modified listbox-selection.html to correctly set the size during
creation. Otherwise, options added to it as a menuList, resulting
in a default selection of the first item.
Added a few more tests to ensure we capture correct behavior for
select elements and their default selection, as well as the influence
of when layout occurs.
* fast/forms/listbox-selection.html:
* fast/forms/select-change-listbox-to-popup-roundtrip.html: Added.
* fast/forms/select-change-popup-to-listbox-roundtrip.html: Added.
* fast/forms/textarea-and-mutation-events.html: Added.
2010-04-05 Yury Semikhatsky <yurys@chromium.org>
Reviewed by Pavel Feldman.
......
......@@ -150,15 +150,15 @@
{
var sl = document.createElement("select");
var i = 0;
sl.size = sz;
while (i < sz) {
var opt = document.createElement("option");
if (i == selIndex)
opt.selected = true;
opt.innerText = "item " + i;
opt.textContent = "item " + i;
sl.appendChild(opt);
i++;
}
sl.size = sz;
sl.multiple = mlt;
sl.id = idName;
document.body.appendChild(sl);
......
Changing the size of a select element from 1 to 5 and back 1 should acquire selection of the first item: PASS
Forcing layout should not affect the outcome: PASS
And neither should dropping out of the message loop: PASS
<html>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
function runTest()
{
var s1 = document.getElementById("s1");
s1.size = 5;
s1.size = 1;
var s2 = document.getElementById("s2");
s2.size = 5;
// force layout.
document.body.offsetTop;
s2.size = 1;
var s3 = document.getElementById("s3");
s3.size = 5;
setTimeout(function()
{
s3.size = 1;
reportResults();
}, 0);
}
function reportResults()
{
var selected1 = s1.selectedIndex;
var selected2 = s2.selectedIndex;
var selected3 = s3.selectedIndex;
document.getElementById("test").innerHTML = "<ul>" +
"<li>Changing the size of a select element from 1 to 5 and back 1 should acquire selection of the first item: " + (selected1 == 0 ? "PASS" : "FAIL") +
"<li>Forcing layout should not affect the outcome: " + (selected2 == selected1 ? "PASS" : "FAIL") +
"<li>And neither should dropping out of the message loop: " + (selected3 == selected1 ? "PASS" : "FAIL") +
"</ul>";
if (window.layoutTestController)
layoutTestController.notifyDone();
}
</script>
<body onload="runTest()">
<div id="test">
<select id="s1" size="1"><option>test</select>
<select id="s2" size="1"><option>test</select>
<select id="s3" size="1"><option>test</select>
</div>
</body>
\ No newline at end of file
Changing the size of a select element from 5 to 1 and back 5 should acquire selection of the first item: PASS
Forcing layout should not affect the outcome: PASS
And neither should dropping out of the message loop: PASS
<html>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
function runTest()
{
var s1 = document.getElementById("s1");
s1.size = 1;
s1.size = 5;
var s2 = document.getElementById("s2");
s2.size = 1;
// force layout.
document.body.offsetTop;
s2.size = 5;
var s3 = document.getElementById("s3");
s3.size = 1;
setTimeout(function()
{
s3.size = 5;
reportResults();
}, 0);
}
function reportResults()
{
var selected1 = s1.selectedIndex;
var selected2 = s2.selectedIndex;
var selected3 = s3.selectedIndex;
document.getElementById("test").innerHTML = "<ul>" +
"<li>Changing the size of a select element from 5 to 1 and back 5 should acquire selection of the first item: " + (selected1 == 0 ? "PASS" : "FAIL") +
"<li>Forcing layout should not affect the outcome: " + (selected2 == selected1 ? "PASS" : "FAIL") +
"<li>And neither should dropping out of the message loop: " + (selected3 == selected1 ? "PASS" : "FAIL") +
"</ul>";
if (window.layoutTestController)
layoutTestController.notifyDone();
}
</script>
<body onload="runTest()">
<div id="test">
<select id="s1" size="5"><option>test</select>
<select id="s2" size="5"><option>test</select>
<select id="s3" size="5"><option>test</select>
</div>
</body>
\ No newline at end of file
Tests to see if registering an empty DOMNodeInserted event handler and dirtying the tree just right can cause attach re-entrancy with textarea.
Passes if doesn't crash.
<html>
<head>
<style>
html body { }
</style>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
function runTest()
{
document.body.addEventListener("DOMNodeInserted", function() { }, false);
var foo = document.getElementById("foo");
var bar = document.getElementById("bar");
bar.className = " ";
bar.appendChild(foo);
// Test complete. If didn't crash at this point, clean up.
bar.removeChild(foo);
}
</script>
</head>
<body onload="runTest()">
<p>Tests to see if registering an empty DOMNodeInserted event handler and dirtying the tree just right can cause attach re-entrancy with textarea.
<p>Passes if doesn't crash.
<div id="foo">
<textarea> </textarea>
<ul><li><li></ul>
<iframe></iframe>
</div>
<div id="bar"></div>
</body>
</html>
\ No newline at end of file
2010-04-05 Dimitri Glazkov <dglazkov@chromium.org>
Reviewed by Darin Adler.
Style update done due to mutation event dispatching in textarea can be
used to corrupt the render tree.
https://bugs.webkit.org/show_bug.cgi?id=36864
Tests: fast/forms/select-change-listbox-to-popup-roundtrip.html
fast/forms/select-change-popup-to-listbox-roundtrip.html
fast/forms/textarea-and-mutation-events.html
* dom/Node.cpp:
(WebCore::Node::dispatchGenericEvent): Removed invocation of
Document::updateStyleForAllDocuments
* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::parseMappedAttribute): Added explicit
recalc to ensure accuracy of representation, especially for
menuList/listBox switches.
2010-04-01 Kenneth Rohde Christiansen <kenneth@webkit.org>
Reviewed by Dave Hyatt.
......@@ -2705,8 +2705,6 @@ doneWithDefault:
timelineAgent->didDispatchEvent();
#endif
Document::updateStyleForAllDocuments();
return !event->defaultPrevented();
}
......
......@@ -200,8 +200,13 @@ void HTMLSelectElement::parseMappedAttribute(MappedAttribute* attr)
String attrSize = String::number(size);
if (attrSize != attr->value())
attr->setValue(attrSize);
size = max(size, 1);
m_data.setSize(max(size, 1));
// Ensure that we've determined selectedness of the items at least once prior to changing the size.
if (oldSize != size)
recalcListItemsIfNeeded();
m_data.setSize(size);
if ((oldUsesMenuList != m_data.usesMenuList() || (!oldUsesMenuList && m_data.size() != oldSize)) && attached()) {
detach();
attach();
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment