[webkit-changes] [WebKit/WebKit] 589e3e: Cherry-pick 252432.806 at safari-7614-branch (a09205d...
Chris Dumez
noreply at github.com
Tue Jan 24 10:37:41 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 589e3edb7b1c0d3f8d78d399fadd9a54d9c062d4
https://github.com/WebKit/WebKit/commit/589e3edb7b1c0d3f8d78d399fadd9a54d9c062d4
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash-expected.txt
A LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash.html
M Source/WebCore/html/HTMLInputElement.cpp
Log Message:
-----------
Cherry-pick 252432.806 at safari-7614-branch (a09205d980f6). rdar://104599817
Assertion hit under IdTargetObserverRegistry::notifyObservers()
https://bugs.webkit.org/show_bug.cgi?id=247592
rdar://101454107
Reviewed by Aditya Keerthi, Wenson Hsieh and Geoffrey Garen.
ListAttributeTargetObserver::idTargetChanged() is not safe to re-enter. As a result,
we have an assertion and a runtime check to protect against this. However, it was
still possible to hit this assertion in debug.
ListAttributeTargetObserver::idTargetChanged() would call
TextFieldInputType::dataListMayHaveChanged() which could run script by calling
createDataListDropdownIndicator(). The script could then change the datalist
element's id, which would attempt to re-enter.
This patch addresses the issue by calling dataListMayHaveChanged() asynchronously.
* LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash-expected.txt: Added.
* LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash.html: Added.
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::ListAttributeTargetObserver::idTargetChanged):
Canonical link: https://commits.webkit.org/252432.806@safari-7614-branch
Canonical link: https://commits.webkit.org/259290@main
More information about the webkit-changes
mailing list