<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[259950] releases/WebKitGTK/webkit-2.28</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/259950">259950</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2020-04-12 06:03:13 -0700 (Sun, 12 Apr 2020)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/258532">r258532</a> - A change event gets dispatched when textarea gets changed without focus
https://bugs.webkit.org/show_bug.cgi?id=202144

Patch by ChangSeok Oh <changseok@webkit.org> on 2020-03-16
Reviewed by Ryosuke Niwa.

Source/WebCore:

A crash happens in WebCore::ValidationMessage::buildBubbleTree. An immediate reason
is that DOM tree is modified in buildBubbleTree triggered by a timer.
The function calls document.updateLayout() that causes a change event
for textarea to fire when something changed in the textarea.
This bug is not reproduced on Mac because buildBubbleTree is not called.
See ValidationMessage::setMessage.
On the other hand, the root cause of this issue is triggering the change event
for textarea even if it is not focused when a change is made. This behavior
is different to what Gecko and Chromium do. When loading the test, they do not
trigger the change event although the textarea is filled by the script
since the textarea is not focused. Only when we manually make a change (meaning
the textarea is focused by user input), the event gets dispatched. To fix it,
setChangedSinceLastFormControlChangeEvent(true) is moved below the focus check
in HTMLTextAreaElement::subtreeHasChanged();

Test: fast/forms/textfield-onchange-without-focus.html

* html/HTMLTextAreaElement.cpp:
(WebCore::HTMLTextAreaElement::subtreeHasChanged):

LayoutTests:

The test should be identical to the expected result without crash.

* fast/forms/textfield-onchange-without-focus-expected.html: Added.
* fast/forms/textfield-onchange-without-focus.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit228LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceWebCorehtmlHTMLTextAreaElementcpp">releases/WebKitGTK/webkit-2.28/Source/WebCore/html/HTMLTextAreaElement.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit228LayoutTestsfastformstextfieldonchangewithoutfocusexpectedhtml">releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit228LayoutTestsfastformstextfieldonchangewithoutfocushtml">releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit228LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog (259949 => 259950)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog     2020-04-12 13:03:07 UTC (rev 259949)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog        2020-04-12 13:03:13 UTC (rev 259950)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2020-03-16  ChangSeok Oh  <changseok@webkit.org>
+
+        A change event gets dispatched when textarea gets changed without focus
+        https://bugs.webkit.org/show_bug.cgi?id=202144
+
+        Reviewed by Ryosuke Niwa.
+
+        The test should be identical to the extected result without crash.
+
+        * fast/forms/textfield-onchange-without-focus-expected.html: Added.
+        * fast/forms/textfield-onchange-without-focus.html: Added.
+
</ins><span class="cx"> 2020-03-06  Enrique Ocaña González  <eocanha@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         [GStreamer] Streaming aac/mp3 audio doesn't always work
</span></span></pre></div>
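Review bot: Typo in the added entry: "extected" should be "expected" in the line "The test should be identical to the extected result without crash." The entry would also be more useful if it said what the test checks, namely that a script-driven change to an unfocused textarea does not dispatch a change event, rather than only that the rendering matches.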
<a id="releasesWebKitGTKwebkit228LayoutTestsfastformstextfieldonchangewithoutfocusexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus-expected.html (0 => 259950)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus-expected.html                             (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus-expected.html        2020-04-12 13:03:13 UTC (rev 259950)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+<!DOCTYPE html>
+<script>
+function test() {
+  const select = document.querySelector('select');
+  select.setCustomValidity('validity');
+  select.reportValidity();
+
+  const textarea = document.querySelector('textarea');
+  textarea.setRangeText('lol');
+  select.autofocus = true;
+
+  setTimeout(() => {
+    select.reportValidity();
+    textarea.blur();
+  }, 0);
+}
+</script>
+<body onload='test()'>
+  <p>The onchange should not be triggered by textarea when it got something changed without being focused. Pass if not crashed, and the focused select box is displayed.</p>
+  <select></select>
+  <textarea></textarea>
+</body>
</ins></span></pre></div>
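Review bot: Nothing in this reference file tells the harness to wait for the setTimeout callback in test(), so whether the second reportValidity() and the blur() have run when the comparison is taken depends on harness timing. If the comparison is meant to reflect the state after the callback, make the wait explicit (WebKit layout tests have testRunner.waitUntilDone() and testRunner.notifyDone() for this) and do the same in the test file so the two stay in step.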
<a id="releasesWebKitGTKwebkit228LayoutTestsfastformstextfieldonchangewithoutfocushtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus.html (0 => 259950)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus.html                              (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/fast/forms/textfield-onchange-without-focus.html 2020-04-12 13:03:13 UTC (rev 259950)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+<!DOCTYPE html>
+<script>
+function test() {
+  const select = document.querySelector('select');
+  select.setCustomValidity('validity');
+  select.reportValidity();
+
+  const textarea = document.querySelector('textarea');
+  textarea.setRangeText('lol');
+  select.autofocus = true;
+
+  setTimeout(() => {
+    select.reportValidity();
+    textarea.blur();
+  }, 0);
+}
+</script>
+<body onload='test()'>
+  <p>The onchange should not be triggered by textarea when it got something changed without being focused. Pass if not crashed, and the focused select box is displayed.</p>
+  <select></select>
+  <textarea onchange="document.all[2].appendChild(document.querySelector('select'));"></textarea>
+</body>
</ins></span></pre></div>
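Review bot: The onchange handler on the textarea targets document.all[2], an index whose meaning depends on the parsed element order and is not obvious to a reader. Name the target explicitly, or add a comment saying which element it is and why moving the select there reproduces the DOM mutation, so a later edit to the markup does not silently change what the test exercises. The file name also says textfield while the control under test is a textarea; consider renaming it.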
<a id="releasesWebKitGTKwebkit228SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (259949 => 259950)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog  2020-04-12 13:03:07 UTC (rev 259949)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog     2020-04-12 13:03:13 UTC (rev 259950)
</span><span class="lines">@@ -1,3 +1,30 @@
</span><ins>+2020-03-16  ChangSeok Oh  <changseok@webkit.org>
+
+        A change event gets dispatched when textarea gets changed without focus
+        https://bugs.webkit.org/show_bug.cgi?id=202144
+
+        Reviewed by Ryosuke Niwa.
+
+        A crash happens in WebCore::ValidationMessage::buildBubbleTree. An immediate reason
+        is that DOM tree is modified in buildBubbleTree triggered by a timer.
+        The function calls document.updateLayout() that causes a change event
+        for textarea to fire when something changed in the textarea.
+        This bug is not reproduced on Mac because buildBubbleTree is not called.
+        See ValidationMessage::setMessage.
+        On the other hand, the root cause of this issue is triggering the change event
+        for textarea even if it is not focused when a change is made. This behavior
+        is different to what Gecko and Chromium do. When loading the test, they do not
+        trigger the change event although the textarea is filled by the script
+        since the textarea is not focused. Only when we manually make a change (meaning
+        the textarea is focused by user input), the event gets dispatched. To fix it,
+        setChangedSinceLastFormControlChangeEvent(true) is moved below the focus check
+        in HTMLTextAreaElement::subtreeHasChanged();
+
+        Test: fast/forms/textfield-onchange-without-focus.html
+
+        * html/HTMLTextAreaElement.cpp:
+        (WebCore::HTMLTextAreaElement::subtreeHasChanged):
+
</ins><span class="cx"> 2020-03-17  Philippe Normand  <pnormand@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         [GStreamer][MSE] Playback rate update support
</span></span></pre></div>
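Review bot: The entry names two causes but the change addresses only one: the description says buildBubbleTree calls document.updateLayout() from a timer and that the DOM is modified underneath it, and the fix removes the textarea change event as the trigger. State in the entry whether buildBubbleTree is still exposed if some other handler runs script during that layout, or reference a follow-up bug for hardening it, so the remaining risk is recorded next to the fix.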
<a id="releasesWebKitGTKwebkit228SourceWebCorehtmlHTMLTextAreaElementcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/html/HTMLTextAreaElement.cpp (259949 => 259950)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/WebCore/html/HTMLTextAreaElement.cpp       2020-04-12 13:03:07 UTC (rev 259949)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/html/HTMLTextAreaElement.cpp  2020-04-12 13:03:13 UTC (rev 259950)
</span><span class="lines">@@ -284,7 +284,6 @@
</span><span class="cx"> 
</span><span class="cx"> void HTMLTextAreaElement::subtreeHasChanged()
</span><span class="cx"> {
</span><del>-    setChangedSinceLastFormControlChangeEvent(true);
</del><span class="cx">     setFormControlValueMatchesRenderer(false);
</span><span class="cx">     updateValidity();
</span><span class="cx"> 
</span><span class="lines">@@ -291,6 +290,8 @@
</span><span class="cx">     if (!focused())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><ins>+    setChangedSinceLastFormControlChangeEvent(true);
+
</ins><span class="cx">     if (RefPtr<Frame> frame = document().frame())
</span><span class="cx">         frame->editor().textDidChangeInTextArea(this);
</span><span class="cx">     // When typing in a textarea, childrenChanged is not called, so we need to force the directionality check.
</span></span></pre>
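Review bot: The placement of setChangedSinceLastFormControlChangeEvent(true) after the if (!focused()) return; check is now what keeps script-driven edits from arming a change event, and nothing at the call site says so. Add a one-line comment above the moved call stating that the flag is only set for edits made while focused, so a later cleanup does not hoist it back to the top of subtreeHasChanged(). The change also adds no test that an edit made while the textarea is focused still dispatches change on blur; a positive test alongside the new one would guard against over-suppression.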
</div>
</div>

</body>
</html>