Title: [144790] trunk
- Revision
- 144790
- Author
- t...@chromium.org
- Date
- 2013-03-05 11:41:55 -0800 (Tue, 05 Mar 2013)
Log Message
Fix some crashes in render sliders
https://bugs.webkit.org/show_bug.cgi?id=111458
Reviewed by Ojan Vafai.
Source/WebCore:
Fix some cases where we assumed the renderer is a renderBox.
Test: fast/forms/range/slider-inline-crash.html
* html/shadow/SliderThumbElement.cpp:
(WebCore::RenderSliderContainer::layout): Use renderBox() which will return 0 if the renderer is not a RenderBox.
(WebCore::SliderThumbElement::setPositionFromPoint): Bail out early if renderBox() is 0.
LayoutTests:
* fast/forms/range/slider-inline-crash-expected.txt: Added.
* fast/forms/range/slider-inline-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (144789 => 144790)
--- trunk/LayoutTests/ChangeLog 2013-03-05 19:37:18 UTC (rev 144789)
+++ trunk/LayoutTests/ChangeLog 2013-03-05 19:41:55 UTC (rev 144790)
@@ -1,3 +1,13 @@
+2013-03-05 Tony Chang <t...@chromium.org>
+
+ Fix some crashes in render sliders
+ https://bugs.webkit.org/show_bug.cgi?id=111458
+
+ Reviewed by Ojan Vafai.
+
+ * fast/forms/range/slider-inline-crash-expected.txt: Added.
+ * fast/forms/range/slider-inline-crash.html: Added.
+
2013-03-04 Andrew Scherkus <scher...@chromium.org>
REGRESSION(r142191): Fix closed caption buttons for ports still using the painting path.
Added: trunk/LayoutTests/fast/forms/range/slider-inline-crash-expected.txt (0 => 144790)
--- trunk/LayoutTests/fast/forms/range/slider-inline-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/forms/range/slider-inline-crash-expected.txt 2013-03-05 19:41:55 UTC (rev 144790)
@@ -0,0 +1,3 @@
+This test passes if dragging the thumb does not crash.
+
+
Added: trunk/LayoutTests/fast/forms/range/slider-inline-crash.html (0 => 144790)
--- trunk/LayoutTests/fast/forms/range/slider-inline-crash.html (rev 0)
+++ trunk/LayoutTests/fast/forms/range/slider-inline-crash.html 2013-03-05 19:41:55 UTC (rev 144790)
@@ -0,0 +1,29 @@
+<!DOCTYLE html>
+<html>
+<style>
+input[type="range"]::-webkit-slider-container,
+input[type="range"]::-webkit-slider-runnable-track,
+input[type="range"]::-webkit-slider-thumb {
+ display: inline;
+}
+</style>
+<p>This test passes if dragging the thumb does not crash.</p>
+<input id="slider" type="range">
+<script>
+function runTest()
+{
+ if (!window.testRunner || !window.eventSender)
+ return;
+ testRunner.dumpAsText();
+
+ var slider = document.getElementById("slider");
+ var x = slider.offsetLeft + slider.offsetWidth / 2;
+ var y = slider.offsetTop + slider.offsetHeight / 2;
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+}
+
+runTest();
+</script>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (144789 => 144790)
--- trunk/Source/WebCore/ChangeLog 2013-03-05 19:37:18 UTC (rev 144789)
+++ trunk/Source/WebCore/ChangeLog 2013-03-05 19:41:55 UTC (rev 144790)
@@ -1,3 +1,18 @@
+2013-03-05 Tony Chang <t...@chromium.org>
+
+ Fix some crashes in render sliders
+ https://bugs.webkit.org/show_bug.cgi?id=111458
+
+ Reviewed by Ojan Vafai.
+
+ Fix some cases where we assumed the renderer is a renderBox.
+
+ Test: fast/forms/range/slider-inline-crash.html
+
+ * html/shadow/SliderThumbElement.cpp:
+ (WebCore::RenderSliderContainer::layout): Use renderBox() which will return 0 if the renderer is not a RenderBox.
+ (WebCore::SliderThumbElement::setPositionFromPoint): Bail out early if renderBox() is 0.
+
2013-03-04 Andrew Scherkus <scher...@chromium.org>
REGRESSION(r142191): Fix closed caption buttons for ports still using the painting path.
Modified: trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp (144789 => 144790)
--- trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp 2013-03-05 19:37:18 UTC (rev 144789)
+++ trunk/Source/WebCore/html/shadow/SliderThumbElement.cpp 2013-03-05 19:41:55 UTC (rev 144790)
@@ -177,21 +177,18 @@
style()->setDirection(LTR);
}
- RenderBox* thumb = 0;
- RenderBox* track = 0;
- if (input->sliderThumbElement() && input->sliderThumbElement()->renderer()) {
- thumb = toRenderBox(input->sliderThumbElement()->renderer());
- track = toRenderBox(thumb->parent());
- // Force a layout to reset the position of the thumb so the code below doesn't move the thumb to the wrong place.
- // FIXME: Make a custom Render class for the track and move the thumb positioning code there.
+ RenderBox* thumb = input->sliderThumbElement() ? input->sliderThumbElement()->renderBox() : 0;
+ RenderBox* track = input->sliderTrackElement() ? input->sliderTrackElement()->renderBox() : 0;
+ // Force a layout to reset the position of the thumb so the code below doesn't move the thumb to the wrong place.
+ // FIXME: Make a custom Render class for the track and move the thumb positioning code there.
+ if (track)
track->setChildNeedsLayout(true, MarkOnlyThis);
- }
RenderFlexibleBox::layout();
style()->setDirection(oldTextDirection);
// These should always exist, unless someone mutates the shadow DOM (e.g., in the inspector).
- if (!thumb)
+ if (!thumb || !track)
return;
double percentageOffset = sliderPosition(input).toDouble();
@@ -255,7 +252,7 @@
HTMLInputElement* input = hostInput();
HTMLElement* trackElement = sliderTrackElementOf(input);
- if (!input->renderer() || !renderer() || !trackElement->renderer())
+ if (!input->renderer() || !renderBox() || !trackElement->renderBox())
return;
input->setTextAsOfLastFormControlChangeEvent(input->value());
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
