haikuwebkit/LayoutTests/fast/selectors/focus-visible-crash.html


REGRESSION (r276264): Reproducible crash in WebCore::UserActionElementSet::clearFlags
https://bugs.webkit.org/show_bug.cgi?id=224957

Reviewed by Ryosuke Niwa.

Source/WebCore:

The crash was due to a problem with the focus and focus-visible flags getting out of sync. The problem was related to how we deal with script focus in Element::focus(), we were setting the focus-visible flag before doing focus, and if the element was moved to a different document in that process, we were resetting the flag for the same element, but pointing to the new document. So the old document still kept information about the element and the flag, and it shouldn't.

This patch is based on a patch by Ryosuke Niwa <rniwa@webkit.org>.

The approach to solve the issue is to consolidate the timing for both focus and focus-visible flags so they don't get out of sync. For that we add a new FocusVisibility enum to FocusOptions, and we pass it to Element::setFocus() and use it to pass a different value to Element::setHasFocusVisible().

Test: fast/selectors/focus-visible-crash.html

* dom/Document.cpp:
(WebCore::Document::setFocusedElement):
* dom/Element.cpp:
(WebCore::Element::setFocus):
(WebCore::Element::focus):
* dom/Element.h:
* dom/FocusOptions.h:
* html/HTMLAreaElement.cpp:
(WebCore::HTMLAreaElement::setFocus):
* html/HTMLAreaElement.h:
* html/HTMLFrameElementBase.cpp:
(WebCore::HTMLFrameElementBase::setFocus):
* html/HTMLFrameElementBase.h:
* page/EventHandler.cpp:
(WebCore::EventHandler::internalKeyEvent):
* page/FocusController.cpp:
(WebCore::FocusController::advanceFocusInDocumentOrder):
* page/FrameView.cpp:
(WebCore::FrameView::scrollToFragmentInternal):

LayoutTests:

* fast/selectors/focus-visible-crash-expected.txt: Added.
* fast/selectors/focus-visible-crash.html: Added.

Canonical link: https://commits.webkit.org/237056@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276628 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-04-27 05:44:59 +00:00
<!DOCTYPE html>
<p>This test verifies that moving an element to a different document during blur doesn't crash (see <a href="https://webkit.org/b/224957">bug #224957</a>).</p>
<div id="initial" tabindex="0">initial</div>
<div id="target" tabindex="0">target</div>
<iframe id="iframe"></iframe>
<script>
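if (window.testRunner)
    testRunner.dumpAsText();
// While focus leaves "initial", move "target" into the iframe's document.
initial.addEventListener("blur", () => {
    iframe.contentDocument.body.appendChild(target);
});
initial.focus();
// Focusing "target" blurs "initial", so "target" changes document mid-focus.
target.focus();
// Remove the iframe that now contains "target".
iframe.remove();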
</script>
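
The flag desynchronization described in the commit message, reduced to a small model. This is an added example, not WebCore code: `Document`, `Element`, `focusBuggy`, `focusFixed` and `staleEntriesInOldDocument` are hypothetical names, and the model assumes that moving an element does not migrate its flags and that the consolidated point for setting both flags comes after script has run.

```cpp
#include <cstddef>
#include <functional>
#include <map>

// Simplified model: each document keeps a per-element flag table, standing in
// for the UserActionElementSet named in the commit message.
enum Flag : unsigned { Focused = 1, FocusVisible = 2 };

struct Document {
    std::map<int, unsigned> flags; // element id -> flag bits
    void set(int id, unsigned f) { flags[id] |= f; }
    void clear(int id, unsigned f) {
        auto it = flags.find(id);
        if (it == flags.end()) return;
        it->second &= ~f;
        if (!it->second) flags.erase(it);
    }
};

struct Element { int id; Document* document; };

// "Before" ordering: focus-visible is recorded first, then the focus change
// runs script (the blur handler), which may move the element elsewhere.
void focusBuggy(Element& e, const std::function<void()>& blurHandler) {
    e.document->set(e.id, FocusVisible); // lands in the old document
    blurHandler();                       // element may change document here
    e.document->set(e.id, Focused);      // lands in the new document
}

// "After" ordering: both flags are recorded at the same point (assumed here
// to be once the handler has run), so they always share one document.
void focusFixed(Element& e, const std::function<void()>& blurHandler) {
    blurHandler();
    e.document->set(e.id, Focused | FocusVisible);
}

// Entries the old document still holds after the element was focused, moved
// by the handler, and then had its flags cleared through its new document.
std::size_t staleEntriesInOldDocument(bool fixedOrdering) {
    Document oldDoc, newDoc;
    Element target{1, &oldDoc};
    auto move = [&] { target.document = &newDoc; };
    if (fixedOrdering) focusFixed(target, move); else focusBuggy(target, move);
    target.document->clear(target.id, Focused | FocusVisible);
    return oldDoc.flags.size();
}

int main() { return staleEntriesInOldDocument(true) == 0 ? 0 : 1; }
```

In the model the leftover entry is only a map key; the commit message describes the real counterpart as information the old document kept about the element when it should not have.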