ImageInputType::ensurePrimaryContent should recreate UA shadow tree.
Once the fallback shadow tree was created, it was never recreated even if
ensurePrimaryContent was called. Such situation happens by updating |src|
attribute.
BUG=589838
Review URL: https://codereview.chromium.org/1732753004
Cr-Commit-Position: refs/heads/master@{#377804}
diff --git a/third_party/WebKit/Source/core/html/HTMLInputElementTest.cpp b/third_party/WebKit/Source/core/html/HTMLInputElementTest.cpp
index ce818df..d08fff37 100644
--- a/third_party/WebKit/Source/core/html/HTMLInputElementTest.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLInputElementTest.cpp
@@ -70,4 +70,17 @@
EXPECT_EQ(String(), inputWithForm->defaultToolTip());
}
+// crbug.com/589838
+TEST(HTMLInputElementTest, ImageTypeCrash)
+{
+ RefPtrWillBeRawPtr<Document> document = Document::create();
+ RefPtrWillBeRawPtr<HTMLInputElement> input = HTMLInputElement::create(*document, nullptr, false);
+ input->setAttribute(HTMLNames::typeAttr, "image");
+ input->ensureFallbackContent();
+ // Make sure ensurePrimaryContent() recreates UA shadow tree, and updating
+ // |value| doesn't crash.
+ input->ensurePrimaryContent();
+ input->setAttribute(HTMLNames::valueAttr, "aaa");
+}
+
} // namespace blink
diff --git a/third_party/WebKit/Source/core/html/forms/ImageInputType.cpp b/third_party/WebKit/Source/core/html/forms/ImageInputType.cpp
index 9705409..e578147 100644
--- a/third_party/WebKit/Source/core/html/forms/ImageInputType.cpp
+++ b/third_party/WebKit/Source/core/html/forms/ImageInputType.cpp
@@ -271,6 +271,9 @@
if (!m_useFallbackContent)
return;
m_useFallbackContent = false;
+ if (ShadowRoot* root = element().userAgentShadowRoot())
+ root->removeChildren();
+ createShadowSubtree();
reattachFallbackContent();
}
