Cherry-pick 259548.204@safari-7615-branch (e110042). https://bugs.web…

…kit.org/show_bug.cgi?id=252426

    Nullptr crash in DateTimeFieldElement::isFocusable()
    https://bugs.webkit.org/show_bug.cgi?id=252426
    rdar://105383909

    Reviewed by Aditya Keerthi and Wenson Hsieh.

    The bug was caused by FocusController calling isFocusable() on a disconnected element of
    the shadow tree of input element after blur event handler had changed the input type.

    Fixed the crash by checking the connected-ness early and bailing out if it's disconnected.

    * LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt: Added.
    * LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash.html: Added.
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::setFocusedElement):

    Canonical link: https://commits.webkit.org/259548.204@safari-7615-branch

LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt

@@ -0,0 +1 @@
+PASS

LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash.html

@@ -0,0 +1,21 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function main() {
+    input.focus();
+    input.stepUp(1);
+    document.body.innerHTML = 'PASS';
+}
+function inputFocus() {
+    x1.show();
+}
+function dialogChange() {
+    x1.close();
+    input.type = "range";
+}
+</script>
+<body onload="main()">
+<dialog id="x1" tabindex="0" onfocus="dialogChange()" onblur="dialogChange()">
+</dialog>
+<input id="input" onfocusin="inputFocus()" type="time">

Source/WebCore/dom/Document.cpp

@@ -4845,7 +4845,7 @@ bool Document::setFocusedElement(Element* element, const FocusOptions& options)
     }
 
     auto isNewElementFocusable = [&] {
-        if (!newFocusedElement)
+        if (!newFocusedElement || !newFocusedElement->isConnected())
             return false;
         // Resolving isFocusable() may require matching :focus-within as if the focus was already on the new element.
         newFocusedElement->setHasTentativeFocus(true);