authorBen Murdoch <benm@google.com>2010-10-26 18:27:56 +0100
committerBen Murdoch <benm@google.com>2010-10-26 18:50:15 +0100
commit737a377f81baa2bf868b48f3457cc9a53cea2e6e (patch)
treec38b389dc3d34bca6b06899a45c53ec8f5f44541 /WebKit
parent0ab70efea3ff218a80d55cbf7c1bb6ee7df228f9 (diff)
Fix potential crash in Nav Cache code introduced by WebKit merge
The refactoring in the nav cache code caused by the recent merge to webkit r70209 can crash. Fix that. Bug: 3132882 Change-Id: I98b605ae2fdf24cf0f25adc919f2dbba581abef0
Diffstat (limited to 'WebKit')
-rw-r--r--WebKit/android/nav/CacheBuilder.cpp2
-rw-r--r--WebKit/android/nav/CachedInput.cpp20
-rw-r--r--WebKit/android/nav/CachedInput.h21
-rw-r--r--WebKit/android/nav/WebView.cpp44
4 files changed, 44 insertions, 43 deletions
diff --git a/WebKit/android/nav/CacheBuilder.cpp b/WebKit/android/nav/CacheBuilder.cpp
index 0905ca7..42a4b53 100644
--- a/WebKit/android/nav/CacheBuilder.cpp
+++ b/WebKit/android/nav/CacheBuilder.cpp
@@ -1268,7 +1268,7 @@ void CacheBuilder::BuildFrame(Frame* root, Frame* frame,
cachedInput.setIsTextArea(false);
exported = input->value().threadsafeCopy();
cachedInput.setMaxLength(input->maxLength());
- cachedInput.setInputElement(input);
+ cachedInput.setTypeFromElement(input);
// If this does not need to be threadsafe, we can use crossThreadString().
// See http://trac.webkit.org/changeset/49160.
cachedInput.setName(input->name().string().threadsafeCopy());
diff --git a/WebKit/android/nav/CachedInput.cpp b/WebKit/android/nav/CachedInput.cpp
index 7c9beba..45172fb 100644
--- a/WebKit/android/nav/CachedInput.cpp
+++ b/WebKit/android/nav/CachedInput.cpp
@@ -33,6 +33,26 @@ void CachedInput::init() {
mName = WTF::String();
}
+void CachedInput::setTypeFromElement(WebCore::HTMLInputElement* element)
+{
+ ASSERT(element);
+
+ if (element->isPasswordField())
+ mType = PASSWORD;
+ else if (element->isSearchField())
+ mType = SEARCH;
+ else if (element->isEmailField())
+ mType = EMAIL;
+ else if (element->isNumberField())
+ mType = NUMBER;
+ else if (element->isTelephoneField())
+ mType = TELEPHONE;
+ else if (element->isURLField())
+ mType = URL;
+ else
+ mType = NORMAL_TEXT_FIELD;
+}
+
#if DUMP_NAV_CACHE
#define DEBUG_PRINT_BOOL(field) \
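Review bot: `ASSERT(element)` at the top of `setTypeFromElement` is normally a no-op in WebKit release builds, so a null `element` would still reach `element->isPasswordField()` and be dereferenced. The one caller visible on this page (CacheBuilder.cpp) has already dereferenced `input` before the call, so this is defensive, but the method is public; an early `if (!element) { mType = NONE; return; }` would keep the cached type well defined. The function is also undocumented, and a one-line comment such as `// Records the element's type by value; the element pointer is not retained.` would state why it replaces `setInputElement`.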
diff --git a/WebKit/android/nav/CachedInput.h b/WebKit/android/nav/CachedInput.h
index 333c346..cbcc1fb 100644
--- a/WebKit/android/nav/CachedInput.h
+++ b/WebKit/android/nav/CachedInput.h
@@ -38,9 +38,23 @@ public:
// Initiaized to 0 in its array, so nothing to do in the
// constructor
}
+
+ enum Type {
+ NONE = -1,
+ NORMAL_TEXT_FIELD = 0,
+ TEXT_AREA = 1,
+ PASSWORD = 2,
+ SEARCH = 3,
+ EMAIL = 4,
+ NUMBER = 5,
+ TELEPHONE = 6,
+ URL = 7
+ };
+
void* formPointer() const { return mForm; }
void init();
- WebCore::HTMLInputElement* inputElement() const { return mElement; }
+ void setTypeFromElement(WebCore::HTMLInputElement*);
+ Type getType() const { return mType; }
bool isRtlText() const { return mIsRtlText; }
bool isTextField() const { return mIsTextField; }
bool isTextArea() const { return mIsTextArea; }
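Review bot: `getType()` and `isTextArea()` can disagree, because `TEXT_AREA` is declared in the new enum but `setTypeFromElement` never assigns it; `nativeFocusCandidateType` in WebView.cpp only returns the right value because it tests `isTextArea()` first. Either document the contract on the accessor, e.g. `// Valid only for <input> fields; text areas are reported by isTextArea().`, or have the text-area path store `TEXT_AREA` so callers need a single check. The enumerators are also returned as `int` through JNI, so presumably they mirror constants on the Java side; a comment saying the values must not be renumbered would help. The class body starts and ends outside this hunk.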
@@ -51,7 +65,6 @@ public:
int paddingRight() const { return mPaddingRight; }
int paddingTop() const { return mPaddingTop; }
void setFormPointer(void* form) { mForm = form; }
- void setInputElement(WebCore::HTMLInputElement* element) { mElement = element; }
void setIsRtlText(bool isRtlText) { mIsRtlText = isRtlText; }
void setIsTextField(bool isTextField) { mIsTextField = isTextField; }
void setIsTextArea(bool isTextArea) { mIsTextArea = isTextArea; }
@@ -63,7 +76,9 @@ public:
void setPaddingTop(int top) { mPaddingTop = top; }
void setTextSize(int textSize) { mTextSize = textSize; }
int textSize() const { return mTextSize; }
+
private:
+
void* mForm;
WTF::String mName;
int mMaxLength;
@@ -72,7 +87,7 @@ private:
int mPaddingRight;
int mPaddingTop;
int mTextSize;
- WebCore::HTMLInputElement* mElement;
+ Type mType;
bool mIsRtlText : 1;
bool mIsTextField : 1;
bool mIsTextArea : 1;
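Review bot: `mType` has no visible initialiser, and its zero value is `NORMAL_TEXT_FIELD` rather than `NONE`. The constructor comment in this header says objects are zero-initialised in their array, and only the tail of `init()` is visible in CachedInput.cpp, so whether a reused `CachedInput` has `mType` reset cannot be confirmed from this page. This matters because `nativeFocusCandidateIsPassword` in WebView.cpp reads `getType()` without the `isTextArea()` check that `nativeFocusCandidateType` performs, so a stale `PASSWORD` would be reported as-is. Setting `mType = NONE;` explicitly in `init()` would make the default unambiguous.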
diff --git a/WebKit/android/nav/WebView.cpp b/WebKit/android/nav/WebView.cpp
index 7a3e08f..cd5b4ae 100644
--- a/WebKit/android/nav/WebView.cpp
+++ b/WebKit/android/nav/WebView.cpp
@@ -1642,10 +1642,7 @@ static jint nativeFocusCandidateFramePointer(JNIEnv *env, jobject obj)
static bool nativeFocusCandidateIsPassword(JNIEnv *env, jobject obj)
{
const CachedInput* input = getInputCandidate(env, obj);
- HTMLInputElement* element = 0;
- if (input)
- element = input->inputElement();
- return element && element->isPasswordField();
+ return input && input->getType() == CachedInput::PASSWORD;
}
static bool nativeFocusCandidateIsRtlText(JNIEnv *env, jobject obj)
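Review bot: `nativeFocusCandidateIsPassword` now answers from the type recorded when the nav cache was built, so it can lag behind the live element if a page changes an input's `type` afterwards. Whether the cache is rebuilt on such an attribute change is not visible in this diff; if it is not, a field that has become a password field would be reported as plain text to the Java side until the next rebuild. A comment on the function, e.g. `// Uses the type snapshotted at cache-build time; relies on the nav cache being rebuilt when an input's type changes.`, would record that dependency.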
@@ -1725,47 +1722,16 @@ static jint nativeFocusCandidateTextSize(JNIEnv *env, jobject obj)
return input ? input->textSize() : 0;
}
-enum type {
- NONE = -1,
- NORMAL_TEXT_FIELD = 0,
- TEXT_AREA = 1,
- PASSWORD = 2,
- SEARCH = 3,
- EMAIL = 4,
- NUMBER = 5,
- TELEPHONE = 6,
- URL = 7
-};
-
static int nativeFocusCandidateType(JNIEnv *env, jobject obj)
{
const CachedInput* input = getInputCandidate(env, obj);
if (!input)
- return NONE;
+ return CachedInput::NONE;
if (input->isTextArea())
- return TEXT_AREA;
-
- HTMLInputElement* element = input->inputElement();
- // If the CachedInput is used to represent a TextArea,
- // we have no HTMLInputElement and should have already
- // returned above. We must have an HTMLInputElement now.
- ASSERT(element);
-
- if (element->isPasswordField())
- return PASSWORD;
- else if (element->isSearchField())
- return SEARCH;
- else if (element->isEmailField())
- return EMAIL;
- else if (element->isNumberField())
- return NUMBER;
- else if (element->isTelephoneField())
- return TELEPHONE;
- else if (element->isURLField())
- return URL;
- else
- return NORMAL_TEXT_FIELD;
+ return CachedInput::TEXT_AREA;
+
+ return input->getType();
}
static bool nativeFocusIsPlugin(JNIEnv *env, jobject obj)