Title: [146393] trunk
Revision
146393
Author
[email protected]
Date
2013-03-20 14:58:37 -0700 (Wed, 20 Mar 2013)

Log Message

Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler
https://bugs.webkit.org/show_bug.cgi?id=112653

Reviewed by Dimitri Glazkov.

Source/WebCore:

Test: fast/frames/detach-frame-during-focus.html

* page/FocusController.cpp:
(WebCore::FocusController::setFocusedNode):
An oldDocument->setFocusedNode call might dispatch a 'change' event for
the old focused node, and event handler code might detach the
newFocusedFrame, so we should check it. Without the check, the following
newDocument->setFocusedNode call would crash because of a null
Frame::page().

LayoutTests:

* fast/frames/detach-frame-during-focus-expected.txt: Added.
* fast/frames/detach-frame-during-focus.html: Added.
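The hazard described in the log message is a general one: a state transition captures a pointer, then dispatches an event into script, and the script invalidates what the pointer refers to before the transition finishes. The following is an added C++ model of that sequence and of the guard the patch introduces; it is not WebKit code. Page, Frame, Document and FocusController are assumed names that mirror WebCore's but are not its real API, and the 'change' dispatch and frame teardown are modelled in a few lines each.

```cpp
// Added illustration, not WebKit code: a minimal model of the re-entrancy
// hazard behind bug 112653. Clearing the old document's focus can dispatch a
// 'change' event into script, and that script may detach the frame that the
// new node lives in, so any Frame* captured before the dispatch must be
// re-validated afterwards. Page, Frame, Document and FocusController are
// assumed names mirroring WebCore's, not its real API.
#include <algorithm>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

struct Page;
struct Document;

struct Frame {
    Page* page = nullptr;           // becomes null once the frame is detached
    Document* document = nullptr;
};

struct Document {
    std::string focusedNode;                // "" means no focused node
    bool valueDirtySinceFocus = false;      // an <input> edited since it was focused
    std::function<void()> changeListener;   // script-installed 'change' handler

    // Clearing focus fires 'change' when the focused input was edited, as a
    // real <input> does on blur; this is the point where script re-enters.
    void setFocusedNode(const std::string& node) {
        if (node.empty() && !focusedNode.empty() && valueDirtySinceFocus) {
            valueDirtySinceFocus = false;
            if (changeListener)
                changeListener();
        }
        focusedNode = node;
    }
};

struct Page {
    std::vector<Frame*> frames;
    Frame* focusedFrame = nullptr;

    // Moving an <iframe> element in the DOM tears down its Frame: page() goes null.
    void detach(Frame* f) {
        f->page = nullptr;
        frames.erase(std::remove(frames.begin(), frames.end(), f), frames.end());
    }
};

struct FocusController {
    Page* page;
    explicit FocusController(Page* p) : page(p) {}

    bool setFocusedNode(const std::string& node, Frame* newFocusedFrame) {
        Document* newDocument = newFocusedFrame->document;
        Frame* oldFocusedFrame = page->focusedFrame;
        Document* oldDocument = oldFocusedFrame ? oldFocusedFrame->document : nullptr;

        if (oldDocument && oldDocument != newDocument)
            oldDocument->setFocusedNode("");    // may run script that detaches newFocusedFrame

        // The fix: re-validate the pointer captured above. Without this check
        // the code below would go on to use a frame whose Page is null.
        if (newFocusedFrame && !newFocusedFrame->page) {
            page->focusedFrame = nullptr;
            return false;
        }
        page->focusedFrame = newFocusedFrame;
        newDocument->setFocusedNode(node);
        return true;
    }
};

struct Outcome {
    bool focused;               // what setFocusedNode returned
    bool targetFrameAttached;   // does the target frame still have a Page?
    bool focusedFrameCleared;   // did the controller end with no focused frame?
};

// Replays the layout test's sequence on the model. With handlerDetachesFrame
// the 'change' listener moves the iframe, as the test's listener does.
Outcome runScenario(bool handlerDetachesFrame) {
    Page page;
    Frame outerFrame, innerFrame;
    Document outerDoc, innerDoc;
    outerFrame.page = &page; outerFrame.document = &outerDoc;
    innerFrame.page = &page; innerFrame.document = &innerDoc;
    page.frames = { &outerFrame, &innerFrame };
    FocusController controller(&page);

    if (handlerDetachesFrame)
        outerDoc.changeListener = [&] { page.detach(&innerFrame); };

    controller.setFocusedNode("outerInput", &outerFrame);                 // outerInput.focus()
    outerDoc.valueDirtySinceFocus = true;                                 // execCommand('inserttext')
    bool focused = controller.setFocusedNode("innerInput", &innerFrame);  // frame1.innerInput.focus()
    return { focused, innerFrame.page != nullptr, page.focusedFrame == nullptr };
}

int main() {
    Outcome hostile = runScenario(true), benign = runScenario(false);
    std::printf("detaching handler: focused=%d attached=%d cleared=%d\n",
                hostile.focused, hostile.targetFrameAttached, hostile.focusedFrameCleared);
    std::printf("no detach:         focused=%d attached=%d cleared=%d\n",
                benign.focused, benign.targetFrameAttached, benign.focusedFrameCleared);
    return 0;
}
```

The point the model makes is that the listener runs from inside the controller's own call, so the frame pointer it was handed is stale by the time control returns; the only safe order is capture, dispatch, re-check, use. The same discipline applies to any engine code that calls out to script mid-operation.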

Diff

Modified: trunk/LayoutTests/ChangeLog (146392 => 146393)


--- trunk/LayoutTests/ChangeLog	2013-03-20 21:41:55 UTC (rev 146392)
+++ trunk/LayoutTests/ChangeLog	2013-03-20 21:58:37 UTC (rev 146393)
@@ -1,3 +1,13 @@
+2013-03-20  Kent Tamura  <[email protected]>
+
+        Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler
+        https://bugs.webkit.org/show_bug.cgi?id=112653
+
+        Reviewed by Dimitri Glazkov.
+
+        * fast/frames/detach-frame-during-focus-expected.txt: Added.
+        * fast/frames/detach-frame-during-focus.html: Added.
+
 2013-03-20  Eric Carlson  <[email protected]>
 
         Allow ports specific text track menu

Added: trunk/LayoutTests/fast/frames/detach-frame-during-focus-expected.txt (0 => 146393)


--- trunk/LayoutTests/fast/frames/detach-frame-during-focus-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/detach-frame-during-focus-expected.txt	2013-03-20 21:58:37 UTC (rev 146393)
@@ -0,0 +1,2 @@
+
+PASS

Added: trunk/LayoutTests/fast/frames/detach-frame-during-focus.html (0 => 146393)


--- trunk/LayoutTests/fast/frames/detach-frame-during-focus.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/detach-frame-during-focus.html	2013-03-20 21:58:37 UTC (rev 146393)
@@ -0,0 +1,22 @@
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+
+addEventListener('change', function(e) {
+    document.body.appendChild(document.getElementById('frame1'));
+}, false);
+
+function handleFocus() {
+    outerInput.focus();
+    document.execCommand('inserttext', false, 'abc');
+    frame1.innerInput.focus();
+    document.body.appendChild(document.createTextNode('PASS'));
+    testRunner.notifyDone();
+}
+</script>
+<div>
+ <input value="foo" id="outerInput"></input>
+ <iframe frameborder="0" id="frame1" height="100" width="540" srcdoc="&lt;input autofocus id='innerInput' _onfocus_='parent.handleFocus()'>"></iframe>
+</div>
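Review bot: `testRunner.notifyDone()` at the end of `handleFocus()` is called unguarded although the top of the script guards on `window.testRunner`, so loaded outside the harness the test throws a ReferenceError right after appending PASS; wrap it as `if (window.testRunner) testRunner.notifyDone();`. The `change` listener also re-appends `frame1` on every change event, and the re-inserted iframe reloads its srcdoc, so the inner input's `autofocus` can call `parent.handleFocus()` again and repeat the whole sequence after notifyDone has fired; removing the listener once it has detached the frame keeps the crash scenario to a single run. The inner input's handler is shown here as `_onfocus_`, which is not an event attribute: if the file is committed that way `parent.handleFocus()` never runs and the test times out rather than passing, so it should read `onfocus` (if this is only how the archive renders it, ignore). Minor: `</input>` is not a valid end tag for a void element and can be dropped.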

Modified: trunk/Source/WebCore/ChangeLog (146392 => 146393)


--- trunk/Source/WebCore/ChangeLog	2013-03-20 21:41:55 UTC (rev 146392)
+++ trunk/Source/WebCore/ChangeLog	2013-03-20 21:58:37 UTC (rev 146393)
@@ -1,3 +1,20 @@
+2013-03-20  Kent Tamura  <[email protected]>
+
+        Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler
+        https://bugs.webkit.org/show_bug.cgi?id=112653
+
+        Reviewed by Dimitri Glazkov.
+
+        Test: fast/frames/detach-frame-during-focus.html
+
+        * page/FocusController.cpp:
+        (WebCore::FocusController::setFocusedNode):
+        A oldDocument->setFocusedNode call might dispatch a 'change' event for
+        an old focused node, and an event handler code might detach the
+        newFocusedFrame. So we should check it. Without the check, the following
+        newDocument->setFocusedNode call would crash because of null
+        Frame::page().
+
 2013-03-20  Ryosuke Niwa  <[email protected]>
 
         Assertion in LegacyWebArchive::create() in editing tests

Modified: trunk/Source/WebCore/page/FocusController.cpp (146392 => 146393)


--- trunk/Source/WebCore/page/FocusController.cpp	2013-03-20 21:41:55 UTC (rev 146392)
+++ trunk/Source/WebCore/page/FocusController.cpp	2013-03-20 21:58:37 UTC (rev 146393)
@@ -611,7 +611,11 @@
     
     if (oldDocument && oldDocument != newDocument)
         oldDocument->setFocusedNode(0);
-    
+
+    if (newFocusedFrame && !newFocusedFrame->page()) {
+        setFocusedFrame(0);
+        return false;
+    }
     setFocusedFrame(newFocusedFrame);
 
     // Setting the focused node can result in losing our last reft to node when JS event handlers fire.
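Review bot: the new check only covers the frame losing its page, but the same 'change' handler that detaches `newFocusedFrame` can just as well remove `node` from `newDocument` or move it into another document while the frame stays attached, and the following `newDocument->setFocusedNode(node)` would then focus a node that no longer belongs to that document; a second check after the `oldDocument->setFocusedNode(0)` call, something like `if (node && node->document() != newDocument)` taking the same bail-out path, would close that case. The bail-out branch also deserves a one-line comment saying why it exists (script run from the old document's 'change' event can detach the frame), since today only the ChangeLog explains it. Minor: `reft` in the retained comment on the last context line should read `ref`.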
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
