Title: [156382] trunk
Revision
156382
Author
[email protected]
Date
2013-09-24 20:34:56 -0700 (Tue, 24 Sep 2013)

Log Message

Crash in Document::setFocusedElement
https://bugs.webkit.org/show_bug.cgi?id=121888

Reviewed by Andreas Kling.

Source/WebCore:

Merge https://chromium.googlesource.com/chromium/blink/+/4a594a3de7d9761462b55fb27a6850d767419af2

The crash was caused by attempting to call Chrome:focusedNodeChanged() after m_page had already
been cleared. This could happen when blur's event handler removes the iframe from which
the focus had been moved. Fixed the bug by adding a null pointer check.

Test: fast/events/blur-remove-parent-crash.html

* dom/Document.cpp:
(WebCore::Document::setFocusedElement):

LayoutTests:

* fast/events/blur-remove-parent-crash-expected.txt: Added.
* fast/events/blur-remove-parent-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (156381 => 156382)


--- trunk/LayoutTests/ChangeLog	2013-09-25 03:09:41 UTC (rev 156381)
+++ trunk/LayoutTests/ChangeLog	2013-09-25 03:34:56 UTC (rev 156382)
@@ -1,3 +1,13 @@
+2013-09-24  Ryosuke Niwa  <[email protected]>
+
+        Crash in Document::setFocusedElement
+        https://bugs.webkit.org/show_bug.cgi?id=121888
+
+        Reviewed by Andreas Kling.
+
+        * fast/events/blur-remove-parent-crash-expected.txt: Added.
+        * fast/events/blur-remove-parent-crash.html: Added.
+
 2013-09-24  Mark Hahnenberg  <[email protected]>
 
         op_get_callee shouldn't use value profiling

Added: trunk/LayoutTests/fast/events/blur-remove-parent-crash-expected.txt (0 => 156382)


--- trunk/LayoutTests/fast/events/blur-remove-parent-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/events/blur-remove-parent-crash-expected.txt	2013-09-25 03:34:56 UTC (rev 156382)
@@ -0,0 +1,3 @@
+This tests removing an iframe while it is being focused. WebKit should not crash.
+
+PASS

Added: trunk/LayoutTests/fast/events/blur-remove-parent-crash.html (0 => 156382)


--- trunk/LayoutTests/fast/events/blur-remove-parent-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/events/blur-remove-parent-crash.html	2013-09-25 03:34:56 UTC (rev 156382)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests removing an iframe while it is being focused. WebKit should not crash.</p>
+<iframe></iframe>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var iframe = document.querySelector('iframe');
+var doc = iframe.contentDocument;
+var input = doc.createElement('input');
+input.value = 'foo';
+doc.body.appendChild(input);
+input.addEventListener('blur', function() { iframe.remove(); });
+input.focus();
+iframe.focus();
+
+document.write('PASS');
+
+</script>
+</body>
+</html>
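Review bot: the test only covers focus leaving the iframe's document for the parent (`input.focus()` followed by `iframe.focus()`), so the guarded path in Document::setFocusedElement is exercised for the inner document alone; the reverse sequence, a blur handler on a parent-document element removing the iframe whose input is being focused, goes through the same code and deserves a second case in this file or a sibling test. Two smaller points: `iframe.remove()` depends on ChildNode.remove() being present in the build under test, and `iframe.parentNode.removeChild(iframe)` would keep the test meaningful on builds without it; and since `document.write('PASS')` runs after the frame is gone, it would be worth asserting that `document.activeElement` is not the detached iframe, so a regression that leaves a dangling focused element is caught rather than only the crash.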

Modified: trunk/Source/WebCore/ChangeLog (156381 => 156382)


--- trunk/Source/WebCore/ChangeLog	2013-09-25 03:09:41 UTC (rev 156381)
+++ trunk/Source/WebCore/ChangeLog	2013-09-25 03:34:56 UTC (rev 156382)
@@ -1,3 +1,21 @@
+2013-09-24  Ryosuke Niwa  <[email protected]>
+
+        Crash in Document::setFocusedElement
+        https://bugs.webkit.org/show_bug.cgi?id=121888
+
+        Reviewed by Andreas Kling.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/4a594a3de7d9761462b55fb27a6850d767419af2
+
+        The crash was caused by attempting to call Chrome:focusedNodeChanged() after m_page had already
+        been cleared. This could happen when blur's event handler removes the iframe from which
+        the focus had been moved. Fixed the bug by adding a null pointer check.
+
+        Test: fast/events/blur-remove-parent-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setFocusedElement):
+
 2013-09-24  Antti Koivisto  <[email protected]>
 
         Remove HTMLContentElement
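Review bot: the description names `Chrome:focusedNodeChanged()` (single colon, and the Blink-side name carried over from the merged commit), but the call guarded in dom/Document.cpp is `page()->chrome().focusedElementChanged(m_focusedElement.get())`; naming the WebKit method with `::` will save the next reader from grepping for a function that does not exist in this tree.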

Modified: trunk/Source/WebCore/dom/Document.cpp (156381 => 156382)


--- trunk/Source/WebCore/dom/Document.cpp	2013-09-25 03:09:41 UTC (rev 156381)
+++ trunk/Source/WebCore/dom/Document.cpp	2013-09-25 03:34:56 UTC (rev 156382)
@@ -3429,7 +3429,7 @@
             cache->handleFocusedUIElementChanged(oldFocusedElement.get(), newFocusedElement.get());
     }
 
-    if (!focusChangeBlocked)
+    if (!focusChangeBlocked && page())
         page()->chrome().focusedElementChanged(m_focusedElement.get());
 
 SetFocusedNodeDone:
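Review bot: the null check on `page()` covers the line that crashed, but the blur handler can detach the document at any point between the blur dispatch earlier in this function and the `focusedElementChanged` call, so the `cache->handleFocusedUIElementChanged(...)` call in the visible context and any other `page()` or `frame()` dereference after the event dispatch should be audited for the same condition rather than guarding only the final call. A one-line comment on the new condition (that a blur handler may have removed the frame and cleared the page) would also stop the check from being "simplified" away later, and since `page()` is now evaluated twice, hoisting it into a local `Page* page = this->page()` before the `if` would match the surrounding style.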
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
