Avoid null dereference when changing focus in design mode.
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Oct 2016 21:36:46 +0000 (21:36 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Oct 2016 21:36:46 +0000 (21:36 +0000)
commit 2db7392c14de6684a7c2a150f578a1ecdc930a7a
tree 475fdf1f62b82037d4a209b0fabfd6a1eff5b619
parent 20fbbc28c0fef895f61578206fb94e3ca6bdf987
Avoid null dereference when changing focus in design mode.
https://bugs.webkit.org/show_bug.cgi?id=162877
<rdar://problem/28061261>

Reviewed by Chris Dumez.

Source/WebCore:

The bare m_frame pointer in DOMWindow can be cleared when setting focus to a new element. Check
that the m_frame pointer is non-null before using it after calling a routine that could
clear the pointer value.

Test: fast/frames/iframe-focus-crash.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::focus): Check that the pointer is still non-null after setting the
current focused element to nullptr.

LayoutTests:

* fast/frames/iframe-focus-crash-expected.txt: Added.
* fast/frames/iframe-focus-crash.html: Added.
* fast/frames/resources/iframe-focus-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@206751 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/frames/iframe-focus-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/iframe-focus-crash.html [new file with mode: 0644]
LayoutTests/fast/frames/resources/iframe-focus-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/DOMWindow.cpp
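The hazard the commit message describes is a bare (non-owning) pointer read before a call that can run arbitrary handlers, then used again afterwards. The following is an added illustration, not WebKit's DOMWindow code: the `Frame`, `Window`, `clearFocusedElement` and `onClearFocus` names are hypothetical stand-ins that model the pattern and its re-validation fix.

```cpp
// Added example, not WebKit source: minimal model of the re-check-after-call pattern
// applied to DOMWindow::focus() in this commit. All names here are hypothetical.
#include <functional>

struct Frame {
    bool hasFocus = false;
};

struct Window {
    Frame* m_frame = nullptr;            // bare, non-owning pointer, as in DOMWindow
    std::function<void()> onClearFocus;  // stands in for blur/focus handlers that may
                                         // detach the frame while focus is changing

    // Clearing the focused element runs handlers; those handlers may tear down the
    // frame and reset m_frame to nullptr, which is the hazard the commit addresses.
    void clearFocusedElement() {
        if (onClearFocus)
            onClearFocus();
    }

    // Returns true if the frame was focused, false if the window had to bail out
    // because the frame disappeared during clearFocusedElement().
    bool focus() {
        if (!m_frame)
            return false;
        clearFocusedElement();
        // Re-validate: the check above is stale after a call that can clear the pointer.
        if (!m_frame)
            return false;
        m_frame->hasFocus = true;
        return true;
    }
};

// Scenario 1: nothing detaches the frame, so focus completes normally.
bool focusSurvives() {
    Frame frame;
    Window window;
    window.m_frame = &frame;
    return window.focus() && frame.hasFocus;
}

// Scenario 2: a handler detaches the frame mid-call; the re-check makes focus() bail
// out where a version without it would dereference nullptr.
bool focusBailsOutWhenFrameDetached() {
    Frame frame;
    Window window;
    window.m_frame = &frame;
    window.onClearFocus = [&] { window.m_frame = nullptr; };
    return !window.focus() && !frame.hasFocus;
}
```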