Crash in Document::setFocusedNode if the frame of new focused node is detached in...
author: tkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Mar 2013 21:58:37 +0000 (21:58 +0000)
committer: tkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Mar 2013 21:58:37 +0000 (21:58 +0000)
https://bugs.webkit.org/show_bug.cgi?id=112653

Reviewed by Dimitri Glazkov.

Source/WebCore:

Test: fast/frames/detach-frame-during-focus.html

* page/FocusController.cpp:
(WebCore::FocusController::setFocusedNode):
An oldDocument->setFocusedNode call might dispatch a 'change' event for
an old focused node, and event handler code might detach the
newFocusedFrame. So we should check it. Without the check, the following
newDocument->setFocusedNode call would crash because of null
Frame::page().

LayoutTests:

* fast/frames/detach-frame-during-focus-expected.txt: Added.
* fast/frames/detach-frame-during-focus.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@146393 268f45cc-cd09-0410-ab3c-d52691b4dbfc
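The sequence the commit message describes, as an added stand-alone model (this is example code, not WebKit's; Frame, Document, FocusController and Page here are stand-ins that keep only the behaviour the bug depends on): Frame::page() becomes null once a frame is detached, Document::setFocusedNode(nullptr) dispatches 'change' and so runs arbitrary script, and the controller either re-checks the frame after that call (the patched path) or goes straight on to newDocument->setFocusedNode (the pre-patch path). The NullPageDereference exception, the Result enum and runScenario() are assumptions of the model; the real code dereferences the null page and crashes where the model throws.

```cpp
#include <functional>
#include <iostream>
#include <stdexcept>

struct Page;
struct Document;

// Thrown where the pre-patch code dereferenced a null Frame::page();
// the model reports the crash instead of reproducing it (assumed type).
struct NullPageDereference : std::logic_error {
    NullPageDereference() : std::logic_error("null Frame::page()") {}
};

struct Node {};

// Stand-in for WebCore::Frame: page() is null once the frame is detached.
struct Frame {
    explicit Frame(Page* page) : m_page(page) {}
    Page* page() const { return m_page; }
    Document* document() const { return m_document; }
    void setDocument(Document* document) { m_document = document; }
    void detachFromPage() { m_page = nullptr; }
private:
    Page* m_page;
    Document* m_document = nullptr;
};

// Stand-in for WebCore::Document. Clearing focus on a control whose value
// changed dispatches 'change', so setFocusedNode(nullptr) runs script.
struct Document {
    explicit Document(Frame* frame) : m_frame(frame) { frame->setDocument(this); }
    std::function<void()> changeHandler;  // script registered for 'change'

    void setFocusedNode(Node* node) {
        if (!m_frame->page())
            throw NullPageDereference();  // the real code crashes here
        Node* old = m_focusedNode;
        m_focusedNode = node;
        if (old && !node && changeHandler)
            changeHandler();  // arbitrary script: may detach any frame
    }
private:
    Frame* m_frame;
    Node* m_focusedNode = nullptr;
};

struct FocusController {
    Frame* focusedFrame() const { return m_focusedFrame; }
    void setFocusedFrame(Frame* frame) { m_focusedFrame = frame; }

    // guard=false is the pre-patch control flow; guard=true adds the
    // check the patch introduces after oldDocument->setFocusedNode.
    bool setFocusedNode(Node* node, Frame* newFocusedFrame, bool guard) {
        Document* oldDocument = m_focusedFrame ? m_focusedFrame->document() : nullptr;
        Document* newDocument = newFocusedFrame ? newFocusedFrame->document() : nullptr;

        if (oldDocument && oldDocument != newDocument)
            oldDocument->setFocusedNode(nullptr);  // 'change' fires in here

        if (guard && newFocusedFrame && !newFocusedFrame->page()) {
            setFocusedFrame(nullptr);  // frame was detached by the handler
            return false;
        }
        setFocusedFrame(newFocusedFrame);
        if (newDocument)
            newDocument->setFocusedNode(node);  // null page() without the guard
        return true;
    }
private:
    Frame* m_focusedFrame = nullptr;
};

struct Page {
    FocusController focusController;
    void detach(Frame* frame) { frame->detachFromPage(); }
};

enum class Result { Focused, Refused, Crashed };

// Replays the layout test: the outer input is focused and edited, the
// iframe's input asks for focus, and the outer document's 'change'
// listener re-appends the iframe, detaching its frame mid-call.
Result runScenario(bool guard, bool detachInChange) {
    Page page;
    Frame outerFrame(&page), innerFrame(&page);
    Document outer(&outerFrame), inner(&innerFrame);
    Node outerInput, innerInput;

    page.focusController.setFocusedFrame(&outerFrame);
    outer.setFocusedNode(&outerInput);
    outer.changeHandler = [&] { if (detachInChange) page.detach(&innerFrame); };

    try {
        bool ok = page.focusController.setFocusedNode(&innerInput, &innerFrame, guard);
        return ok ? Result::Focused : Result::Refused;
    } catch (const NullPageDereference&) {
        return Result::Crashed;
    }
}

int main() {
    std::cout << "pre-patch, frame detached: " << (runScenario(false, true) == Result::Crashed ? "crash" : "ok") << '\n';
    std::cout << "patched, frame detached:   " << (runScenario(true, true) == Result::Refused ? "refused" : "ok") << '\n';
    std::cout << "patched, frame attached:   " << (runScenario(true, false) == Result::Focused ? "focused" : "?") << '\n';
    return 0;
}
```

The point the model makes is the general one behind this class of browser crash: any call that can dispatch a DOM event hands control to page script, so every pointer computed before that call (here newFocusedFrame and its page) has to be re-validated after it rather than assumed still live.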

LayoutTests/ChangeLog
LayoutTests/fast/frames/detach-frame-during-focus-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/detach-frame-during-focus.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/FocusController.cpp

index 1dea92c..df7a325 100644 (file)
@@ -1,3 +1,13 @@
+2013-03-20  Kent Tamura  <tkent@chromium.org>
+
+        Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler
+        https://bugs.webkit.org/show_bug.cgi?id=112653
+
+        Reviewed by Dimitri Glazkov.
+
+        * fast/frames/detach-frame-during-focus-expected.txt: Added.
+        * fast/frames/detach-frame-during-focus.html: Added.
+
 2013-03-20  Eric Carlson  <eric.carlson@apple.com>
 
         Allow ports specific text track menu
diff --git a/LayoutTests/fast/frames/detach-frame-during-focus-expected.txt b/LayoutTests/fast/frames/detach-frame-during-focus-expected.txt
new file mode 100644 (file)
index 0000000..aa44e7c
--- /dev/null
@@ -0,0 +1,2 @@
+
+PASS
diff --git a/LayoutTests/fast/frames/detach-frame-during-focus.html b/LayoutTests/fast/frames/detach-frame-during-focus.html
new file mode 100644 (file)
index 0000000..9fafa29
--- /dev/null
@@ -0,0 +1,22 @@
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+
+addEventListener('change', function(e) {
+    document.body.appendChild(document.getElementById('frame1'));
+}, false);
+
+function handleFocus() {
+    outerInput.focus();
+    document.execCommand('inserttext', false, 'abc');
+    frame1.innerInput.focus();
+    document.body.appendChild(document.createTextNode('PASS'));
+    testRunner.notifyDone();
+}
+</script>
+<div>
+ <input value="foo" id="outerInput"></input>
+ <iframe frameborder="0" id="frame1" height="100" width="540" srcdoc="&lt;input autofocus id='innerInput' onfocus='parent.handleFocus()'>"></iframe>
+</div>
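Review bot: testRunner.notifyDone() at the end of handleFocus() is called unconditionally while the setup at the top is guarded by `if (window.testRunner)`, so loading the test in a browser without the harness throws a ReferenceError right after the PASS text node is appended; guard it the same way, e.g. `if (window.testRunner) testRunner.notifyDone();`. Minor markup point in the same hunk: `<input value="foo" id="outerInput"></input>` closes a void element; drop the `</input>`.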
index 9dd4f99..0741f70 100644 (file)
@@ -1,3 +1,20 @@
+2013-03-20  Kent Tamura  <tkent@chromium.org>
+
+        Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler
+        https://bugs.webkit.org/show_bug.cgi?id=112653
+
+        Reviewed by Dimitri Glazkov.
+
+        Test: fast/frames/detach-frame-during-focus.html
+
+        * page/FocusController.cpp:
+        (WebCore::FocusController::setFocusedNode):
+        A oldDocument->setFocusedNode call might dispatch a 'change' event for
+        an old focused node, and an event handler code might detach the
+        newFocusedFrame. So we should check it. Without the check, the following
+        newDocument->setFocusedNode call would crash because of null
+        Frame::page().
+
 2013-03-20  Ryosuke Niwa  <rniwa@webkit.org>
 
         Assertion in LegacyWebArchive::create() in editing tests
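Review bot: grammar in the new ChangeLog entry: "A oldDocument->setFocusedNode call" should read "An oldDocument->setFocusedNode call", and "an event handler code might detach" should read "event handler code might detach".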
index 1355bb7..bfd0359 100644 (file)
@@ -611,7 +611,11 @@ bool FocusController::setFocusedNode(Node* node, PassRefPtr<Frame> newFocusedFra
     
     if (oldDocument && oldDocument != newDocument)
         oldDocument->setFocusedNode(0);
-    
+
+    if (newFocusedFrame && !newFocusedFrame->page()) {
+        setFocusedFrame(0);
+        return false;
+    }
     setFocusedFrame(newFocusedFrame);
 
     // Setting the focused node can result in losing our last reft to node when JS event handlers fire.
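Review bot: the new `if (newFocusedFrame && !newFocusedFrame->page())` check carries no comment, so the only explanation of why page() can be null immediately after `oldDocument->setFocusedNode(0)` lives in the ChangeLog; add a one-line comment at the check saying that the call above may dispatch 'change' and the handler may detach newFocusedFrame. Two follow-ups for the same hunk: the function now returns false with the focused frame cleared, so callers that ignore the return value silently lose focus instead of moving it, which should be confirmed against them; and the handler that runs inside `oldDocument->setFocusedNode(0)` can just as well remove `node` from its tree, yet only the frame is re-checked before `newDocument->setFocusedNode(node)` (the comment below covers handlers that fire during that later call, not the one that fires here).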