Crash in Document::setFocusedElement
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Sep 2013 03:34:56 +0000 (03:34 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Sep 2013 03:34:56 +0000 (03:34 +0000)
https://bugs.webkit.org/show_bug.cgi?id=121888

Reviewed by Andreas Kling.

Source/WebCore:

Merge https://chromium.googlesource.com/chromium/blink/+/4a594a3de7d9761462b55fb27a6850d767419af2

The crash was caused by attempting to call Chrome:focusedNodeChanged() after m_page had already
been cleared. This could happen when blur's event handler removes the iframe from which
the focus had been moved. Fixed the bug by adding a null pointer check.

Test: fast/events/blur-remove-parent-crash.html

* dom/Document.cpp:
(WebCore::Document::setFocusedElement):

LayoutTests:

* fast/events/blur-remove-parent-crash-expected.txt: Added.
* fast/events/blur-remove-parent-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@156382 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/events/blur-remove-parent-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/blur-remove-parent-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp

index d40a72b1870494317b6dd99f55b1dc815a60896d..605259c72da7dd2b08a13622c8e1eb7b425c74bd 100644 (file)
@@ -1,3 +1,13 @@
+2013-09-24  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in Document::setFocusedElement
+        https://bugs.webkit.org/show_bug.cgi?id=121888
+
+        Reviewed by Andreas Kling.
+
+        * fast/events/blur-remove-parent-crash-expected.txt: Added.
+        * fast/events/blur-remove-parent-crash.html: Added.
+
 2013-09-24  Mark Hahnenberg  <mhahnenberg@apple.com>
 
         op_get_callee shouldn't use value profiling
diff --git a/LayoutTests/fast/events/blur-remove-parent-crash-expected.txt b/LayoutTests/fast/events/blur-remove-parent-crash-expected.txt
new file mode 100644 (file)
index 0000000..7530a61
--- /dev/null
@@ -0,0 +1,3 @@
+This tests removing an iframe while it is being focused. WebKit should not crash.
+
+PASS
diff --git a/LayoutTests/fast/events/blur-remove-parent-crash.html b/LayoutTests/fast/events/blur-remove-parent-crash.html
new file mode 100644 (file)
index 0000000..3e49e00
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests removing an iframe while it is being focused. WebKit should not crash.</p>
+<iframe></iframe>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var iframe = document.querySelector('iframe');
+var doc = iframe.contentDocument;
+var input = doc.createElement('input');
+input.value = 'foo';
+doc.body.appendChild(input);
+input.addEventListener('blur', function() { iframe.remove(); });
+input.focus();
+iframe.focus();
+
+document.write('PASS');
+
+</script>
+</body>
+</html>
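Review bot: the two consecutive calls `input.focus(); iframe.focus();` at the end of the script are the whole point of the test but nothing in the file says why both are needed. Focusing the iframe element moves focus out of the inner document, which fires `blur` on the input, and the handler's `iframe.remove()` detaches the frame while the inner document is still in the middle of its focus change. A one-line comment above `input.focus()` stating that chain would stop a later cleanup from "simplifying" the test into something that no longer reproduces the crash. Also worth noting in the `<p>` text that `document.write('PASS')` only reports that the script ran to completion without crashing; it makes no assertion about where focus ends up, which is fine for a crash regression test but should be stated so nobody reads PASS as a focus-correctness check.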
index 18445cedd46c4053db4676e8e11aeddc8c253e3d..17002424be2ced4317400c84ba02dd520ed15942 100644 (file)
@@ -1,3 +1,21 @@
+2013-09-24  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in Document::setFocusedElement
+        https://bugs.webkit.org/show_bug.cgi?id=121888
+
+        Reviewed by Andreas Kling.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/4a594a3de7d9761462b55fb27a6850d767419af2
+
+        The crash was caused by attempting to call Chrome:focusedNodeChanged() after m_page had already
+        been cleared. This could happen when blur's event handler removes the iframe from which
+        the focus had been moved. Fixed the bug by adding a null pointer check.
+
+        Test: fast/events/blur-remove-parent-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setFocusedElement):
+
 2013-09-24  Antti Koivisto  <antti@apple.com>
 
         Remove HTMLContentElement
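Review bot: the description line `Chrome:focusedNodeChanged()` does not match the call the code change actually guards. The Document.cpp hunk in this same commit protects `page()->chrome().focusedElementChanged(m_focusedElement.get())`, so the entry should read `Chrome::focusedElementChanged()` (two colons, and the WebKit method name rather than the name from the merged Blink change) so that the ChangeLog can be grepped against the source.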
index 07ce9d48cd7d52342d09b501c4e856bd662ba5f5..149d89ac64777d6e125075be55b322a52cbe016b 100644 (file)
@@ -3429,7 +3429,7 @@ bool Document::setFocusedElement(PassRefPtr<Element> prpNewFocusedElement, Focus
             cache->handleFocusedUIElementChanged(oldFocusedElement.get(), newFocusedElement.get());
     }
 
-    if (!focusChangeBlocked)
+    if (!focusChangeBlocked && page())
         page()->chrome().focusedElementChanged(m_focusedElement.get());
 
 SetFocusedNodeDone:
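Review bot: the added `&& page()` null check is the correct minimal fix for the case where the blur handler removed the frame, but the reason `page()` can be null at this point is not visible from the surrounding code; a short comment such as "a blur event handler may have detached this document's frame" on the `if` line would save the next reader a trip to bug 121888. Binding the pointer once, e.g. `if (Page* page = this->page())` when `!focusChangeBlocked`, would also avoid calling `page()` twice across the condition and the following line and make explicit which pointer is being guarded. Finally, the accessibility call `cache->handleFocusedUIElementChanged(oldFocusedElement.get(), newFocusedElement.get())` a few lines above sits after the same event dispatch; it is outside this hunk so the diff cannot show whether it is reachable with a detached frame, but it is worth confirming it does not need the same guard.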