23858 2009-02-09 17:31:06 -0800 Crash when removing a HTMLSelectElement from the document from inside its focus event handler 2009-05-18 16:40:04 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://jimeh.info/webkit-bomb HasReduction, InRadar P1 Normal --- 1 mrowe mrowe tikbew oldest_to_newest 109061 0 mrowe 2009-02-09 17:31:06 -0800 <select id="bomb" onfocus="this.parentNode.removeChild(this)"> <option>Click me to crash WebKit/Safari/Chrome.</option> </select><br /> This crashes because HTMLSelectElement::menuListDefaultEventHandler retrieves its renderer into a local variable, calls focus() which calls into JS to call the focus event handler, and then uses the renderer. The event handler can cause the renderer to be destroyed. <rdar://problem/6570513> 109063 1 27506 mrowe 2009-02-09 17:36:12 -0800 Created attachment 27506 Patch 109074 2 27506 darin 2009-02-09 18:02:52 -0800 Comment on attachment 27506 Patch r=me 109081 3 mrowe 2009-02-09 19:15:01 -0800 Fixed with r40804. Sam talked me into adding a layout test too. 121835 4 30454 tikbew 2009-05-18 16:39:20 -0700 Created attachment 30454 testcase 27506 2009-02-09 17:36:12 -0800 2009-02-09 18:02:52 -0800 Patch 0001-Bug-23858-Crash-when-removing-a-HTMLSelectElement-f.patch text/plain 4602 mrowe RnJvbSA4YzY4MWE4YjlhZGZkZjY2ZDIzNzRkYmNjM2U1ZDQzOGM3MTg0OTNmIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBNYXJrIFJvd2UgPG1yb3dlQGFwcGxlLmNvbT4KRGF0ZTogTW9u LCA5IEZlYiAyMDA5IDE3OjM1OjE1IC0wODAwClN1YmplY3Q6IFtQQVRDSF0gQnVnIDIzODU4OiBD cmFzaCB3aGVuIHJlbW92aW5nIGEgSFRNTFNlbGVjdEVsZW1lbnQgZnJvbSB0aGUgZG9jdW1lbnQg ZnJvbSBpbnNpZGUgaXRzIGZvY3VzIGV2ZW50IGhhbmRsZXIKIEZpeCA8aHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIzODU4PgoKKiBodG1sL0hUTUxTZWxlY3RFbGVtZW50 LmNwcDoKKFdlYkNvcmU6OkhUTUxTZWxlY3RFbGVtZW50OjptZW51TGlzdERlZmF1bHRFdmVudEhh bmRsZXIpOiBEb24ndCBzdG9yZSB0aGUgcmVuZGVyZXIgaW4gYSBsb2NhbCB2YXJpYWJsZQphcyBp dCBjYW4gYmUgaW52YWxpZGF0ZWQgYnkgYW55IG9mIHRoZSBjYWxscyB0byBmb2N1cygpIHdpdGhp biB0aGUgZnVuY3Rpb24uICBJbnN0ZWFkLCByZXRyaWV2ZSBpdCBhbmQKbnVsbC1jaGVjayBpdCB3 aGVuIGl0IGlzIG5lZWRlZC4KLS0tCiBXZWJDb3JlL0NoYW5nZUxvZyAgICAgICAgICAgICAgICAg IHwgICAxMiArKysrKysrKysrKysKIFdlYkNvcmUvaHRtbC9IVE1MU2VsZWN0RWxlbWVudC5jcHAg fCAgIDI0ICsrKysrKysrKysrKystLS0tLS0tLS0tLQogMiBmaWxlcyBjaGFuZ2VkLCAyNSBpbnNl cnRpb25zKCspLCAxMSBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9XZWJDb3JlL0NoYW5nZUxv ZyBiL1dlYkNvcmUvQ2hhbmdlTG9nCmluZGV4IDJhNjQ2NDkuLjFiZjU1ZDQgMTAwNjQ0Ci0tLSBh L1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUg QEAKKzIwMDktMDItMDkgIE1hcmsgUm93ZSAgPG1yb3dlQGFwcGxlLmNvbT4KKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBGaXggPGh0dHBzOi8vYnVncy53 ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzg1OD4KKyAgICAgICAgQnVnIDIzODU4OiBDcmFz aCB3aGVuIHJlbW92aW5nIGEgSFRNTFNlbGVjdEVsZW1lbnQgZnJvbSB0aGUgZG9jdW1lbnQgZnJv bSBpbnNpZGUgaXRzIGZvY3VzIGV2ZW50IGhhbmRsZXIKKworICAgICAgICAqIGh0bWwvSFRNTFNl bGVjdEVsZW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6SFRNTFNlbGVjdEVsZW1lbnQ6Om1l bnVMaXN0RGVmYXVsdEV2ZW50SGFuZGxlcik6IERvbid0IHN0b3JlIHRoZSByZW5kZXJlciBpbiBh IGxvY2FsIHZhcmlhYmxlCisgICAgICAgIGFzIGl0IGNhbiBiZSBpbnZhbGlkYXRlZCBieSBhbnkg b2YgdGhlIGNhbGxzIHRvIGZvY3VzKCkgd2l0aGluIHRoZSBmdW5jdGlvbi4gIEluc3RlYWQsIHJl dHJpZXZlIGl0IGFuZAorICAgICAgICBudWxsLWNoZWNrIGl0IHdoZW4gaXQgaXMgbmVlZGVkLgor CiAyMDA5LTAyLTA2ICBEYXJpbiBGaXNoZXIgIDxkYXJpbkBjaHJvbWl1bS5vcmc+CiAKICAgICAg ICAgUmV2aWV3ZWQgYnkgRXJpYyBTZWlkZWwuCmRpZmYgLS1naXQgYS9XZWJDb3JlL2h0bWwvSFRN TFNlbGVjdEVsZW1lbnQuY3BwIGIvV2ViQ29yZS9odG1sL0hUTUxTZWxlY3RFbGVtZW50LmNwcApp bmRleCA4ZTBlMmM3Li5mZDM0YTRiIDEwMDY0NAotLS0gYS9XZWJDb3JlL2h0bWwvSFRNTFNlbGVj dEVsZW1lbnQuY3BwCisrKyBiL1dlYkNvcmUvaHRtbC9IVE1MU2VsZWN0RWxlbWVudC5jcHAKQEAg LTYxNyw4ICs2MTcsNiBAQCB2b2lkIEhUTUxTZWxlY3RFbGVtZW50OjpkZWZhdWx0RXZlbnRIYW5k bGVyKEV2ZW50KiBldnQpCiAKIHZvaWQgSFRNTFNlbGVjdEVsZW1lbnQ6Om1lbnVMaXN0RGVmYXVs dEV2ZW50SGFuZGxlcihFdmVudCogZXZ0KQogewotICAgIFJlbmRlck1lbnVMaXN0KiBtZW51TGlz dCA9IHN0YXRpY19jYXN0PFJlbmRlck1lbnVMaXN0Kj4ocmVuZGVyZXIoKSk7Ci0KICAgICBpZiAo ZXZ0LT50eXBlKCkgPT0gZXZlbnROYW1lcygpLmtleWRvd25FdmVudCkgewogICAgICAgICBpZiAo IXJlbmRlcmVyKCkgfHwgIWV2dC0+aXNLZXlib2FyZEV2ZW50KCkpCiAgICAgICAgICAgICByZXR1 cm47CkBAIC02MzAsNyArNjI4LDggQEAgdm9pZCBIVE1MU2VsZWN0RWxlbWVudDo6bWVudUxpc3RE ZWZhdWx0RXZlbnRIYW5kbGVyKEV2ZW50KiBldnQpCiAgICAgICAgICAgICAvLyBTYXZlIHRoZSBz ZWxlY3Rpb24gc28gaXQgY2FuIGJlIGNvbXBhcmVkIHRvIHRoZSBuZXcgc2VsZWN0aW9uIHdoZW4g d2UgY2FsbCBvbkNoYW5nZSBkdXJpbmcgc2V0U2VsZWN0ZWRJbmRleCwKICAgICAgICAgICAgIC8v IHdoaWNoIGdldHMgY2FsbGVkIGZyb20gUmVuZGVyTWVudUxpc3Q6OnZhbHVlQ2hhbmdlZCwgd2hp Y2ggZ2V0cyBjYWxsZWQgYWZ0ZXIgdGhlIHVzZXIgbWFrZXMgYSBzZWxlY3Rpb24gZnJvbSB0aGUg bWVudS4KICAgICAgICAgICAgIHNhdmVMYXN0U2VsZWN0aW9uKCk7Ci0gICAgICAgICAgICBtZW51 TGlzdC0+c2hvd1BvcHVwKCk7CisgICAgICAgICAgICBpZiAoUmVuZGVyTWVudUxpc3QqIG1lbnVM aXN0ID0gc3RhdGljX2Nhc3Q8UmVuZGVyTWVudUxpc3QqPihyZW5kZXJlcigpKSkKKyAgICAgICAg ICAgICAgICBtZW51TGlzdC0+c2hvd1BvcHVwKCk7CiAgICAgICAgICAgICBoYW5kbGVkID0gdHJ1 ZTsKICAgICAgICAgfQogI2Vsc2UKQEAgLTY3Miw3ICs2NzEsOCBAQCB2b2lkIEhUTUxTZWxlY3RF bGVtZW50OjptZW51TGlzdERlZmF1bHRFdmVudEhhbmRsZXIoRXZlbnQqIGV2dCkKICAgICAgICAg ICAgIC8vIFNhdmUgdGhlIHNlbGVjdGlvbiBzbyBpdCBjYW4gYmUgY29tcGFyZWQgdG8gdGhlIG5l dyBzZWxlY3Rpb24gd2hlbiB3ZSBjYWxsIG9uQ2hhbmdlIGR1cmluZyBzZXRTZWxlY3RlZEluZGV4 LAogICAgICAgICAgICAgLy8gd2hpY2ggZ2V0cyBjYWxsZWQgZnJvbSBSZW5kZXJNZW51TGlzdDo6 dmFsdWVDaGFuZ2VkLCB3aGljaCBnZXRzIGNhbGxlZCBhZnRlciB0aGUgdXNlciBtYWtlcyBhIHNl bGVjdGlvbiBmcm9tIHRoZSBtZW51LgogICAgICAgICAgICAgc2F2ZUxhc3RTZWxlY3Rpb24oKTsK LSAgICAgICAgICAgIG1lbnVMaXN0LT5zaG93UG9wdXAoKTsKKyAgICAgICAgICAgIGlmIChSZW5k ZXJNZW51TGlzdCogbWVudUxpc3QgPSBzdGF0aWNfY2FzdDxSZW5kZXJNZW51TGlzdCo+KHJlbmRl cmVyKCkpKQorICAgICAgICAgICAgICAgIG1lbnVMaXN0LT5zaG93UG9wdXAoKTsKICAgICAgICAg ICAgIGhhbmRsZWQgPSB0cnVlOwogICAgICAgICB9CiAgICAgICAgIGlmIChrZXlDb2RlID09ICdc cicpIHsKQEAgLTY5NSwxMyArNjk1LDE1IEBAIHZvaWQgSFRNTFNlbGVjdEVsZW1lbnQ6Om1lbnVM aXN0RGVmYXVsdEV2ZW50SGFuZGxlcihFdmVudCogZXZ0KQogCiAgICAgaWYgKGV2dC0+dHlwZSgp ID09IGV2ZW50TmFtZXMoKS5tb3VzZWRvd25FdmVudCAmJiBldnQtPmlzTW91c2VFdmVudCgpICYm IHN0YXRpY19jYXN0PE1vdXNlRXZlbnQqPihldnQpLT5idXR0b24oKSA9PSBMZWZ0QnV0dG9uKSB7 CiAgICAgICAgIGZvY3VzKCk7Ci0gICAgICAgIGlmIChtZW51TGlzdC0+cG9wdXBJc1Zpc2libGUo KSkKLSAgICAgICAgICAgIG1lbnVMaXN0LT5oaWRlUG9wdXAoKTsKLSAgICAgICAgZWxzZSB7Ci0g ICAgICAgICAgICAvLyBTYXZlIHRoZSBzZWxlY3Rpb24gc28gaXQgY2FuIGJlIGNvbXBhcmVkIHRv IHRoZSBuZXcgc2VsZWN0aW9uIHdoZW4gd2UgY2FsbCBvbkNoYW5nZSBkdXJpbmcgc2V0U2VsZWN0 ZWRJbmRleCwKLSAgICAgICAgICAgIC8vIHdoaWNoIGdldHMgY2FsbGVkIGZyb20gUmVuZGVyTWVu dUxpc3Q6OnZhbHVlQ2hhbmdlZCwgd2hpY2ggZ2V0cyBjYWxsZWQgYWZ0ZXIgdGhlIHVzZXIgbWFr ZXMgYSBzZWxlY3Rpb24gZnJvbSB0aGUgbWVudS4KLSAgICAgICAgICAgIHNhdmVMYXN0U2VsZWN0 aW9uKCk7Ci0gICAgICAgICAgICBtZW51TGlzdC0+c2hvd1BvcHVwKCk7CisgICAgICAgIGlmIChS ZW5kZXJNZW51TGlzdCogbWVudUxpc3QgPSBzdGF0aWNfY2FzdDxSZW5kZXJNZW51TGlzdCo+KHJl bmRlcmVyKCkpKSB7CisgICAgICAgICAgICBpZiAobWVudUxpc3QtPnBvcHVwSXNWaXNpYmxlKCkp CisgICAgICAgICAgICAgICAgbWVudUxpc3QtPmhpZGVQb3B1cCgpOworICAgICAgICAgICAgZWxz ZSB7CisgICAgICAgICAgICAgICAgLy8gU2F2ZSB0aGUgc2VsZWN0aW9uIHNvIGl0IGNhbiBiZSBj b21wYXJlZCB0byB0aGUgbmV3IHNlbGVjdGlvbiB3aGVuIHdlIGNhbGwgb25DaGFuZ2UgZHVyaW5n IHNldFNlbGVjdGVkSW5kZXgsCisgICAgICAgICAgICAgICAgLy8gd2hpY2ggZ2V0cyBjYWxsZWQg ZnJvbSBSZW5kZXJNZW51TGlzdDo6dmFsdWVDaGFuZ2VkLCB3aGljaCBnZXRzIGNhbGxlZCBhZnRl ciB0aGUgdXNlciBtYWtlcyBhIHNlbGVjdGlvbiBmcm9tIHRoZSBtZW51LgorICAgICAgICAgICAg ICAgIHNhdmVMYXN0U2VsZWN0aW9uKCk7CisgICAgICAgICAgICAgICAgbWVudUxpc3QtPnNob3dQ b3B1cCgpOworICAgICAgICAgICAgfQogICAgICAgICB9CiAgICAgICAgIGV2dC0+c2V0RGVmYXVs dEhhbmRsZWQoKTsKICAgICB9Ci0tIAoxLjYuMS4yLjMxOS5nYmQ5ZQoK 30454 2009-05-18 16:39:20 -0700 2009-05-18 16:39:20 -0700 testcase opr01XZN text/html 812 tikbew PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEvL0VOIj4KPGh0bWw+ PGhlYWQ+Cgk8dGl0bGU+b3BlbmVkIFNFTEVDVCBlbGVtZW50cyBhbmQgcmVkcmF3PC90aXRsZT4K CjwvaGVhZD4KPGJvZHk+CgoJPHA+RkFJTEVEIChUaGlzIFRDIHJlcXVpcmVzIEphdmFTY3JpcHQg ZW5hYmxlZCk8L3A+Cgk8Zm9ybSBhY3Rpb249IiIgbmFtZT0iZm9ybTEiPgoJCQoJCTxzZWxlY3Qg b25mb2N1cz0idGhpcy5mb3JtLnN0eWxlLmRpc3BsYXk9J25vbmUnOyI+CgkJCTxvcHRpb24+VGhp cyBpcyBhIGZpbGxlciBvcHRpb248L29wdGlvbj4KCQkJPG9wdGlvbj5UaGlzIGlzIGEgZmlsbGVy IG9wdGlvbjwvb3B0aW9uPgoJCQk8b3B0aW9uPlRoaXMgaXMgYSBmaWxsZXIgb3B0aW9uPC9vcHRp b24+CgkJCTxvcHRpb24+VGhpcyBpcyBhIGZpbGxlciBvcHRpb248L29wdGlvbj4KCQkJPG9wdGlv bj5UaGlzIGlzIGEgZmlsbGVyIG9wdGlvbjwvb3B0aW9uPgoJCTwvc2VsZWN0PgoJCQoJPC9mb3Jt PgoKCTxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KCQoJZnVuY3Rpb24gdGVzdCgpewoJ CXZhciBsb2c9ZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ3AnKVswXS5maXJzdENoaWxk OwoJCWxvZy5kYXRhPSdUcnkgdG8gbWFrZSBhIHNlbGVjdGlvbiBiZWxvdyB3aXRoIGEgbW91c2Ug LSB0aGUgc2VsZWN0IHNob3VsZCBkaXNhcHBlYXIsIGluY2x1ZGluZyB0aGUgZHJvcC1kb3duIGxp c3Qgb2Ygb3B0aW9uczonOwoJCQoJfQoJd2luZG93Lm9ubG9hZD10ZXN0OwoJPC9zY3JpcHQ+Cgo8 L2JvZHk+PC9odG1sPgo=