76656 2012-01-19 12:44:21 -0800 NULL deref on Webkit at bool Document::setFocusedNode(PassRefPtr<Node> prpNewFocusedNode) 2019-02-06 09:04:00 -0800 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) All All RESOLVED FIXED P1 Normal --- 1 fjserna hayato ap cdumez dglazkov hayato webkit.review.bot oldest_to_newest 538943 0 fjserna 2012-01-19 12:44:21 -0800 Originally I filled this on Chromium (http://code.google.com/p/chromium/issues/detail?id=110464) but it is a WebKit issue. NULL deref on Webkit at bool Document::setFocusedNode(PassRefPtr<Node> prpNewFocusedNode) Root cause is here: Problem is the second dispatch without checking m_focusedNode == NULL 3435 m_focusedNode->dispatchFocusInEvent(eventNames().focusinEvent, oldFocusedNode); // DOM level 3 bubbling focus event. 3436 // FIXME: We should remove firing DOMFocusInEvent event when we are sure no content depends 3437 // on it, probably when <rdar://problem/8503958> is m. 3438 m_focusedNode->dispatchFocusInEvent(eventNames().DOMFocusInEvent, oldFocusedNode); // DOM level 2 for compatibility. Proof of concept: <html> <head> <title></title> <script language="JavaScript"> function run() { document.getElementById("h6_00").addEventListener('focusin', function () { try { this.parentNode.removeChild(this); } catch(e) {} } , false); document.getElementById("h6_00").focus(); } </script> </head> <body onload="javascript: run();"> <h1 tabindex="0" id="h6_00" ></h1> </body> </html> 539334 1 hayato 2012-01-20 00:48:36 -0800 Confirmed. I can reproduce it. It'd be great that we have a spec which tells us what should be done in this case. Let me investigate. 539388 2 123281 hayato 2012-01-20 03:33:44 -0800 Created attachment 123281 fix crash 539390 3 hayato 2012-01-20 03:36:07 -0800 Although I couldn't find any backing spec yet, it might be better to fix this by using similar check login in the local context than leaving crash. 539392 4 hayato 2012-01-20 03:36:53 -0800 typo: check login -> check logic. (In reply to comment #3) > Although I couldn't find any backing spec yet, it might be better to fix this by using similar check login in the local context than leaving crash. 540609 5 123281 dglazkov 2012-01-23 09:34:20 -0800 Comment on attachment 123281 fix crash ok. The whole function looks ugly, but it's not your fault. 541015 6 123281 webkit.review.bot 2012-01-23 17:21:57 -0800 Comment on attachment 123281 fix crash Clearing flags on attachment: 123281 Committed r105665: <http://trac.webkit.org/changeset/105665> 541016 7 webkit.review.bot 2012-01-23 17:22:02 -0800 All reviewed patches have been landed. Closing bug. 1503081 8 lforschler 2019-02-06 09:04:00 -0800 Mass moving XML DOM bugs to the "DOM" Component. 123281 2012-01-20 03:33:44 -0800 2012-01-23 17:21:57 -0800 fix crash bug-76656-20120120203342.patch text/plain 3895 hayato U3VidmVyc2lvbiBSZXZpc2lvbjogMTA1NDgyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZGE3Y2E3ZTNjNTViMjIy Nzk2NTdmYzNiYTI1MTY1ZmJkZDVkM2U5MC4uOWI0MzcxNDk0NDRhNDFlNWExOWNjOThiOGIwZGE5 N2U1YzBmZmM1MyAxMDA3NTUKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDEyLTAxLTIwICBIYXlh dG8gSXRvICA8aGF5YXRvQGNocm9taXVtLm9yZz4KKworICAgICAgICBGaXggY3Jhc2ggd2hlbiBh IGZvY3VzZWQgbm9kZSBpcyByZW1vdmVkIHdoaWxlIGluIHByb2Nlc3NpbmcgZm9jdXNpbiBldmVu dC4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTc2NjU2 CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGVzdDog ZmFzdC9ldmVudHMvZm9jdXMtcmVtb3ZlLWZvY3Vlc2VkLW5vZGUuaHRtbAorCisgICAgICAgICog ZG9tL0RvY3VtZW50LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkRvY3VtZW50OjpzZXRGb2N1c2Vk Tm9kZSk6CisKIDIwMTItMDEtMTggIFNhbSBXZWluaWcgIDxzYW1Ad2Via2l0Lm9yZz4KIAogICAg ICAgICBNb3ZlIFJ1bkxvb3AgdG8gV2ViQ29yZS9wbGF0Zm9ybQpkaWZmIC0tZ2l0IGEvU291cmNl L1dlYkNvcmUvZG9tL0RvY3VtZW50LmNwcCBiL1NvdXJjZS9XZWJDb3JlL2RvbS9Eb2N1bWVudC5j cHAKaW5kZXggYzU5NmJkZDVjYzdiYzRiZDJhOGViZDg2OGJjYjkzNzg2ZDhkNzQ1NS4uM2FiYjNh ZGE5YmNiNTFmMDFmMDI0NzVhODE5MTY3M2JkZWE4YTFhMSAxMDA2NDQKLS0tIGEvU291cmNlL1dl YkNvcmUvZG9tL0RvY3VtZW50LmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9kb20vRG9jdW1lbnQu Y3BwCkBAIC0zNDQ0LDYgKzM0NDQsMTMgQEAgYm9vbCBEb2N1bWVudDo6c2V0Rm9jdXNlZE5vZGUo UGFzc1JlZlB0cjxOb2RlPiBwcnBOZXdGb2N1c2VkTm9kZSkKICAgICAgICAgfQogCiAgICAgICAg IG1fZm9jdXNlZE5vZGUtPmRpc3BhdGNoRm9jdXNJbkV2ZW50KGV2ZW50TmFtZXMoKS5mb2N1c2lu RXZlbnQsIG9sZEZvY3VzZWROb2RlKTsgLy8gRE9NIGxldmVsIDMgYnViYmxpbmcgZm9jdXMgZXZl bnQuCisKKyAgICAgICAgaWYgKG1fZm9jdXNlZE5vZGUgIT0gbmV3Rm9jdXNlZE5vZGUpIHsKKyAg ICAgICAgICAgIC8vIGhhbmRsZXIgc2hpZnRlZCBmb2N1cworICAgICAgICAgICAgZm9jdXNDaGFu Z2VCbG9ja2VkID0gdHJ1ZTsKKyAgICAgICAgICAgIGdvdG8gU2V0Rm9jdXNlZE5vZGVEb25lOwor ICAgICAgICB9CisKICAgICAgICAgLy8gRklYTUU6IFdlIHNob3VsZCByZW1vdmUgZmlyaW5nIERP TUZvY3VzSW5FdmVudCBldmVudCB3aGVuIHdlIGFyZSBzdXJlIG5vIGNvbnRlbnQgZGVwZW5kcwog ICAgICAgICAvLyBvbiBpdCwgcHJvYmFibHkgd2hlbiA8cmRhcjovL3Byb2JsZW0vODUwMzk1OD4g aXMgbS4KICAgICAgICAgbV9mb2N1c2VkTm9kZS0+ZGlzcGF0Y2hGb2N1c0luRXZlbnQoZXZlbnRO YW1lcygpLkRPTUZvY3VzSW5FdmVudCwgb2xkRm9jdXNlZE5vZGUpOyAvLyBET00gbGV2ZWwgMiBm b3IgY29tcGF0aWJpbGl0eS4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xh eW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCA5ZTVlMTBhZGI5NjBmOTc5MTdlZTJhYTk3ZTA1ZTQ3 YWViYmUyM2RlLi5iNDdmODJmYWEzYzkyMzg5ODk0YmFjMjM0ZGRhY2NkNWI4ZGZmZGJlIDEwMDY0 NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9n CkBAIC0xLDMgKzEsMTMgQEAKKzIwMTItMDEtMjAgIEhheWF0byBJdG8gIDxoYXlhdG9AY2hyb21p dW0ub3JnPgorCisgICAgICAgIEZpeCBjcmFzaCB3aGVuIGEgZm9jdXNlZCBub2RlIGlzIHJlbW92 ZWQgd2hpbGUgaW4gcHJvY2Vzc2luZyBmb2N1c2luIGV2ZW50LgorICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NzY2NTYKKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGZhc3QvZXZlbnRzL2ZvY3VzLXJlbW92ZS1m b2N1ZXNlZC1ub2RlLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFzdC9ldmVudHMv Zm9jdXMtcmVtb3ZlLWZvY3Vlc2VkLW5vZGUuaHRtbDogQWRkZWQuCisKIDIwMTItMDEtMTkgIFJv bGFuZCBTdGVpbmVyICA8cm9sYW5kc3RlaW5lckBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgVW5y ZXZpZXdlZDogYWRkIGxheW91dCB0ZXN0IHRvIENocm9taXVtIHRlc3RfZXhwZWN0YXRpb25zLnR4 dCBmaWxlIGFmdGVyIGNoYW5nZXMgdG8gTWFjIHVuZGVybGluZSBkcmF3aW5nLgpkaWZmIC0tZ2l0 IGEvTGF5b3V0VGVzdHMvZmFzdC9ldmVudHMvZm9jdXMtcmVtb3ZlLWZvY3Vlc2VkLW5vZGUtZXhw ZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvZmFzdC9ldmVudHMvZm9jdXMtcmVtb3ZlLWZvY3Vlc2Vk LW5vZGUtZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjQ1MmFiNGI4NmRkNmQxYTBkYjE1OGEyNTQy YTFlODA0OTk2ODI0MzQKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0L2V2ZW50 cy9mb2N1cy1yZW1vdmUtZm9jdWVzZWQtbm9kZS1leHBlY3RlZC50eHQKQEAgLTAsMCArMSwzIEBA CitUZXN0IGZvciBtYWtpbmcgc3VyZSB0aGF0IGEgY3Jhc2ggZG9lcyBub3QgaGFwcGVuIHdoZW4g YSBmb2N1c2VkIG5vZGUgaXMgcmVtb3ZlZCBpbiBwcm9jZXNzaW5nIGZvY3VzaW4gZXZlbnRMaXN0 bmVyLgorCisKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvZXZlbnRzL2ZvY3VzLXJlbW92 ZS1mb2N1ZXNlZC1ub2RlLmh0bWwgYi9MYXlvdXRUZXN0cy9mYXN0L2V2ZW50cy9mb2N1cy1yZW1v dmUtZm9jdWVzZWQtbm9kZS5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjZkZDE3NmFhMWQ3NmI3ODNkNjUzNzZh NzEzZWIzNTZjMTEzYzA0OWQKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0L2V2 ZW50cy9mb2N1cy1yZW1vdmUtZm9jdWVzZWQtbm9kZS5odG1sCkBAIC0wLDAgKzEsMjUgQEAKKzwh RE9DVFlQRSBodG1sPgorPGh0bWw+Cis8aGVhZD4KKzxzY3JpcHQ+CitmdW5jdGlvbiBmb2N1c2lu TGlzdGVuZXIoZXZ0KSB7CisgICAgdHJ5IHsKKyAgICAgICAgdGhpcy5wYXJlbnROb2RlLnJlbW92 ZUNoaWxkKHRoaXMpOworICAgIH0gY2F0Y2goZSkgeworICAgIH0KK30KKworZnVuY3Rpb24gdGVz dCgpIHsKKyAgICBpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgICAgICB3aW5k b3cubGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOworICAgIGRvY3VtZW50LmdldEVs ZW1lbnRCeUlkKCJhIikuYWRkRXZlbnRMaXN0ZW5lcignZm9jdXNpbicsIGZvY3VzaW5MaXN0ZW5l ciAsIGZhbHNlKTsKKyAgICBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiYSIpLmZvY3VzKCk7Cit9 Cis8L3NjcmlwdD4KKzwvaGVhZD4KKzxib2R5IG9ubG9hZD0idGVzdCgpOyI+Cis8cD5UZXN0IGZv ciBtYWtpbmcgc3VyZSB0aGF0IGEgY3Jhc2ggZG9lcyBub3QgaGFwcGVuIHdoZW4gYSBmb2N1c2Vk IG5vZGUgaXMgcmVtb3ZlZCBpbiBwcm9jZXNzaW5nIGZvY3VzaW4gZXZlbnRMaXN0bmVyLjwvcD4K KzxwcmUgaWQ9ImNvbnNvbGUiPjwvcHJlPgorPGgxIHRhYmluZGV4PSIwIiBpZD0iYSIgPjwvaDE+ Cis8L2JvZHk+Cis8L2h0bWw+Cg==