Bug 23858

Summary: Crash when removing an HTMLSelectElement from the document from inside its focus event handler
Product: WebKit    Reporter: Mark Rowe (bdash) <mrowe>
Component: WebCore Misc.    Assignee: Mark Rowe (bdash) <mrowe>
Status: RESOLVED FIXED
Severity: Normal    CC: tikbew
Priority: P1    Keywords: HasReduction, InRadar
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://jimeh.info/webkit-bomb
Attachments:
Description    Flags
Patch          darin: review+
testcase       none

Mark Rowe (bdash)
Reported 2009-02-09 17:31:06 PST
<select id="bomb" onfocus="this.parentNode.removeChild(this)"> <option>Click me to crash WebKit/Safari/Chrome.</option> </select><br />

This crashes because HTMLSelectElement::menuListDefaultEventHandler retrieves its renderer into a local variable, calls focus() which calls into JS to call the focus event handler, and then uses the renderer. The event handler can cause the renderer to be destroyed.

<rdar://problem/6570513>
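The cached-renderer pattern from the description, modelled as an added example (not WebKit's code and not the contents of the patch on this bug): the element owns a renderer, focus() hands control to script, and the "fixed" shape re-fetches the renderer afterwards, which is an assumed remedy. A live-renderer registry stands in for a memory checker so the stale pointer can be detected without dereferencing freed memory.

```cpp
// Added example, not WebKit's code: a minimal model of the pattern in the
// description above. Names (SelectElement, Renderer, detach) are hypothetical.
#include <functional>
#include <memory>
#include <set>

struct Renderer { int width = 100; };

// Constructed stand-in for a memory checker: the set of renderers still alive,
// so a stale pointer can be recognised without dereferencing freed memory.
static std::set<const Renderer*> g_liveRenderers;

struct SelectElement {
    std::unique_ptr<Renderer> m_renderer;
    std::function<void(SelectElement&)> m_onFocus;  // models the page's onfocus script

    SelectElement() : m_renderer(std::make_unique<Renderer>()) { g_liveRenderers.insert(m_renderer.get()); }
    ~SelectElement() { detach(); }
    Renderer* renderer() const { return m_renderer.get(); }
    // Models parentNode.removeChild(this): leaving the document destroys the renderer.
    void detach() { if (m_renderer) { g_liveRenderers.erase(m_renderer.get()); m_renderer.reset(); } }
    // Models focus(): dispatches to script, which can mutate the DOM arbitrarily.
    void focus() { if (m_onFocus) m_onFocus(*this); }
};

// Vulnerable shape from the description: cache the renderer, run script, use the cache.
// Returns whether the cached pointer is still live; false means real code would touch freed memory.
bool defaultEventHandlerVulnerable(SelectElement& select) {
    Renderer* renderer = select.renderer();  // cached before script runs
    select.focus();                          // script may remove the element
    return g_liveRenderers.count(renderer) != 0;
}

// Hardened shape (an assumed fix, not a description of the patch landed as r40804):
// re-fetch the renderer after anything that can run script and bail out if it is gone.
bool defaultEventHandlerFixed(SelectElement& select) {
    select.focus();
    Renderer* renderer = select.renderer();  // re-fetched after script
    if (!renderer)
        return false;                        // element left the document: nothing to do
    return renderer->width > 0;              // safe use
}

// The reduction's onfocus handler: remove the element from the document.
void removeOnFocus(SelectElement& select) { select.detach(); }

// Scenarios: with the reduction's handler the cached pointer goes stale and the fixed
// handler bails out; with no handler both paths are fine.
bool vulnerableLeavesStalePointer() { SelectElement s; s.m_onFocus = removeOnFocus; return !defaultEventHandlerVulnerable(s); }
bool fixedBailsOut() { SelectElement s; s.m_onFocus = removeOnFocus; return !defaultEventHandlerFixed(s); }
bool noHandlerIsSafe() { SelectElement s; return defaultEventHandlerVulnerable(s) && defaultEventHandlerFixed(s); }
```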
Attachments
Patch (4.49 KB, patch)
2009-02-09 17:36 PST, Mark Rowe (bdash)
darin: review+
testcase (812 bytes, text/html)
2009-05-18 16:39 PDT, Hallvord R. M. Steen
no flags
Mark Rowe (bdash)
Comment 1 2009-02-09 17:36:12 PST
Darin Adler
Comment 2 2009-02-09 18:02:52 PST
Comment on attachment 27506 [details] Patch
r=me
Mark Rowe (bdash)
Comment 3 2009-02-09 19:15:01 PST
Fixed with r40804. Sam talked me into adding a layout test too.
Hallvord R. M. Steen
Comment 4 2009-05-18 16:39:20 PDT
Created attachment 30454 [details] testcase