Bug 76656

Summary:

NULL deref on Webkit at bool Document::setFocusedNode(PassRefPtr<Node> prpNewFocusedNode)

Product:

WebKit

Reporter:

Fermin <fjserna>

Component:

DOM

Assignee:

Hayato Ito <hayato>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, cdumez, dglazkov, hayato, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
fix crash	none

Fermin

Reported 2012-01-19 12:44:21 PST

Originally I filled this on Chromium (http://code.google.com/p/chromium/issues/detail?id=110464) but it is a WebKit issue. NULL deref on Webkit at bool Document::setFocusedNode(PassRefPtr<Node> prpNewFocusedNode) Root cause is here: Problem is the second dispatch without checking m_focusedNode == NULL 3435 m_focusedNode->dispatchFocusInEvent(eventNames().focusinEvent, oldFocusedNode); // DOM level 3 bubbling focus event. 3436 // FIXME: We should remove firing DOMFocusInEvent event when we are sure no content depends 3437 // on it, probably when <rdar://problem/8503958> is m. 3438 m_focusedNode->dispatchFocusInEvent(eventNames().DOMFocusInEvent, oldFocusedNode); // DOM level 2 for compatibility. Proof of concept: <html> <head> <title></title> <script language="JavaScript"> function run() { document.getElementById("h6_00").addEventListener('focusin', function () { try { this.parentNode.removeChild(this); } catch(e) {} } , false); document.getElementById("h6_00").focus(); } </script> </head> <body onload="javascript: run();"> <h1 tabindex="0" id="h6_00" ></h1> </body> </html>

Attachments
fix crash (3.80 KB, patch) 2012-01-20 03:33 PST, Hayato Ito	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Hayato Ito

Comment 1 2012-01-20 00:48:36 PST

Confirmed. I can reproduce it. It'd be great that we have a spec which tells us what should be done in this case. Let me investigate.

Hayato Ito

Comment 2 2012-01-20 03:33:44 PST

Created attachment 123281 [details] fix crash

Hayato Ito

Comment 3 2012-01-20 03:36:07 PST

Although I couldn't find any backing spec yet, it might be better to fix this by using similar check login in the local context than leaving crash.

Hayato Ito

Comment 4 2012-01-20 03:36:53 PST

typo: check login -> check logic. (In reply to comment #3) > Although I couldn't find any backing spec yet, it might be better to fix this by using similar check login in the local context than leaving crash.

Dimitri Glazkov (Google)

Comment 5 2012-01-23 09:34:20 PST

Comment on attachment 123281 [details] fix crash ok. The whole function looks ugly, but it's not your fault.

WebKit Review Bot

Comment 6 2012-01-23 17:21:57 PST

Comment on attachment 123281 [details] fix crash Clearing flags on attachment: 123281 Committed r105665: <http://trac.webkit.org/changeset/105665>

WebKit Review Bot

Comment 7 2012-01-23 17:22:02 PST

All reviewed patches have been landed. Closing bug.

Lucas Forschler

Comment 8 2019-02-06 09:04:00 PST

Mass moving XML DOM bugs to the "DOM" Component.

Note You need to log in before you can comment on or make changes to this bug.