112653 – Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler

RESOLVED FIXED 112653

Crash in Document::setFocusedNode if the frame of new focused node is detached in 'change' event handler

https://bugs.webkit.org/show_bug.cgi?id=112653

Summary Crash in Document::setFocusedNode if the frame of new focused node is detache...

Kent Tamura

Reported 2013-03-18 21:11:02 PDT

https://code.google.com/p/chromium/issues/detail?id=201134 Reduction: <div> <input value="foo"></input> <iframe frameborder="0" id="input" height="100" width="540" srcdoc="<input autofocus>"></iframe> </div> <script> addEventListener("change", function(e) { document.body.appendChild(document.getElementById("input")); document.body.appendChild(document.createTextNode("PASS")); }, false); </script> 1. Open the above document 2. Click on the left input field 3. Modify it 4. Click on the right input field --> Crash by null pointer deference

Attachments
Patch (3.88 KB, patch) 2013-03-18 21:54 PDT, Kent Tamura	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Kent Tamura

Comment 1 2013-03-18 21:54:30 PDT

Created attachment 193724 [details] Patch

WebKit Review Bot

Comment 2 2013-03-20 15:01:01 PDT

Comment on attachment 193724 [details] Patch Clearing flags on attachment: 193724 Committed r146393: <http://trac.webkit.org/changeset/146393>

WebKit Review Bot

Comment 3 2013-03-20 15:01:05 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component DOM

Assignee

Kent Tamura

Reported

2013-03-18 21:11 PDT

Modified

2013-03-20 15:01 PDT History

CC List

6 users Show

URL

Keywords

Depends on

Blocks