https://code.google.com/p/chromium/issues/detail?id=126386 (Note: this report doesn't mention the possibility of crashes.)
http://trac.webkit.org/changeset/88030

In the preparation code of the context menu:

    HTMLFormElement* form = selectedFrame->selection()->currentForm();
    if (form && form->checkValidity() && r.innerNonSharedNode()->hasTagName(HTMLNames::inputTag)) {
        HTMLInputElement* selectedElement = static_cast<HTMLInputElement*>(r.innerNonSharedNode());
        if (selectedElement) {
            WebSearchableFormData ws = WebSearchableFormData(WebFormElement(form), WebInputElement(selectedElement));

form->checkValidity() can dispatch 'invalid' events, and the 'form' object can be removed in event handlers.
Created attachment 195252: Patch
Comment on attachment 195252: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=195252&action=review

> Source/WebKit/chromium/src/ContextMenuClientImpl.cpp:341
> -    if (form && form->checkValidity() && r.innerNonSharedNode()->hasTagName(HTMLNames::inputTag)) {
> +    if (form && r.innerNonSharedNode()->hasTagName(HTMLNames::inputTag)) {

I think we have no reason to call checkValidity here, and functions dispatching events should not be called during context menu preparation.
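Review bot: dropping form->checkValidity() from the condition at ContextMenuClientImpl.cpp:341 widens it, so WebSearchableFormData is now built for forms that fail constraint validation as well as for valid ones; the ChangeLog should state that this behaviour change is intended (or the searchable-form-data code should be confirmed not to depend on validity). The condition still dereferences r.innerNonSharedNode() without a null check on both the old and new line; if it can be null at this point, a guard would be worth adding in the same change.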
Ah, I found this didn't cause a use-after-free. If form->checkValidity() dispatches 'invalid' events, it returns false, so 'form' won't be accessed in such a case. If form->checkValidity() returns true, it won't dispatch events and accessing 'form' is safe.
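The hazard pattern in the bug description and the reasoning in the comment above (the form is only touched when checkValidity() returned true, i.e. when no 'invalid' listener ran) can be shown with a small model. The following is an added example, not WebKit code and not the fix that landed (which simply removed the checkValidity() call); the Form, Document, Outcome and prepare* names are hypothetical, std::shared_ptr stands in for RefPtr, and the listener semantics are taken from the thread: 'invalid' listeners run only for an invalid form, and then checkValidity() returns false.

```cpp
#include <cassert>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-in for HTMLFormElement: refcounted, with 'invalid'
// listeners that page script could have registered.
struct Form {
    bool valid = true;
    std::vector<std::function<void()>> invalidListeners;

    // Mirrors the behaviour described in the thread: listeners fire only
    // when the form is invalid, and in that case the result is false.
    bool checkValidity() {
        if (valid)
            return true;
        // Snapshot the listener list: a listener may drop the last owning
        // reference to this Form, after which no member may be touched.
        std::vector<std::function<void()>> snapshot = invalidListeners;
        for (auto& listener : snapshot)
            listener();
        return false;
    }
};

// Models the document's ownership of the element; removing the form from
// the tree drops this reference.
struct Document {
    std::shared_ptr<Form> form;
};

enum class Outcome { Skipped, UsedForm, UsedDanglingForm };

// Hazardous shape: raw pointer, and the form is used regardless of the
// checkValidity() result. The weak_ptr only exists to detect the dangle.
Outcome prepareUnsafe(Document& doc) {
    Form* form = doc.form.get();
    std::weak_ptr<Form> watch = doc.form;
    if (!form)
        return Outcome::Skipped;
    form->checkValidity(); // may run listeners that remove the form
    return watch.expired() ? Outcome::UsedDanglingForm : Outcome::UsedForm;
}

// Shape from the thread: the form is touched only when checkValidity()
// returned true, which means no listener ran and ownership is unchanged.
Outcome prepareGuarded(Document& doc) {
    Form* form = doc.form.get();
    if (!form)
        return Outcome::Skipped;
    if (!form->checkValidity())
        return Outcome::Skipped; // listeners ran; do not touch 'form' again
    return Outcome::UsedForm;
}

// Defensive shape: hold a strong reference across any call that can run
// script, so the object outlives the call even if the document lets go.
Outcome prepareProtected(Document& doc) {
    std::shared_ptr<Form> protector = doc.form; // RefPtr-style keep-alive
    if (!protector)
        return Outcome::Skipped;
    protector->checkValidity();
    return protector->valid ? Outcome::UsedForm : Outcome::UsedForm;
}

// Constructed scenario from the bug report: an invalid form whose
// 'invalid' listener removes the form from the document.
void installRemovingListener(Document& doc) {
    doc.form->valid = false;
    doc.form->invalidListeners.push_back([&doc] { doc.form.reset(); });
}

int main() {
    Document doc;
    doc.form = std::make_shared<Form>();
    installRemovingListener(doc);
    assert(prepareUnsafe(doc) == Outcome::UsedDanglingForm);

    Document doc2;
    doc2.form = std::make_shared<Form>();
    installRemovingListener(doc2);
    assert(prepareGuarded(doc2) == Outcome::Skipped);
    assert(!doc2.form);

    Document doc3;
    doc3.form = std::make_shared<Form>();
    installRemovingListener(doc3);
    assert(prepareProtected(doc3) == Outcome::UsedForm);
    return 0;
}
```

prepareGuarded is the argument from the comment above expressed as control flow; prepareProtected is the general remedy when the call after the event dispatch cannot be avoided. Either way, the rule a reviewer checks for is that no raw pointer obtained before a script-running call is dereferenced after it.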
Comment on attachment 195252: Patch
Clearing flags on attachment: 195252
Committed r147161: <http://trac.webkit.org/changeset/147161>
All reviewed patches have been landed. Closing bug.