RESOLVED FIXED 23858
Crash when removing a HTMLSelectElement from the document from inside its focus event handler
https://bugs.webkit.org/show_bug.cgi?id=23858
Mark Rowe (bdash)
Reported 2009-02-09 17:31:06 PST
<select id="bomb" onfocus="this.parentNode.removeChild(this)">
<option>Click me to crash WebKit/Safari/Chrome.</option>
</select><br />

This crashes because HTMLSelectElement::menuListDefaultEventHandler retrieves its renderer into a local variable, calls focus() which calls into JS to call the focus event handler, and then uses the renderer. The event handler can cause the renderer to be destroyed.

<rdar://problem/6570513>
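The lifetime hazard in the report, modelled as an added example: this is not WebKit code and makes no claim about what r40804 changed. A tiny Element/Renderer model stands in for the DOM; the "unsafe" handler caches the renderer before focus() (as the report describes), while the "safe" variant re-fetches it after the script callout and bails if it is gone.

```cpp
// Added example, not WebKit source: minimal model of a renderer pointer
// cached across a focus() callout that can run arbitrary script.
#include <cstdio>
#include <functional>
#include <memory>

struct Renderer { int width = 100; };

struct Element {
    std::unique_ptr<Renderer> renderer = std::make_unique<Renderer>();
    std::function<void(Element&)> onfocus;   // script-installed handler
    bool inDocument = true;

    // Detaching from the document destroys the renderer (as removeChild does).
    void removeFromDocument() { inDocument = false; renderer.reset(); }

    // focus() dispatches the focus event, which may run arbitrary script.
    void focus() { if (onfocus) onfocus(*this); }
};

// Buggy shape from the report: renderer cached before focus(), used after.
// The model compares pointers instead of dereferencing, so it stays
// well-defined; 'false' means the cached pointer now dangles.
bool menuListHandlerUnsafe(Element& e) {
    Renderer* cached = e.renderer.get();
    e.focus();
    return cached == e.renderer.get();
}

// Hardened shape (an assumed fix, not necessarily the one landed): re-fetch
// the renderer after the callout and stop if the element lost it.
bool menuListHandlerSafe(Element& e, int* widthOut) {
    e.focus();
    Renderer* r = e.renderer.get();
    if (!r) return false;
    *widthOut = r->width;
    return true;
}

int main() {
    Element bomb;   // constructed stand-in for the <select id="bomb"> testcase
    bomb.onfocus = [](Element& self) { self.removeFromDocument(); };
    int w = 0;
    std::printf("safe handler touched renderer: %s\n",
                menuListHandlerSafe(bomb, &w) ? "yes" : "no (renderer gone)");
    return 0;
}
```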
Attachments
Patch (4.49 KB, patch)
2009-02-09 17:36 PST, Mark Rowe (bdash)
darin: review+
testcase (812 bytes, text/html)
2009-05-18 16:39 PDT, Hallvord R. M. Steen
no flags
Mark Rowe (bdash)
Comment 1 2009-02-09 17:36:12 PST
Darin Adler
Comment 2 2009-02-09 18:02:52 PST
Comment on attachment 27506 (Patch)
r=me
Mark Rowe (bdash)
Comment 3 2009-02-09 19:15:01 PST
Fixed with r40804. Sam talked me into adding a layout test too.
Hallvord R. M. Steen
Comment 4 2009-05-18 16:39:20 PDT
Created attachment 30454 (testcase)