WebKit Bugzilla
RESOLVED FIXED
76656
NULL deref on Webkit at bool Document::setFocusedNode(PassRefPtr<Node> prpNewFocusedNode)
https://bugs.webkit.org/show_bug.cgi?id=76656
Fermin
Reported
2012-01-19 12:44:21 PST
Originally I filed this on Chromium (http://code.google.com/p/chromium/issues/detail?id=110464) but it is a WebKit issue.

NULL deref on Webkit at bool Document::setFocusedNode(PassRefPtr<Node> prpNewFocusedNode)

Root cause is here. Problem is the second dispatch without checking m_focusedNode == NULL:

    m_focusedNode->dispatchFocusInEvent(eventNames().focusinEvent, oldFocusedNode); // DOM level 3 bubbling focus event.
    // FIXME: We should remove firing DOMFocusInEvent event when we are sure no content depends
    // on it, probably when <rdar://problem/8503958> is m.
    m_focusedNode->dispatchFocusInEvent(eventNames().DOMFocusInEvent, oldFocusedNode); // DOM level 2 for compatibility.

Proof of concept:

    <html>
    <head>
    <title></title>
    <script language="JavaScript">
    function run() {
        document.getElementById("h6_00").addEventListener('focusin', function () {
            try { this.parentNode.removeChild(this); } catch(e) {}
        }, false);
        document.getElementById("h6_00").focus();
    }
    </script>
    </head>
    <body onload="javascript: run();">
    <h1 tabindex="0" id="h6_00"></h1>
    </body>
    </html>
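Added example, not the reporter's or WebKit's code: a small C++ model of the re-entrancy problem described above, using hypothetical Node and Document types. Each dispatch hands control to listeners that may remove the focused node, and the model re-checks the focused-node pointer after every dispatch (the "similar check logic" the later comments suggest), so the self-removing listener from the proof of concept makes the call return false instead of dereferencing NULL.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Hypothetical model of the focus bookkeeping in the bug (not WebKit code):
// listeners run arbitrary script and may remove the node being focused,
// which clears the document's focused-node pointer while setFocusedNode runs.
struct Node { std::vector<std::function<void()>> focusinListeners; };

struct Document {
    std::shared_ptr<Node> focusedNode;  // stands in for m_focusedNode

    void removeNode(const std::shared_ptr<Node>& n) {
        if (focusedNode == n) focusedNode.reset();  // removal blurs the node
    }
    // Iterate over a copy: listeners may mutate the list or the document.
    static void dispatchFocusIn(Node& target) {
        auto listeners = target.focusinListeners;
        for (auto& l : listeners) l();
    }
    // Same shape as the reported function: two dispatches for one focus change.
    // The defensive fix is to re-check after *each* dispatch; dereferencing
    // focusedNode a second time without that check is the NULL deref reported.
    bool setFocusedNode(std::shared_ptr<Node> newNode) {
        focusedNode = newNode;
        if (!focusedNode) return true;
        dispatchFocusIn(*focusedNode);             // focusin (DOM level 3)
        if (focusedNode != newNode) return false;  // listener cleared/moved focus
        dispatchFocusIn(*focusedNode);             // DOMFocusIn (DOM level 2 compat)
        return focusedNode == newNode;
    }
};

// Scenario from the proof of concept: the focusin listener removes its own
// node. With the re-check this returns false instead of crashing.
bool focusNodeThatRemovesItself() {
    Document doc;
    auto h1 = std::make_shared<Node>();
    h1->focusinListeners.push_back([&] { doc.removeNode(h1); });
    return doc.setFocusedNode(h1);
}

// Control case: a benign listener observes both dispatches (returns 2).
int focusNodeWithCountingListener() {
    Document doc;
    auto h1 = std::make_shared<Node>();
    int calls = 0;
    h1->focusinListeners.push_back([&] { ++calls; });
    return doc.setFocusedNode(h1) ? calls : -1;
}
```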
Attachments

fix crash (3.80 KB, patch) 2012-01-20 03:33 PST, Hayato Ito, no flags
Hayato Ito
Comment 1
2012-01-20 00:48:36 PST
Confirmed. I can reproduce it. It'd be great that we have a spec which tells us what should be done in this case. Let me investigate.
Hayato Ito
Comment 2
2012-01-20 03:33:44 PST
Created attachment 123281 [details]: fix crash
Hayato Ito
Comment 3
2012-01-20 03:36:07 PST
Although I couldn't find any backing spec yet, it might be better to fix this by using similar check login in the local context than leaving crash.
Hayato Ito
Comment 4
2012-01-20 03:36:53 PST
(In reply to comment #3)
> Although I couldn't find any backing spec yet, it might be better to fix this by using similar check login in the local context than leaving crash.

typo: check login -> check logic.
Dimitri Glazkov (Google)
Comment 5
2012-01-23 09:34:20 PST
Comment on attachment 123281 [details]: fix crash

ok. The whole function looks ugly, but it's not your fault.
WebKit Review Bot
Comment 6
2012-01-23 17:21:57 PST
Comment on attachment 123281 [details]: fix crash

Clearing flags on attachment: 123281

Committed r105665: <http://trac.webkit.org/changeset/105665>
WebKit Review Bot
Comment 7
2012-01-23 17:22:02 PST
All reviewed patches have been landed. Closing bug.
Lucas Forschler
Comment 8
2019-02-06 09:04:00 PST
Mass moving XML DOM bugs to the "DOM" Component.