Bug 23858 - Crash when removing a HTMLSelectElement from the document from inside its focus event handler
Summary: Crash when removing a HTMLSelectElement from the document from inside its foc...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
: P1 Normal
Assignee: Mark Rowe (bdash)
URL: http://jimeh.info/webkit-bomb
Keywords: HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2009-02-09 17:31 PST by Mark Rowe (bdash)
Modified: 2009-05-18 16:40 PDT (History)
1 user (show)

See Also:

Attachments
Patch (4.49 KB, patch)
2009-02-09 17:36 PST, Mark Rowe (bdash) 		darin: review+
Details | Formatted Diff | Diff
testcase (812 bytes, text/html)
2009-05-18 16:39 PDT, Hallvord R. M. Steen 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Rowe (bdash) 2009-02-09 17:31:06 PST 
<select id="bomb" onfocus="this.parentNode.removeChild(this)">
		<option>Click me to crash WebKit/Safari/Chrome.</option>
	</select><br />

This crashes because HTMLSelectElement::menuListDefaultEventHandler retrieves its renderer into a local variable, calls focus() which calls into JS to call the focus event handler, and then uses the renderer.  The event handler can cause the renderer to be destroyed.

<rdar://problem/6570513>
Comment 1 Mark Rowe (bdash) 2009-02-09 17:36:12 PST 
Created attachment 27506 [details]
Patch
Comment 2 Darin Adler 2009-02-09 18:02:52 PST 
Comment on attachment 27506 [details]
Patch

r=me
Comment 3 Mark Rowe (bdash) 2009-02-09 19:15:01 PST 
Fixed with r40804.  Sam talked me into adding a layout test too.
Comment 4 Hallvord R. M. Steen 2009-05-18 16:39:20 PDT 
Created attachment 30454 [details]
testcase