Crash in FocusController::advanceFocusInDocumentOrder

https://bugs.webkit.org/show_bug.cgi?id=66678 Source/WebCore: RefPtr the focusable node to prevent getting deleted by mutation event. Reviewed by Dave Hyatt. Test: fast/frames/focus-controller-crash-change-event.html * page/FocusController.cpp: (WebCore::FocusController::advanceFocusInDocumentOrder): LayoutTests: Reviewed by Dave Hyatt. * fast/frames/focus-controller-crash-change-event-expected.txt: Added. * fast/frames/focus-controller-crash-change-event.html: Added. git-svn-id: svn://svn.chromium.org/blink/trunk@93514 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Crash in FocusController::advanceFocusInDocumentOrder
https://bugs.webkit.org/show_bug.cgi?id=66678 Source/WebCore: RefPtr the focusable node to prevent getting deleted by mutation event. Reviewed by Dave Hyatt. Test: fast/frames/focus-controller-crash-change-event.html * page/FocusController.cpp: (WebCore::FocusController::advanceFocusInDocumentOrder): LayoutTests: Reviewed by Dave Hyatt. * fast/frames/focus-controller-crash-change-event-expected.txt: Added. * fast/frames/focus-controller-crash-change-event.html: Added. git-svn-id: svn://svn.chromium.org/blink/trunk@93514 bbb929c8-8fbe-4397-9dbb-9b2b20218538
ac2cc3d1 · inferno@chromium.org · 8c13d985 · ac2cc3d1 · ac2cc3d1 · ac2cc3d1
Commit ac2cc3d1 authored Aug 22, 2011 by inferno@chromium.org
5 changed files
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
+2011-08-22  Abhishek Arya  <inferno@chromium.org>
+        Crash in FocusController::advanceFocusInDocumentOrder
+        https://bugs.webkit.org/show_bug.cgi?id=66678
+        Reviewed by Dave Hyatt.
+        * fast/frames/focus-controller-crash-change-event-expected.txt: Added.
+        * fast/frames/focus-controller-crash-change-event.html: Added.
 2011-08-22  Martin Robinson  <mrobinson@igalia.com>
        [GTK] Some GTK+-specific font-face tests fail on the bots
--- a/third_party/WebKit/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt
+PASS
--- a/third_party/WebKit/LayoutTests/fast/frames/focus-controller-crash-change-event.html
+++ b/third_party/WebKit/LayoutTests/fast/frames/focus-controller-crash-change-event.html
+<html>
+<div id="b">
+    Press a key!
+    <input id="a">
+    <iframe></iframe>
+</div>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+	layoutTestController.waitUntilDone();
+}
+a.addEventListener("change", function() { 
+    b.innerHTML = "PASS";
+	if (window.layoutTestController)
+	    layoutTestController.notifyDone();
+});
+a.addEventListener("keyup", function() {
+    var e = document.createEvent("KeyboardEvent");
+    e.initKeyboardEvent('keydown', true, true, document.defaultView, 'U+0009', 0, false, false, false, false, false);
+    a.dispatchEvent(e);
+})
+document.body.offsetTop;
+a.focus();
+if (window.layoutTestController)
+    eventSender.keyDown('a');
+</script>
+</html>
\ No newline at end of file
--- a/third_party/WebKit/Source/WebCore/ChangeLog
+++ b/third_party/WebKit/Source/WebCore/ChangeLog
+2011-08-22  Abhishek Arya  <inferno@chromium.org>
+        Crash in FocusController::advanceFocusInDocumentOrder
+        https://bugs.webkit.org/show_bug.cgi?id=66678
+        RefPtr the focusable node to prevent getting deleted by mutation
+        event.
+        Reviewed by Dave Hyatt.
+        Test: fast/frames/focus-controller-crash-change-event.html
+        * page/FocusController.cpp:
+        (WebCore::FocusController::advanceFocusInDocumentOrder):
 2011-08-22  Justin Novosad  <junov@chromium.org>
        [Chromium] Crash when allocation of very large canvas fails
--- a/third_party/WebKit/Source/WebCore/page/FocusController.cpp
+++ b/third_party/WebKit/Source/WebCore/page/FocusController.cpp
@@ -246,7 +246,7 @@ bool FocusController::advanceFocusInDocumentOrder(FocusDirection direction, Keyb
    document->updateLayoutIgnorePendingStylesheets();
-    Node* node = findFocusableNodeAcrossTreeScope(direction, currentNode ? currentNode->treeScope() : document, currentNode, event);
+    RefPtr<Node> node = findFocusableNodeAcrossTreeScope(direction, currentNode ? currentNode->treeScope() : document, currentNode, event);
    if (!node) {
        // We didn't find a node to focus, so we should try to pass focus to Chrome.
@@ -259,7 +259,7 @@ bool FocusController::advanceFocusInDocumentOrder(FocusDirection direction, Keyb
        // Chrome doesn't want focus, so we should wrap focus.
        node = findFocusableNode(direction, m_page->mainFrame()->document(), 0, event);
-        node = findFocusableNodeDecendingDownIntoFrameDocumentOrShadowRoot(direction, node, event);
+        node = findFocusableNodeDecendingDownIntoFrameDocumentOrShadowRoot(direction, node.get(), event);
        if (!node)
            return false;
@@ -278,7 +278,7 @@ bool FocusController::advanceFocusInDocumentOrder(FocusDirection direction, Keyb
    if (node->isFrameOwnerElement()) {
        // We focus frames rather than frame owners.
        // FIXME: We should not focus frames that have no scrollbars, as focusing them isn't useful to the user.
-        HTMLFrameOwnerElement* owner = static_cast<HTMLFrameOwnerElement*>(node);
+        HTMLFrameOwnerElement* owner = static_cast<HTMLFrameOwnerElement*>(node.get());
        if (!owner->contentFrame())
            return false;
@@ -301,13 +301,13 @@ bool FocusController::advanceFocusInDocumentOrder(FocusDirection direction, Keyb
        setFocusedFrame(newDocument->frame());
    if (caretBrowsing) {
-        Position position = firstPositionInOrBeforeNode(node);
+        Position position = firstPositionInOrBeforeNode(node.get());
        VisibleSelection newSelection(position, position, DOWNSTREAM);
        if (frame->selection()->shouldChangeSelection(newSelection))
            frame->selection()->setSelection(newSelection);
    }
-    static_cast<Element*>(node)->focus(false);
+    static_cast<Element*>(node.get())->focus(false);
    return true;
 }