Title: [93514] trunk
Revision: 93514
Author: infe...@chromium.org
Date: 2011-08-22 10:33:59 -0700 (Mon, 22 Aug 2011)

Log Message

Crash in FocusController::advanceFocusInDocumentOrder
https://bugs.webkit.org/show_bug.cgi?id=66678

Source/WebCore: 

RefPtr the focusable node to prevent getting deleted by mutation
event.

Reviewed by Dave Hyatt.

Test: fast/frames/focus-controller-crash-change-event.html

* page/FocusController.cpp:
(WebCore::FocusController::advanceFocusInDocumentOrder):

LayoutTests: 

Reviewed by Dave Hyatt.

* fast/frames/focus-controller-crash-change-event-expected.txt: Added.
* fast/frames/focus-controller-crash-change-event.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (93513 => 93514)


--- trunk/LayoutTests/ChangeLog	2011-08-22 17:07:55 UTC (rev 93513)
+++ trunk/LayoutTests/ChangeLog	2011-08-22 17:33:59 UTC (rev 93514)
@@ -1,3 +1,13 @@
+2011-08-22  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in FocusController::advanceFocusInDocumentOrder
+        https://bugs.webkit.org/show_bug.cgi?id=66678
+
+        Reviewed by Dave Hyatt.
+
+        * fast/frames/focus-controller-crash-change-event-expected.txt: Added.
+        * fast/frames/focus-controller-crash-change-event.html: Added.
+
 2011-08-22  Martin Robinson  <mrobin...@igalia.com>
 
         [GTK] Some GTK+-specific font-face tests fail on the bots

Added: trunk/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt (0 => 93514)


--- trunk/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt	2011-08-22 17:33:59 UTC (rev 93514)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/frames/focus-controller-crash-change-event.html (0 => 93514)


--- trunk/LayoutTests/fast/frames/focus-controller-crash-change-event.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/focus-controller-crash-change-event.html	2011-08-22 17:33:59 UTC (rev 93514)
@@ -0,0 +1,32 @@
+<html>
+<div id="b">
+    Press a key!
+    <input id="a">
+    <iframe></iframe>
+</div>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+	layoutTestController.waitUntilDone();
+}
+
+a.addEventListener("change", function() { 
+    b.innerHTML = "PASS";
+
+	if (window.layoutTestController)
+	    layoutTestController.notifyDone();
+});
+
+a.addEventListener("keyup", function() {
+    var e = document.createEvent("KeyboardEvent");
+    e.initKeyboardEvent('keydown', true, true, document.defaultView, 'U+0009', 0, false, false, false, false, false);
+    a.dispatchEvent(e);
+})
+
+document.body.offsetTop;
+a.focus();
+
+if (window.layoutTestController)
+    eventSender.keyDown('a');
+</script>
+</html>
\ No newline at end of file
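Review bot: the final guard `if (window.layoutTestController)` protects a call on `eventSender`, which is a different object; test `window.eventSender` there so the page does not throw in a harness that exposes one without the other. The file also mixes tabs and spaces on the `waitUntilDone()` and `notifyDone()` lines, drops the semicolon after the keyup listener's closing `})`, and ends without a newline. A short comment at the top saying that the change listener replaces the contents of `#b` (removing the input and the iframe) while the synthetic Tab keydown is advancing focus would make the intent clear to whoever touches the test next.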

Modified: trunk/Source/WebCore/ChangeLog (93513 => 93514)


--- trunk/Source/WebCore/ChangeLog	2011-08-22 17:07:55 UTC (rev 93513)
+++ trunk/Source/WebCore/ChangeLog	2011-08-22 17:33:59 UTC (rev 93514)
@@ -1,3 +1,18 @@
+2011-08-22  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in FocusController::advanceFocusInDocumentOrder
+        https://bugs.webkit.org/show_bug.cgi?id=66678
+
+        RefPtr the focusable node to prevent getting deleted by mutation
+        event.
+
+        Reviewed by Dave Hyatt.
+
+        Test: fast/frames/focus-controller-crash-change-event.html
+
+        * page/FocusController.cpp:
+        (WebCore::FocusController::advanceFocusInDocumentOrder):
+
 2011-08-22  Justin Novosad  <ju...@chromium.org>
 
         [Chromium] Crash when allocation of very large canvas fails
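Review bot: the description says the node is deleted by a "mutation event", but the regression test added in this revision removes the node from a `change` listener, and the test's file name says change event as well. Wording such as "deleted by an event handler that runs while focus is advancing" would match the test and would not suggest the fix is limited to DOM mutation events.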

Modified: trunk/Source/WebCore/page/FocusController.cpp (93513 => 93514)


--- trunk/Source/WebCore/page/FocusController.cpp	2011-08-22 17:07:55 UTC (rev 93513)
+++ trunk/Source/WebCore/page/FocusController.cpp	2011-08-22 17:33:59 UTC (rev 93514)
@@ -246,7 +246,7 @@
 
     document->updateLayoutIgnorePendingStylesheets();
 
-    Node* node = findFocusableNodeAcrossTreeScope(direction, currentNode ? currentNode->treeScope() : document, currentNode, event);
+    RefPtr<Node> node = findFocusableNodeAcrossTreeScope(direction, currentNode ? currentNode->treeScope() : document, currentNode, event);
 
     if (!node) {
         // We didn't find a node to focus, so we should try to pass focus to Chrome.
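Review bot: nothing at the declaration says why `node` is now a `RefPtr<Node>`, while other locals in this function (`owner`, `frame`, `document`) stay raw pointers, so a later cleanup could quietly turn it back. A one-line comment above it, along the lines of "script run during the focus change can remove this node", would keep the reason next to the code.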
@@ -259,7 +259,7 @@
 
         // Chrome doesn't want focus, so we should wrap focus.
         node = findFocusableNode(direction, m_page->mainFrame()->document(), 0, event);
-        node = findFocusableNodeDecendingDownIntoFrameDocumentOrShadowRoot(direction, node, event);
+        node = findFocusableNodeDecendingDownIntoFrameDocumentOrShadowRoot(direction, node.get(), event);
 
         if (!node)
             return false;
@@ -278,7 +278,7 @@
     if (node->isFrameOwnerElement()) {
         // We focus frames rather than frame owners.
         // FIXME: We should not focus frames that have no scrollbars, as focusing them isn't useful to the user.
-        HTMLFrameOwnerElement* owner = static_cast<HTMLFrameOwnerElement*>(node);
+        HTMLFrameOwnerElement* owner = static_cast<HTMLFrameOwnerElement*>(node.get());
         if (!owner->contentFrame())
             return false;
 
@@ -301,13 +301,13 @@
         setFocusedFrame(newDocument->frame());
 
     if (caretBrowsing) {
-        Position position = firstPositionInOrBeforeNode(node);
+        Position position = firstPositionInOrBeforeNode(node.get());
         VisibleSelection newSelection(position, position, DOWNSTREAM);
         if (frame->selection()->shouldChangeSelection(newSelection))
             frame->selection()->setSelection(newSelection);
     }
 
-    static_cast<Element*>(node)->focus(false);
+    static_cast<Element*>(node.get())->focus(false);
     return true;
 }
 
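Review bot: holding a reference keeps `node` from being freed, but it can still be removed from the document by the handler, as the new layout test does by assigning `b.innerHTML`, so `firstPositionInOrBeforeNode(node.get())` and `focus(false)` may end up operating on a detached node. Consider checking that the node is still attached before setting the selection and focusing it, or state in a comment that both calls are safe on a detached node. The closing `static_cast<Element*>(node.get())` also has no visible assertion that the node is an element; an `ASSERT(node->isElementNode())` before it would document the assumption.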
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
