Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ab52a089ca027eae9a1ead8b83f806417b2b268e
      
https://github.com/WebKit/WebKit/commit/ab52a089ca027eae9a1ead8b83f806417b2b268e
  Author: Rupin Mittal <[email protected]>
  Date:   2026-06-11 (Thu, 11 Jun 2026)

  Changed paths:
    A LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash-expected.txt
    A LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash.html
    M Source/WebCore/page/FocusController.cpp

  Log Message:
  -----------
  StabilityTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::dispatchEventsOnWindowAndFocusedElement
https://bugs.webkit.org/show_bug.cgi?id=316860
rdar://179182828

Reviewed by Abrar Rahman Protyasha and Chris Dumez.

On this line in dispatchEventsOnWindowAndFocusedElement, the focusedElement()
may be nullptr, resulting in a null dereference:

document->focusedElement()->dispatchBlurEvent(nullptr);

We can reproduce the crash in this scenario: There is an input element on the
page which is focused and has an onchange handler that blurs it. We type a
character in it, and then when we CMD+TAB to open and move to a new tab, the
crash happens.

When we move away from this page, dispatchEventsOnWindowAndFocusedElement()
is called, and since there is a HTMLFormControlElement on it, we call
dispatchFormControlChangeEvent() on it. This calls Element::blur(), which sets
Document::m_focusedElement to nullptr. Then we unconditionally dereference
document->focusedElement() in the next line (the line shown above) and crash.
This call to dispatchEventsOnWindowAndFocusedElement() was added in 308203@main.

We fix this by null checking focusedElement before using it. We add a test that
mirrors this scenario.

Credit to Abrar Protyasha for finding the repro case.

* LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash-expected.txt: Added.
* LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash.html: Added.
* Source/WebCore/page/FocusController.cpp:
(WebCore::dispatchEventsOnWindowAndFocusedElement):

Canonical link: https://commits.webkit.org/315028@main
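The crash pattern the commit describes, re-enacted in a small stand-alone model. This is an added example, not WebKit's FocusController.cpp: Document, Element, dispatchBuggy, dispatchFixed and runScenario are constructed stand-ins with the same shape as the call sequence in the log message (change event fires author script, author script blurs, the focused-element pointer is then read again). The buggy variant reports the would-be null dereference instead of performing it, so the two orderings can be compared without undefined behaviour.

```cpp
#include <cstdio>
#include <functional>

// Constructed stand-ins for the WebCore types named in the commit message.
struct Document;

struct Element {
    Document* document = nullptr;
    bool isFormControl = false;            // plays the role of HTMLFormControlElement
    std::function<void()> onChange;        // author "onchange" handler
    int blurEventsReceived = 0;

    void blur();                           // clears Document::m_focusedElement, like Element::blur()
};

struct Document {
    Element* m_focusedElement = nullptr;
    Element* focusedElement() const { return m_focusedElement; }
    void setFocusedElement(Element* e) { m_focusedElement = e; }
};

void Element::blur()
{
    if (document && document->focusedElement() == this)
        document->setFocusedElement(nullptr);
}

// Runs author script: this is the point where focus state can change under us.
void dispatchFormControlChangeEvent(Element& e)
{
    if (e.onChange)
        e.onChange();
}

void dispatchBlurEvent(Element& e) { e.blurEventsReceived++; }

// Ordering before the fix: the focused element is re-read and used
// unconditionally after script ran. Returns false where real code would
// dereference nullptr (the modelled crash).
bool dispatchBuggy(Document& document)
{
    Element* focused = document.focusedElement();
    if (!focused)
        return true;
    if (focused->isFormControl)
        dispatchFormControlChangeEvent(*focused);   // may blur and null the pointer
    Element* stillFocused = document.focusedElement();
    if (!stillFocused)
        return false;                               // document->focusedElement()->... would crash here
    dispatchBlurEvent(*stillFocused);
    return true;
}

// Ordering after the fix: re-read the pointer after script ran and null-check it.
bool dispatchFixed(Document& document)
{
    Element* focused = document.focusedElement();
    if (!focused)
        return true;
    if (focused->isFormControl)
        dispatchFormControlChangeEvent(*focused);
    if (Element* stillFocused = document.focusedElement())
        dispatchBlurEvent(*stillFocused);
    return true;
}

struct Outcome {
    bool survived;     // false == the buggy path hit the null pointer
    int blurEvents;    // how many blur events the input actually received
};

// handlerBlurs: the onchange handler calls blur() on its own element (the repro).
// useFix: run the null-checked ordering instead of the buggy one.
Outcome runScenario(bool handlerBlurs, bool useFix)
{
    Document document;
    Element input;
    input.document = &document;
    input.isFormControl = true;
    if (handlerBlurs)
        input.onChange = [&input] { input.blur(); };
    document.setFocusedElement(&input);            // the input is focused when the window deactivates
    bool survived = useFix ? dispatchFixed(document) : dispatchBuggy(document);
    return { survived, input.blurEventsReceived };
}

int main()
{
    Outcome buggy = runScenario(true, false);
    Outcome fixed = runScenario(true, true);
    std::printf("onchange blurs, buggy: survived=%d blurEvents=%d\n", buggy.survived, buggy.blurEvents);
    std::printf("onchange blurs, fixed: survived=%d blurEvents=%d\n", fixed.survived, fixed.blurEvents);
    return 0;
}
```

The fixed ordering does not send a second blur event when the handler already blurred the element, which matches what the null check does in the real code: the element is no longer focused, so there is nothing left to blur. A plain handler that does not call blur() takes the same path in both variants.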
