Chromium Code Reviews

Issue 225163004: Element::focus() should acquire the reference of LocalFrame. (Closed)

Created:
6 years, 8 months ago by Yuta Kitamura
Modified:
6 years, 8 months ago
Reviewers:
yoichio, yosin_UTC9
CC:
blink-reviews, sof, eae+blinkwatch, dglazkov+blink, adamk+blink_chromium.org, Inactive, rwlbuis
Visibility:
Public.

Description

Element::focus() should acquire the reference of LocalFrame.

FrameSelection::setSelection() may cause some DOM events to happen synchronously, which could free the frame and produce a dangling pointer to the frame.

This patch extends the lifetime of the frame object and fixes this use-after-free.

BUG=357669

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=171415
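The lifetime problem the description refers to, as an added C++ example that is not the Blink patch or code from this review: `Frame`, `Document`, `onFocusOut` and both `focus*` functions are hypothetical stand-ins, and `std::shared_ptr` is assumed here in place of the frame's own reference counting. The raw-pointer variant never dereferences the pointer; it only reports, through a `weak_ptr` probe, whether the frame survived the call.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Hypothetical stand-ins, not Blink's real classes.
struct Frame { int selectionUpdates = 0; };

struct Document {
    std::shared_ptr<Frame> frame;                // owner's reference to the frame
    std::function<void(Document&)> onFocusOut;   // script-installed handler
};

// Models a call that may dispatch DOM events synchronously.
void setSelection(Document& doc) {
    if (doc.onFocusOut) doc.onFocusOut(doc);
}

// Before: raw pointer only. Returns whether the frame survived the call.
bool focusRawPointer(Document& doc) {
    Frame* frame = doc.frame.get();
    std::weak_ptr<Frame> probe = doc.frame;      // liveness probe only
    setSelection(doc);
    (void)frame;  // dangling if probe expired; any use here is a use-after-free
    return !probe.expired();
}

// After: a strong reference taken first keeps the frame alive until return.
bool focusProtected(Document& doc) {
    std::shared_ptr<Frame> protect = doc.frame;
    std::weak_ptr<Frame> probe = protect;
    setSelection(doc);
    if (protect) protect->selectionUpdates++;    // safe: object still alive
    return !probe.expired();
}

// Constructed scenario: the handler removes the frame from its owner.
Document makeDocWithRemovingHandler() {
    Document doc;
    doc.frame = std::make_shared<Frame>();
    doc.onFocusOut = [](Document& d) { d.frame.reset(); };
    return doc;
}

int main() {
    Document a = makeDocWithRemovingHandler();
    Document b = makeDocWithRemovingHandler();
    std::printf("raw pointer: frame alive = %d\n", focusRawPointer(a));
    std::printf("protected:   frame alive = %d\n", focusProtected(b));
}
```

Building the raw-pointer variant with AddressSanitizer and actually dereferencing `frame` after `setSelection()` is how this class of bug is usually confirmed in a regression test.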

Patch Set 1

Total comments: 2

Patch Set 2: Use focusout event.

Stats: +32 lines, -3 lines
A LayoutTests/editing/selection/focus-iframe-removal-crash.html (1 chunk, +29 lines, -0 lines)
A + LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt (1 chunk, +1 line, -2 lines)
M Source/core/dom/Element.cpp (1 chunk, +2 lines, -1 line)

Messages

Total messages: 6 (0 generated)
Yuta Kitamura
Debugged for a whole day and came up with a one-line change...
6 years, 8 months ago (2014-04-11 09:25:08 UTC) #1
yosin_UTC9
LGTM

https://codereview.chromium.org/225163004/diff/1/LayoutTests/editing/selection/focus-iframe-removal-crash.html
File LayoutTests/editing/selection/focus-iframe-removal-crash.html (right):

https://codereview.chromium.org/225163004/diff/1/LayoutTests/editing/selection/focus-iframe-removal-crash.html#newcode17
LayoutTests/editing/selection/focus-iframe-removal-crash.html:17: iframe.contentDocument.documentElement.addEventListener('DOMFocusOut', function () {
nit: Can we use ...
6 years, 8 months ago (2014-04-14 02:00:27 UTC) #2
Yuta Kitamura
The CQ bit was checked by yutak@chromium.org
6 years, 8 months ago (2014-04-14 02:43:52 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/yutak@chromium.org/225163004/20001
6 years, 8 months ago (2014-04-14 02:44:04 UTC) #4
Yuta Kitamura
https://codereview.chromium.org/225163004/diff/1/LayoutTests/editing/selection/focus-iframe-removal-crash.html
File LayoutTests/editing/selection/focus-iframe-removal-crash.html (right):

https://codereview.chromium.org/225163004/diff/1/LayoutTests/editing/selection/focus-iframe-removal-crash.html#newcode17
LayoutTests/editing/selection/focus-iframe-removal-crash.html:17: iframe.contentDocument.documentElement.addEventListener('DOMFocusOut', function () {
On 2014/04/14 02:00:27, Yoshi wrote:
...
6 years, 8 months ago (2014-04-14 02:44:32 UTC) #5
commit-bot: I haz the power
6 years, 8 months ago (2014-04-14 03:43:03 UTC) #6
Message was sent while issue was closed.
Change committed as 171415
