[Webkit-unassigned] [Bug 13701] New: REGRESSION (r21431): Reproducible crash resulting from calling adoptNode on a password field
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat May 12 15:46:53 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=13701
Summary: REGRESSION (r21431): Reproducible crash resulting from
calling adoptNode on a password field
Product: WebKit
Version: 522+ (nightly)
Platform: Macintosh
OS/Version: Mac OS X 10.4
Status: NEW
Keywords: Regression, NeedsRadar
Severity: Major
Priority: P1
Component: New Bugs
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: mitz at webkit.org
The attached test case demonstrates that it is possible to crash the browser
after using adoptNode() to move a password field out of a document. Password
fields register with their document for the didRestoreFromCache() notification,
and unregister when they are destroyed. The problem is that if the password
field is adopted by a different document before being destroyed, it will
unregister with the wrong document (the new one) and a deleted element will
remain registered with the original document. When that document is restored
from the back/forward cache, it will send the notification to an invalid
pointer and crash.
Other issues involving adoptNode and form elements have been mentioned in bug
12938. While I don't think it's a good idea to override setDocument(), a
separate method to be used exclusively by adoptNode() might be appropriate.
--
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list