[Webkit-unassigned] [Bug 26087] New: Removing element in JS crashes Chrome tab if it fired the change event

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 29 14:49:31 PDT 2009


           Summary: Removing element in JS crashes Chrome tab if it fired
                    the change event
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://www.schrierc.org/chrome-reload-crash.html
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: victorw at chromium.org
                CC: dglazkov at chromium.org

This applies to Chrome only.
If a popup list is abandoned (press a key to jump to an item and then use tab
or mouse to get away from the select box), the current code in
PopupMenuChromium fires a change event in updateFromElement(). The JS that
listens to this event may destroy the object and cause the rest of the popup
list code to crash.

What steps will reproduce the problem?

1. Open URL using Chrome: http://www.schrierc.org/chrome-reload-crash.html
2. Click the select
3. Press 's' on your keyboard
4. Click on the document but not the select itself

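The hazard described in the report, an object firing an event whose listener can destroy that object, shown as an added C++ example together with a keep-alive guard. This is not WebKit or Chromium code: `PopupList`, `Page`, `fireChange` and `abandon` are hypothetical names, and `std::shared_ptr` stands in for the engine's own reference counting.

```cpp
#include <functional>
#include <iostream>
#include <memory>
// Hypothetical stand-in for the popup list; none of these names are WebKit's.
struct PopupList : std::enable_shared_from_this<PopupList> {
    std::function<void()> onChange;  // stand-in for the page's JS change listener
    bool attached = true;            // cleared when the listener removes the element
    int selected = -1;
    // Touches no member after the call, so it stays well-defined even if the
    // listener drops the last reference to *this.
    void fireChange() {
        auto handler = onChange;     // copy: the member would die with *this
        if (handler) handler();
    }
    // Guarded abandon path: pin *this across the event, then re-check state.
    // Returns true only if the post-event work ran.
    bool abandon(int typedIndex) {
        auto protect = shared_from_this();
        selected = typedIndex;
        fireChange();
        if (!attached) return false; // element was removed: stop here
        selected = -1;               // remaining popup teardown
        return true;
    }
};
struct Page { std::shared_ptr<PopupList> popup; };  // sole owner, like the DOM
// Constructed scenario: the listener removes the select if removeOnChange is set.
std::unique_ptr<Page> makePage(bool removeOnChange) {
    auto page = std::make_unique<Page>();
    page->popup = std::make_shared<PopupList>();
    Page* p = page.get();
    if (removeOnChange)
        page->popup->onChange = [p] { p->popup->attached = false; p->popup.reset(); };
    return page;
}
// Without a keep-alive the object is already freed when the event returns.
bool freedDuringEvent() {
    auto page = makePage(true);
    std::weak_ptr<PopupList> watch = page->popup;
    page->popup->fireChange();
    return watch.expired();
}
// With the guard, abandon() reports whether it went on to the teardown.
bool guardedTeardownRan(bool removeOnChange) {
    auto page = makePage(removeOnChange);
    return page->popup->abandon(3);
}
int main() {
    std::cout << freedDuringEvent() << guardedTeardownRan(true) << guardedTeardownRan(false) << "\n";
}
```

Any code that runs after an event dispatch and still touches the dispatching object needs both parts of the guard: the reference that keeps the object alive and the state re-check that stops the remaining work.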