[Webkit-unassigned] [Bug 205128] use-after-free READ @ WebCore::EventHandler::focusDocumentView
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Dec 11 11:30:17 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=205128
Jack <shihchieh_lee at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rniwa at webkit.org,
| |zalan at apple.com
--- Comment #1 from Jack <shihchieh_lee at apple.com> ---
The root cause is a race condition between two threads:
1. WebCore::jsDOMWindowInstanceFunctionFocus -> WebCore::DOMWindow::focus -> FocusController::setFocusedFrame, which would reference DOMWindow->frame()
2. HTMLTableElement::deleteCaption -> WidgetHierarchyUpdatesSuspensionScope::moveWidgets, which would free DOMWindow->frame()
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191211/69ef96c9/attachment.htm>
More information about the webkit-unassigned
mailing list