Diff
Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (103421 => 103422)
--- branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 19:41:12 UTC (rev 103421)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 19:42:20 UTC (rev 103422)
@@ -1,5 +1,19 @@
2011-12-21 Lucas Forschler <[email protected]>
+ Merge 93514
+
+ 2011-08-22 Abhishek Arya <[email protected]>
+
+ Crash in FocusController::advanceFocusInDocumentOrder
+ https://bugs.webkit.org/show_bug.cgi?id=66678
+
+ Reviewed by Dave Hyatt.
+
+ * fast/frames/focus-controller-crash-change-event-expected.txt: Added.
+ * fast/frames/focus-controller-crash-change-event.html: Added.
+
+2011-12-21 Lucas Forschler <[email protected]>
+
Merge 93347
2011-08-18 Ryosuke Niwa <[email protected]>
Copied: branches/safari-534.54-branch/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt (from rev 93514, trunk/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt) (0 => 103422)
--- branches/safari-534.54-branch/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/frames/focus-controller-crash-change-event-expected.txt 2011-12-21 19:42:20 UTC (rev 103422)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-534.54-branch/LayoutTests/fast/frames/focus-controller-crash-change-event.html (from rev 93514, trunk/LayoutTests/fast/frames/focus-controller-crash-change-event.html) (0 => 103422)
--- branches/safari-534.54-branch/LayoutTests/fast/frames/focus-controller-crash-change-event.html (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/fast/frames/focus-controller-crash-change-event.html 2011-12-21 19:42:20 UTC (rev 103422)
@@ -0,0 +1,32 @@
+<html>
+<div id="b">
+ Press a key!
+ <input id="a">
+ <iframe></iframe>
+</div>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+a.addEventListener("change", function() {
+ b.innerHTML = "PASS";
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+});
+
+a.addEventListener("keyup", function() {
+ var e = document.createEvent("KeyboardEvent");
+ e.initKeyboardEvent('keydown', true, true, document.defaultView, 'U+0009', 0, false, false, false, false, false);
+ a.dispatchEvent(e);
+})
+
+document.body.offsetTop;
+a.focus();
+
+if (window.layoutTestController)
+ eventSender.keyDown('a');
+</script>
+</html>
\ No newline at end of file
Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (103421 => 103422)
--- branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 19:41:12 UTC (rev 103421)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 19:42:20 UTC (rev 103422)
@@ -1,5 +1,24 @@
2011-12-21 Lucas Forschler <[email protected]>
+ Merge 93514
+
+ 2011-08-22 Abhishek Arya <[email protected]>
+
+ Crash in FocusController::advanceFocusInDocumentOrder
+ https://bugs.webkit.org/show_bug.cgi?id=66678
+
+ RefPtr the focusable node to prevent getting deleted by mutation
+ event.
+
+ Reviewed by Dave Hyatt.
+
+ Test: fast/frames/focus-controller-crash-change-event.html
+
+ * page/FocusController.cpp:
+ (WebCore::FocusController::advanceFocusInDocumentOrder):
+
+2011-12-21 Lucas Forschler <[email protected]>
+
Merge 93347
2011-08-18 Ryosuke Niwa <[email protected]>
Modified: branches/safari-534.54-branch/Source/WebCore/page/FocusController.cpp (103421 => 103422)
--- branches/safari-534.54-branch/Source/WebCore/page/FocusController.cpp 2011-12-21 19:41:12 UTC (rev 103421)
+++ branches/safari-534.54-branch/Source/WebCore/page/FocusController.cpp 2011-12-21 19:42:20 UTC (rev 103422)
@@ -214,7 +214,7 @@
document->updateLayoutIgnorePendingStylesheets();
- Node* node = (direction == FocusDirectionForward)
+ RefPtr<Node> node = (direction == FocusDirectionForward)
? document->nextFocusableNode(currentNode, event)
: document->previousFocusableNode(currentNode, event);
@@ -237,7 +237,7 @@
frame = parentFrame;
}
- node = deepFocusableNode(direction, node, event);
+ node = deepFocusableNode(direction, node.get(), event);
if (!node) {
// We didn't find a node to focus, so we should try to pass focus to Chrome.
@@ -254,7 +254,7 @@
? d->nextFocusableNode(0, event)
: d->previousFocusableNode(0, event);
- node = deepFocusableNode(direction, node, event);
+ node = deepFocusableNode(direction, node.get(), event);
if (!node)
return false;
@@ -273,7 +273,7 @@
if (node->isFrameOwnerElement()) {
// We focus frames rather than frame owners.
// FIXME: We should not focus frames that have no scrollbars, as focusing them isn't useful to the user.
- HTMLFrameOwnerElement* owner = static_cast<HTMLFrameOwnerElement*>(node);
+ HTMLFrameOwnerElement* owner = static_cast<HTMLFrameOwnerElement*>(node.get());
if (!owner->contentFrame())
return false;
@@ -296,13 +296,13 @@
setFocusedFrame(newDocument->frame());
if (caretBrowsing) {
- Position position = firstPositionInOrBeforeNode(node);
+ Position position = firstPositionInOrBeforeNode(node.get());
VisibleSelection newSelection(position, position, DOWNSTREAM);
if (frame->selection()->shouldChangeSelection(newSelection))
frame->selection()->setSelection(newSelection);
}
- static_cast<Element*>(node)->focus(false);
+ static_cast<Element*>(node.get())->focus(false);
return true;
}
