[webkit-changes] [109363] branches/chromium/963

Thu, 01 Mar 2012 10:24:20 -0800

Title: [109363] branches/chromium/963
Revision
109363
Author
[email protected]
Date
2012-03-01 10:24:14 -0800 (Thu, 01 Mar 2012)

Log Message

Merge 107749
BUG=111748
Review URL: https://chromiumcodereview.appspot.com/9564014


Modified Paths




Added Paths

Diff

Copied: branches/chromium/963/LayoutTests/fast/dom/Range/surround-contents-font-face-crash-expected.txt (from rev 107749, trunk/LayoutTests/fast/dom/Range/surround-contents-font-face-crash-expected.txt) (0 => 109363)


--- branches/chromium/963/LayoutTests/fast/dom/Range/surround-contents-font-face-crash-expected.txt	                        (rev 0)
+++ branches/chromium/963/LayoutTests/fast/dom/Range/surround-contents-font-face-crash-expected.txt	2012-03-01 18:24:14 UTC (rev 109363)
@@ -0,0 +1,7 @@
+ALERT: PASS. WebKit didn't crash.
+This page contains the following errors:
+
+error on line 20 at column 10: Extra content at the end of the document
+Below is a rendering of the page up to the first error.
+
+

Copied: branches/chromium/963/LayoutTests/fast/dom/Range/surround-contents-font-face-crash.svg (from rev 107749, trunk/LayoutTests/fast/dom/Range/surround-contents-font-face-crash.svg) (0 => 109363)


--- branches/chromium/963/LayoutTests/fast/dom/Range/surround-contents-font-face-crash.svg	                        (rev 0)
+++ branches/chromium/963/LayoutTests/fast/dom/Range/surround-contents-font-face-crash.svg	2012-03-01 18:24:14 UTC (rev 109363)
@@ -0,0 +1,20 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<font>
+    <font-face id="f" font-family="SVGArial"/>
+<stop id="s"/>
+<script>
+
+if (!window.layoutTestController)
+    alert("This test requires GCController")
+else {
+    var range = document.createRange();
+    range.selectNodeContents( document.getElementById('s') );
+    GCController.collect();
+    range.surroundContents( document.getElementById('f') );
+    GCController.collect();
+
+    layoutTestController.dumpAsText();
+    alert("PASS. WebKit didn't crash.");
+}
+
+</script>

Modified: branches/chromium/963/Source/WebCore/dom/ContainerNodeAlgorithms.h (109362 => 109363)


--- branches/chromium/963/Source/WebCore/dom/ContainerNodeAlgorithms.h	2012-03-01 18:19:03 UTC (rev 109362)
+++ branches/chromium/963/Source/WebCore/dom/ContainerNodeAlgorithms.h	2012-03-01 18:24:14 UTC (rev 109363)
@@ -135,8 +135,10 @@
                     head = n;
 
                 tail = n;
-            } else
+            } else {
+                RefPtr<GenericNode> protect(n); // removedFromDocument may remove remove all references to this node.
                 NodeRemovalDispatcher<GenericNode, ShouldDispatchRemovalNotification<GenericNode>::value>::dispatch(n);
+            }
         }
 
         container->setFirstChild(0);

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to