Title: [112323] trunk
Revision
112323
Author
[email protected]
Date
2012-03-27 15:13:06 -0700 (Tue, 27 Mar 2012)

Log Message

Hold a reference to refChild in insertBefore before calling collectChildrenAndRemoveFromOldParent
https://bugs.webkit.org/show_bug.cgi?id=82377

Reviewed by Ryosuke Niwa.

Source/WebCore:

This fixes a regression from r111925.

Test: fast/dom/insertBefore-refChild-crash.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::insertBefore): Move the 'next' RefPtr above the call to
collectChildrenAndRemoveFromOldParent and rename refChildPreviousSibling
to 'prev' (matching appendChild and replaceChild).

LayoutTests:

* fast/dom/insertBefore-refChild-crash-expected.txt: Added.
* fast/dom/insertBefore-refChild-crash.html: Added.

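As an added illustration (not code from the WebKit change or project), a self-contained C++ model of the lifetime bug this commit message describes: a listener that runs while newChild is being removed from its old parent drops the last owner of refChild, so only a reference taken before the call keeps refChild alive when it is dereferenced afterwards. `Node`, `removeChildren`, `onRemoved` and `refChildSurvives` are stand-ins constructed here, with `std::shared_ptr`/`std::weak_ptr` in place of WebCore's `RefPtr`.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Stand-ins for WebCore's Node and RefPtr, constructed for this example:
// children are owning references, onRemoved plays the DOMNodeRemoved listener.
struct Node {
    std::vector<std::shared_ptr<Node>> children;
    std::function<void()> onRemoved;

    // Detach every child, firing each child's listener while it is being removed
    // (the way collectChildrenAndRemoveFromOldParent dispatches mutation events).
    void removeChildren() {
        auto detached = std::move(children);
        children.clear();
        for (auto& child : detached)
            if (child->onRemoved) child->onRemoved();
        // `detached` dies here: any child no one else references is freed.
    }
};

// Models insertBefore(newChild, refChild) up to the point where refChild is
// dereferenced. holdRef=false keeps only a weak (raw-pointer-like) handle across
// the mutation dispatch, as r111925 did; holdRef=true takes the RefPtr first,
// as r112323 does. Returns whether refChild is still alive at that point.
bool refChildSurvives(bool holdRef) {
    auto container = std::make_shared<Node>();
    auto refChild = std::make_shared<Node>();
    container->children.push_back(refChild);       // refChild is container's only child
    auto oldParent = std::make_shared<Node>();
    auto newChild = std::make_shared<Node>();
    oldParent->children.push_back(newChild);
    // Mirrors the layout test: while newChild is being removed from its old
    // parent, the listener wipes the container, dropping refChild's last owner.
    newChild->onRemoved = [container] { container->children.clear(); };

    std::weak_ptr<Node> observer = refChild;       // lets us ask "is it alive?" safely
    std::shared_ptr<Node> next;
    if (holdRef)
        next = refChild;                           // RefPtr<Node> next = refChild;
    refChild.reset();                              // like a raw Node* argument: no ownership

    oldParent->removeChildren();                   // collectChildrenAndRemoveFromOldParent(...)
    return !observer.expired();                    // next->previousSibling() would run here
}

int main() {
    return (refChildSurvives(false) == false && refChildSurvives(true)) ? 0 : 1;
}
```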
Diff

Modified: trunk/LayoutTests/ChangeLog (112322 => 112323)


--- trunk/LayoutTests/ChangeLog	2012-03-27 22:07:18 UTC (rev 112322)
+++ trunk/LayoutTests/ChangeLog	2012-03-27 22:13:06 UTC (rev 112323)
@@ -1,3 +1,13 @@
+2012-03-27  Adam Klein  <[email protected]>
+
+        Hold a reference to refChild in insertBefore before calling collectChildrenAndRemoveFromOldParent
+        https://bugs.webkit.org/show_bug.cgi?id=82377
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/dom/insertBefore-refChild-crash-expected.txt: Added.
+        * fast/dom/insertBefore-refChild-crash.html: Added.
+
 2012-03-27  Ryosuke Niwa  <[email protected]>
 
         cssText should not generate literal 'initial' in shorthand properties

Added: trunk/LayoutTests/fast/dom/insertBefore-refChild-crash-expected.txt (0 => 112323)


--- trunk/LayoutTests/fast/dom/insertBefore-refChild-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/insertBefore-refChild-crash-expected.txt	2012-03-27 22:13:06 UTC (rev 112323)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/dom/insertBefore-refChild-crash.html (0 => 112323)


--- trunk/LayoutTests/fast/dom/insertBefore-refChild-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/insertBefore-refChild-crash.html	2012-03-27 22:13:06 UTC (rev 112323)
@@ -0,0 +1,18 @@
+<div>Test passes if it does not crash.</div>
+<span id=container><span></span></span>
+<span id=newChild></span>
+<script src=""
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var container = document.getElementById('container');
+var newChild = document.getElementById('newChild');
+newChild.addEventListener('DOMNodeRemoved', function() {
+    container.innerHTML = '';
+    gc();
+}, false);
+var range = document.createRange();
+range.selectNodeContents(container);
+range.insertNode(newChild);
+</script>
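Review bot: the line `<script src=""` is not a complete element (no closing `>`, no `</script>`, empty `src`), yet the script below calls `gc()` without defining it; as written the first tag swallows the following `<script>` and the test cannot reach the crash path. The tag should be closed and `src` pointed at the helper that provides `gc()`. A one-line comment in the listener would also help future readers: the DOMNodeRemoved handler runs while `newChild` is being removed from its old parent, and `innerHTML = ''` plus `gc()` there destroys the inner span that `insertNode` is about to use as refChild.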

Modified: trunk/Source/WebCore/ChangeLog (112322 => 112323)


--- trunk/Source/WebCore/ChangeLog	2012-03-27 22:07:18 UTC (rev 112322)
+++ trunk/Source/WebCore/ChangeLog	2012-03-27 22:13:06 UTC (rev 112323)
@@ -1,3 +1,19 @@
+2012-03-27  Adam Klein  <[email protected]>
+
+        Hold a reference to refChild in insertBefore before calling collectChildrenAndRemoveFromOldParent
+        https://bugs.webkit.org/show_bug.cgi?id=82377
+
+        Reviewed by Ryosuke Niwa.
+
+        This fixes a regression from r111925.
+
+        Test: fast/dom/insertBefore-refChild-crash.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::insertBefore): Move the 'next' RefPtr above the call to
+        collectChildrenAndRemoveFromOldParent and rename refChildPreviousSibling
+        to 'prev' (matching appendChild and replaceChild).
+
 2012-03-27  Ryosuke Niwa  <[email protected]>
 
         cssText should not generate literal 'initial' in shorthand properties

Modified: trunk/Source/WebCore/dom/ContainerNode.cpp (112322 => 112323)


--- trunk/Source/WebCore/dom/ContainerNode.cpp	2012-03-27 22:07:18 UTC (rev 112322)
+++ trunk/Source/WebCore/dom/ContainerNode.cpp	2012-03-27 22:13:06 UTC (rev 112323)
@@ -142,6 +142,8 @@
     if (refChild->previousSibling() == newChild || refChild == newChild) // nothing to do
         return true;
 
+    RefPtr<Node> next = refChild;
+
     NodeVector targets;
     collectChildrenAndRemoveFromOldParent(newChild.get(), targets, ec);
     if (ec)
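Review bot: the new `RefPtr<Node> next = refChild;` sits in the right place, above `collectChildrenAndRemoveFromOldParent`, but nothing at that site says why it must stay there. Since r111925 moved it below the call and this hunk moves it back, a short comment such as "collectChildrenAndRemoveFromOldParent can dispatch mutation events whose handlers may remove refChild; hold it first" would stop the next refactor from reintroducing the regression.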
@@ -153,8 +155,7 @@
     ChildListMutationScope mutation(this);
 #endif
 
-    RefPtr<Node> next = refChild;
-    RefPtr<Node> refChildPreviousSibling = refChild->previousSibling();
+    RefPtr<Node> prev = next->previousSibling();
     for (NodeVector::const_iterator it = targets.begin(); it != targets.end(); ++it) {
         Node* child = it->get();
 
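Review bot: `RefPtr<Node> prev = next->previousSibling();` is now read after the removal, so if a mutation handler detached `next` (refChild) from this container, `prev` is its previous sibling wherever it now lives (or null), and `insertBeforeCommon(next.get(), child)` below inserts relative to a node that is no longer a child of `this`. Holding the RefPtr removes the use-after-free, but the hunk shows no re-check that `next->parentNode() == this` after `collectChildrenAndRemoveFromOldParent`; if the unseen surrounding code does not validate that, a check that sets `ec` and returns (or falls back to append) after the removal would close the remaining logic gap.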
@@ -176,7 +177,7 @@
         insertBeforeCommon(next.get(), child);
 
         // Send notification about the children change.
-        childrenChanged(false, refChildPreviousSibling.get(), next.get(), 1);
+        childrenChanged(false, prev.get(), next.get(), 1);
         notifyChildInserted(child);
 
         // Add child to the rendering tree.