Title: [112603] branches/chromium/1025
Revision
112603
Author
[email protected]
Date
2012-03-29 16:29:20 -0700 (Thu, 29 Mar 2012)

Log Message

Merge 110487
BUG=117724
Review URL: https://chromiumcodereview.appspot.com/9948001

Modified Paths

Added Paths

Diff

Copied: branches/chromium/1025/LayoutTests/fast/text/split-text-crash-expected.txt (from rev 110487, trunk/LayoutTests/fast/text/split-text-crash-expected.txt) (0 => 112603)


--- branches/chromium/1025/LayoutTests/fast/text/split-text-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1025/LayoutTests/fast/text/split-text-crash-expected.txt	2012-03-29 23:29:20 UTC (rev 112603)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Copied: branches/chromium/1025/LayoutTests/fast/text/split-text-crash.xhtml (from rev 110487, trunk/LayoutTests/fast/text/split-text-crash.xhtml) (0 => 112603)


--- branches/chromium/1025/LayoutTests/fast/text/split-text-crash.xhtml	                        (rev 0)
+++ branches/chromium/1025/LayoutTests/fast/text/split-text-crash.xhtml	2012-03-29 23:29:20 UTC (rev 112603)
@@ -0,0 +1,30 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<body></body>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+function crash() {
+    document.designMode = "on";
+    var textNode = document.body.appendChild(document.createTextNode("PASS. WebKit didn't crash."));
+    var range = document.createRange();
+    range.setStart(textNode, 0);
+    document.addEventListener("DOMNodeInserted", function () {
+        document.body.removeChild(textNode);
+        textNode = null;
+
+        if (window.layoutTestController) {
+            GCController.collect();
+            setTimeout("layoutTestController.notifyDone()", 0);
+        }
+    }, true);
+    try {
+        range.insertNode(document.createTextNode(""));
+    } catch(e) { }
+}
+
+window._onload_ = crash;
+</script>
+</html>
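Review bot: As shown here, the last script line assigns the handler to `window._onload_`, a property no browser invokes, so `crash()` would never run and the test would wait in `waitUntilDone()` until the harness times out instead of exercising the fix. This may be an artifact of how the archive rendered the page, but the landed file should be checked to read `window.onload = crash;`. Separately, `notifyDone()` is reached only from inside the DOMNodeInserted listener, so a build where that event does not fire also ends in a timeout rather than a clear failure.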

Modified: branches/chromium/1025/Source/WebCore/dom/Range.cpp (112602 => 112603)


--- branches/chromium/1025/Source/WebCore/dom/Range.cpp	2012-03-29 23:28:52 UTC (rev 112602)
+++ branches/chromium/1025/Source/WebCore/dom/Range.cpp	2012-03-29 23:29:20 UTC (rev 112603)
@@ -1036,11 +1036,15 @@
     }
 
     bool collapsed = m_start == m_end;
+    RefPtr<Node> container;
     if (startIsText) {
-        RefPtr<Text> newText = static_cast<Text*>(m_start.container())->splitText(m_start.offset(), ec);
+        container = m_start.container();
+        RefPtr<Text> newText = static_cast<Text*>(container.get())->splitText(m_start.offset(), ec);
         if (ec)
             return;
-        m_start.container()->parentNode()->insertBefore(newNode.release(), newText.get(), ec);
+        
+        container = m_start.container();
+        container->parentNode()->insertBefore(newNode.release(), newText.get(), ec);
         if (ec)
             return;
 
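Review bot: The re-read `container` before `insertBefore` is kept alive by the RefPtr, but `container->parentNode()` is dereferenced without a null check and without a reference of its own. `splitText()` can run script through mutation events (the new layout test removes the text node from a DOMNodeInserted listener), so by this point the start container may no longer be the node that was split, and it may have no parent. Consider `RefPtr<Node> parent = container->parentNode();` followed by `if (!parent) { ec = HIERARCHY_REQUEST_ERR; return; }`, then calling `insertBefore` on `parent`. The enclosing function starts and ends outside this hunk, so an earlier check that already rules this out would not be visible here.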
@@ -1054,7 +1058,8 @@
             lastChild = (newNodeType == Node::DOCUMENT_FRAGMENT_NODE) ? newNode->lastChild() : newNode;
 
         int startOffset = m_start.offset();
-        m_start.container()->insertBefore(newNode.release(), m_start.container()->childNode(startOffset), ec);
+        container = m_start.container();
+        container->insertBefore(newNode.release(), container->childNode(startOffset), ec);
         if (ec)
             return;
 
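Review bot: Nothing in the new lines says why `container` is a `RefPtr<Node>` rather than a direct `m_start.container()` call, so a later cleanup could fold it back and reintroduce the use-after-free this merge fixes. A short comment above the assignment would protect it, for example `// Hold a reference: insertBefore() can dispatch mutation events whose handlers drop the last reference to the container.` The same comment fits the two assignments in the hunk at -1036. The function body continues outside this hunk.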