Title: [116861] releases/WebKitGTK/webkit-1.8
- Revision: 116861
- Author: [email protected]
- Date: 2012-05-12 12:23:41 -0700 (Sat, 12 May 2012)
Log Message
Merging 111925.
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (116860 => 116861)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-12 19:14:19 UTC (rev 116860)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-12 19:23:41 UTC (rev 116861)
@@ -1,3 +1,13 @@
+2012-03-27 Adam Klein <[email protected]>
+
+ Hold a reference to refChild in insertBefore before calling collectChildrenAndRemoveFromOldParent
+ https://bugs.webkit.org/show_bug.cgi?id=82377
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/dom/insertBefore-refChild-crash-expected.txt: Added.
+ * fast/dom/insertBefore-refChild-crash.html: Added.
+
2012-04-18 Abhishek Arya <[email protected]>
Crash due to accessing removed parent lineboxes when clearing selection.
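Review bot: this entry lists fast/dom/insertBefore-refChild-crash.html and fast/dom/insertBefore-refChild-crash-expected.txt as Added, but neither file appears in the diff shown for this revision, which only touches the two ChangeLogs and ContainerNode.cpp. Please confirm the regression test was merged to the branch together with the fix; otherwise the 'Test:' line in the WebCore ChangeLog points at a file the branch does not have.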
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (116860 => 116861)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-12 19:14:19 UTC (rev 116860)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-12 19:23:41 UTC (rev 116861)
@@ -1,3 +1,19 @@
+2012-03-27 Adam Klein <[email protected]>
+
+ Hold a reference to refChild in insertBefore before calling collectChildrenAndRemoveFromOldParent
+ https://bugs.webkit.org/show_bug.cgi?id=82377
+
+ Reviewed by Ryosuke Niwa.
+
+ This fixes a regression from r111925.
+
+ Test: fast/dom/insertBefore-refChild-crash.html
+
+ * dom/ContainerNode.cpp:
+ (WebCore::ContainerNode::insertBefore): Move the 'next' RefPtr above the call to
+ collectChildrenAndRemoveFromOldParent and rename refChildPreviousSibling
+ to 'prev' (matching appendChild and replaceChild).
+
2012-04-26 Zan Dobersek <[email protected]>
[Gtk] WebKitGTK+ 1.8.1 fails to build when disabling HTML Video feature
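Review bot: 'This fixes a regression from r111925' in this entry conflicts with the commit log message 'Merging 111925', since the merged revision cannot be both the fix and the change that introduced the regression. Please correct the log message to name the upstream revision that carries this fix, and confirm that r111925 itself is already on the 1.8 branch.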
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/ContainerNode.cpp (116860 => 116861)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/ContainerNode.cpp 2012-05-12 19:14:19 UTC (rev 116860)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/ContainerNode.cpp 2012-05-12 19:23:41 UTC (rev 116861)
@@ -127,6 +127,8 @@
return false;
}
+ RefPtr<Node> next = refChild;
+
NodeVector targets;
collectTargetNodes(newChild.get(), targets);
if (targets.isEmpty())
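Review bot: the ChangeLog says 'next' must be taken before collectChildrenAndRemoveFromOldParent, but the call that follows the new 'RefPtr<Node> next = refChild;' in this hunk is 'collectTargetNodes(newChild.get(), targets);'. Please confirm that on this branch collectTargetNodes is the call that can release the last reference to refChild, and add a one-line comment above 'next' saying so, so the declaration is not moved back below the call in a later cleanup.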
@@ -140,8 +142,7 @@
ChildListMutationScope mutation(this);
#endif
- RefPtr<Node> next = refChild;
- RefPtr<Node> refChildPreviousSibling = refChild->previousSibling();
+ RefPtr<Node> prev = next->previousSibling();
for (NodeVector::const_iterator it = targets.begin(); it != targets.end(); ++it) {
Node* child = it->get();
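Review bot: 'RefPtr<Node> prev = next->previousSibling();' assumes 'next' is still a child of this container after the targets were collected; holding the reference keeps the node alive but does not keep it attached. The visible lines show no re-check of the parent of 'next' before this read, so please confirm one exists in the elided part of the function, or add one here so that 'prev' is not taken from a different parent's child list.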
@@ -174,7 +175,7 @@
insertBeforeCommon(next.get(), child);
// Send notification about the children change.
- childrenChanged(false, refChildPreviousSibling.get(), next.get(), 1);
+ childrenChanged(false, prev.get(), next.get(), 1);
notifyChildInserted(child);
// Add child to the rendering tree.
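Review bot: 'prev' in 'childrenChanged(false, prev.get(), next.get(), 1);' is the sibling captured once before the loop, while this call sits next to code using the loop variable 'child' and so appears to run once per target; from the second insertion on, the node directly before 'next' is the previously inserted child rather than 'prev'. The rename keeps the earlier behaviour, but the shorter name hides that this is the pre-insertion sibling, so a brief comment at the declaration of 'prev' would make that intent clear.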
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes