Title: [116864] trunk
Revision: 116864
Author: [email protected]
Date: 2012-05-12 21:22:42 -0700 (Sat, 12 May 2012)
Log Message
Crash in HTMLSelectElement::setOption
https://bugs.webkit.org/show_bug.cgi?id=85420
Source/WebCore:
Reviewed by Eric Seidel
RefPtr before option in HTMLSelectElement::setOption since it
can get destroyed due to mutation events.
Test: fast/dom/HTMLSelectElement/option-add-crash.html
* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::setOption):
LayoutTests:
Reviewed by Eric Seidel.
* fast/dom/HTMLSelectElement/option-add-crash-expected.txt: Added.
* fast/dom/HTMLSelectElement/option-add-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (116863 => 116864)
--- trunk/LayoutTests/ChangeLog 2012-05-13 03:51:08 UTC (rev 116863)
+++ trunk/LayoutTests/ChangeLog 2012-05-13 04:22:42 UTC (rev 116864)
@@ -1,3 +1,13 @@
+2012-05-12 Abhishek Arya <[email protected]>
+
+ Crash in HTMLSelectElement::setOption
+ https://bugs.webkit.org/show_bug.cgi?id=85420
+
+ Reviewed by Eric Seidel.
+
+ * fast/dom/HTMLSelectElement/option-add-crash-expected.txt: Added.
+ * fast/dom/HTMLSelectElement/option-add-crash.html: Added.
+
2012-05-12 Philip Rogers <[email protected]>
Cleanup before changing attributeName in SVG <animate>
Added: trunk/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash-expected.txt (0 => 116864)
--- trunk/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash-expected.txt 2012-05-13 04:22:42 UTC (rev 116864)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS. WebKit didn't crash.
Added: trunk/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html (0 => 116864)
--- trunk/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html 2012-05-13 04:22:42 UTC (rev 116864)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<script>
+function crash()
+{
+ try {
+ document.getElementsByTagName('option')[0].parentNode.removeChild(document.getElementsByTagName('option')[0]);
+ } catch (Exception) {}
+
+ gc();
+}
+document.write("PASS. WebKit didn't crash.<select></select>");
+var select1 = document.getElementsByTagName('select')[0];
+select1.appendChild(document.createElement('option'));
+select1.appendChild(document.createElement('option'));
+document.addEventListener("DOMSubtreeModified", crash, false);
+try {
+ select1.options[0] = new Option("", "");
+} catch (Exception) { }
+</script>
+<script src=""
+</html>
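Review bot: The empty `catch (Exception) {}` blocks, both in crash() and around `select1.options[0] = new Option("", "")`, swallow every error, so the test still shows PASS if the assignment throws for an unrelated reason and never exercises the code path under test. Drop the try/catch around the assignment, or log the caught exception, so an unexpected failure appears in the expected output. crash() also stays registered for DOMSubtreeModified for the rest of the page; removing the listener after its first run would keep later mutations from re-entering it.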
Property changes on: trunk/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html
___________________________________________________________________
Added: svn:executable
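Review bot: The svn:executable property is being added to option-add-crash.html, and an HTML layout test has no reason to be executable. Remove the property before landing so the file is checked in with normal permissions.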
Modified: trunk/Source/WebCore/ChangeLog (116863 => 116864)
--- trunk/Source/WebCore/ChangeLog 2012-05-13 03:51:08 UTC (rev 116863)
+++ trunk/Source/WebCore/ChangeLog 2012-05-13 04:22:42 UTC (rev 116864)
@@ -1,3 +1,18 @@
+2012-05-12 Abhishek Arya <[email protected]>
+
+ Crash in HTMLSelectElement::setOption
+ https://bugs.webkit.org/show_bug.cgi?id=85420
+
+ Reviewed by Eric Seidel
+
+ RefPtr before option in HTMLSelectElement::setOption since it
+ can get destroyed due to mutation events.
+
+ Test: fast/dom/HTMLSelectElement/option-add-crash.html
+
+ * html/HTMLSelectElement.cpp:
+ (WebCore::HTMLSelectElement::setOption):
+
2012-05-12 Robin Dunn <[email protected]>
[wx] Restore text paste implementation.
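Review bot: The description "RefPtr before option ... since it can get destroyed due to mutation events" does not say which call in setOption dispatches the events, or that the raw pointer was afterwards passed to add(). One more sentence naming that sequence would make the entry useful to anyone auditing similar raw-pointer patterns later.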
Modified: trunk/Source/WebCore/html/HTMLSelectElement.cpp (116863 => 116864)
--- trunk/Source/WebCore/html/HTMLSelectElement.cpp 2012-05-13 03:51:08 UTC (rev 116863)
+++ trunk/Source/WebCore/html/HTMLSelectElement.cpp 2012-05-13 04:22:42 UTC (rev 116864)
@@ -413,7 +413,7 @@
if (index > maxSelectItems - 1)
index = maxSelectItems - 1;
int diff = index - length();
- HTMLElement* before = 0;
+ RefPtr<HTMLElement> before = 0;
// Out of array bounds? First insert empty dummies.
if (diff > 0) {
setLength(index, ec);
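Review bot: On `RefPtr<HTMLElement> before = 0;` the `= 0` initializer is redundant, since a default-constructed RefPtr is already null; `RefPtr<HTMLElement> before;` reads cleaner. A short comment on that line saying the reference is held because mutation events can run script before add() is reached would stop a later cleanup from turning it back into a raw pointer.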
@@ -424,7 +424,7 @@
}
// Finally add the new element.
if (!ec) {
- add(option, before, ec);
+ add(option, before.get(), ec);
if (diff >= 0 && option->selected())
optionSelectionStateChanged(option, true);
}
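Review bot: After `add(option, before.get(), ec);` the next line calls `option->selected()` without rechecking ec. Holding `before` in a RefPtr keeps it alive, but a mutation handler can still detach it from the select (the new layout test removes an option in its DOMSubtreeModified listener), so add() may be handed a reference node that is no longer a child; if it reports that through ec, optionSelectionStateChanged should not run. Consider testing `!ec` again after add(), and confirm that the raw `option` pointer is kept alive by the caller across the same events.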