[webkit-changes] [118055] branches/chromium/1132

Tue, 22 May 2012 14:25:14 -0700

Title: [118055] branches/chromium/1132
Revision
118055
Author
[email protected]
Date
2012-05-22 14:24:37 -0700 (Tue, 22 May 2012)

Log Message

Merge 117224
BUG=125730
Review URL: https://chromiumcodereview.appspot.com/10411078


Modified Paths




Added Paths

Diff

Copied: branches/chromium/1132/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt (from rev 117224, trunk/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt) (0 => 118055)


--- branches/chromium/1132/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt	2012-05-22 21:24:37 UTC (rev 118055)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Test passes if it does not crash.

Copied: branches/chromium/1132/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml (from rev 117224, trunk/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml) (0 => 118055)


--- branches/chromium/1132/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml	2012-05-22 21:24:37 UTC (rev 118055)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+Test passes if it does not crash.
+<object id="object" type="image/svg+xml" />
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+var count = 0;
+function setText() {
+    count++;
+    if (count > 100) {
+        document.removeEventListener("beforeload", setText, true);
+        finishJSTest();
+    }
+    gc(); // Because we are recursively entering into setText, can't gc() after this command.
+    document.getElementById("object").textContent = "A";
+}
+document.execCommand("SelectAll");
+document.getElementById("object").textContent = "A";
+document.addEventListener("beforeload", setText, true);
+event = document.createEvent("Event");
+event.initEvent("beforeload", false);
+document.documentElement.dispatchEvent(event);
+</script>
+<script src=""
+</html>
+

Modified: branches/chromium/1132/Source/WebCore/dom/ContainerNode.cpp (118054 => 118055)


--- branches/chromium/1132/Source/WebCore/dom/ContainerNode.cpp	2012-05-22 21:22:57 UTC (rev 118054)
+++ branches/chromium/1132/Source/WebCore/dom/ContainerNode.cpp	2012-05-22 21:24:37 UTC (rev 118055)
@@ -337,11 +337,11 @@
 
 static void willRemoveChildren(ContainerNode* container)
 {
-    container->document()->nodeChildrenWillBeRemoved(container);
-
     NodeVector children;
     getChildNodes(container, children);
 
+    container->document()->nodeChildrenWillBeRemoved(container);
+
 #if ENABLE(MUTATION_OBSERVERS)
     ChildListMutationScope mutation(container);
 #endif

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to