Title: [121993] releases/WebKitGTK/webkit-1.8
Revision: 121993
Author: [email protected]
Date: 2012-07-06 13:00:55 -0700 (Fri, 06 Jul 2012)

Log Message

Merge 117224 - Crash in Document::nodeChildrenWillBeRemoved.
https://bugs.webkit.org/show_bug.cgi?id=85247

Patch by Abhishek Arya <[email protected]> on 2012-05-15
Reviewed by Hajime Morita.

Source/WebCore:

Reverse ordering of commands to ref ptr the children set
first before calling nodeChildrenWillBeRemoved, since it
can fire mutation events.

Test: fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml

* dom/ContainerNode.cpp:
(WebCore::willRemoveChildren):

LayoutTests:

* fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt: Added.
* fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml: Added.

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (121992 => 121993)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 20:00:41 UTC (rev 121992)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 20:00:55 UTC (rev 121993)
@@ -1,3 +1,13 @@
+2012-05-15  Abhishek Arya  <[email protected]>
+
+        Crash in Document::nodeChildrenWillBeRemoved.
+        https://bugs.webkit.org/show_bug.cgi?id=85247
+
+        Reviewed by Hajime Morita.
+
+        * fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt: Added.
+        * fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml: Added.
+
 2012-05-07  Ken Buchanan  <[email protected]>
 
         Crash due to positioned object list not being cleared during block flow split

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt (0 => 121993)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt	2012-07-06 20:00:55 UTC (rev 121993)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Test passes if it does not crash. 
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml (0 => 121993)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml	2012-07-06 20:00:55 UTC (rev 121993)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+Test passes if it does not crash.
+<object id="object" type="image/svg+xml" />
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+var count = 0;
+function setText() {
+    count++;
+    if (count > 100) {
+        document.removeEventListener("beforeload", setText, true);
+        finishJSTest();
+    }
+    gc(); // Because we are recursively entering into setText, can't gc() after this command.
+    document.getElementById("object").textContent = "A";
+}
+document.execCommand("SelectAll");
+document.getElementById("object").textContent = "A";
+document.addEventListener("beforeload", setText, true);
+event = document.createEvent("Event");
+event.initEvent("beforeload", false);
+document.documentElement.dispatchEvent(event);
+</script>
+<script src=""
+</html>
+
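Review bot: the helpers this test relies on are not visible in the hunk. `window.jsTestIsAsync`, `finishJSTest()` and the `successfullyParsed` line in the expected output come from the shared js-test harness, yet both `<script src=""` tags (lines 5 and 25 of the file) show an empty src and no closing `/>` in this listing, so as rendered the file is neither well-formed XHTML nor able to reach those functions. Confirm the committed file carries the real harness paths and self-closes both tags; the .xhtml extension means the document is parsed as XML, and a malformed tag would make the test fail for a reason unrelated to the crash it is meant to cover. Two smaller points: `gc()` is only provided by the layout-test runner, which is fine here but worth stating next to the existing comment; and `event.initEvent("beforeload", false)` omits the cancelable argument, so pass it explicitly as `initEvent("beforeload", false, false)`. The property change below also adds svn:executable to the test file, which a layout test does not need.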
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml
___________________________________________________________________

Added: svn:executable

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (121992 => 121993)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:00:41 UTC (rev 121992)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:00:55 UTC (rev 121993)
@@ -1,3 +1,19 @@
+2012-05-15  Abhishek Arya  <[email protected]>
+
+        Crash in Document::nodeChildrenWillBeRemoved.
+        https://bugs.webkit.org/show_bug.cgi?id=85247
+
+        Reviewed by Hajime Morita.
+
+        Reverse ordering of commands to ref ptr the children set
+        first before calling nodeChildrenWillBeRemoved, since it
+        can fire mutation events.
+
+        Test: fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml
+
+        * dom/ContainerNode.cpp:
+        (WebCore::willRemoveChildren):
+
 2012-05-10  Abhishek Arya  <[email protected]>
 
         Crash in swapInNodePreservingAttributesAndChildren.

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/ContainerNode.cpp (121992 => 121993)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/ContainerNode.cpp	2012-07-06 20:00:41 UTC (rev 121992)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/dom/ContainerNode.cpp	2012-07-06 20:00:55 UTC (rev 121993)
@@ -403,12 +403,12 @@
 
 static void willRemoveChildren(ContainerNode* container)
 {
+    NodeVector children;
+    getChildNodes(container, children);
+
     container->document()->nodeChildrenWillBeRemoved(container);
     container->document()->incDOMTreeVersion();
 
-    NodeVector children;
-    getChildNodes(container, children);
-
 #if ENABLE(MUTATION_OBSERVERS)
     ChildListMutationScope mutation(container);
 #endif
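Review bot: the new ordering is load-bearing but nothing in the code says so. Add a comment above the `getChildNodes(container, children)` call stating that the children must be snapshotted (and held by the NodeVector) before `nodeChildrenWillBeRemoved()`, because that call can fire mutation events and run script; otherwise the next refactor may move the two lines back into their old order. One caveat for the rest of `willRemoveChildren()` below this hunk: the snapshot now predates any script that runs inside `nodeChildrenWillBeRemoved()`, so `children` can disagree with `container`'s live child list by the time it is iterated. The refs keep the nodes alive, which is what fixes the crash, but code that assumes every entry is still a child of `container` needs to tolerate nodes that script has moved or removed, and children inserted by script will not be in the vector at all.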
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes