Title: [129270] trunk/Source/WebCore
Revision: 129270
Author: [email protected]
Date: 2012-09-21 16:20:08 -0700 (Fri, 21 Sep 2012)
Log Message
Crash in WebCore::Document::fullScreenChangeDelayTimerFired
https://bugs.webkit.org/show_bug.cgi?id=97367
Patch by Jeremy Apthorp <[email protected]> on 2012-09-21
Reviewed by Abhishek Arya.
The document could be destroyed during the processing of the
fullscreenchange event, if the document was destroyed as a result of
one of the dispatchEvent calls.
This bug isn't reliably reproducible, so no new tests.
* dom/Document.cpp:
(WebCore::Document::fullScreenChangeDelayTimerFired):
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/dom/Document.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (129269 => 129270)
--- trunk/Source/WebCore/ChangeLog 2012-09-21 23:18:55 UTC (rev 129269)
+++ trunk/Source/WebCore/ChangeLog 2012-09-21 23:20:08 UTC (rev 129270)
@@ -1,3 +1,19 @@
+2012-09-21 Jeremy Apthorp <[email protected]>
+
+ Crash in WebCore::Document::fullScreenChangeDelayTimerFired
+ https://bugs.webkit.org/show_bug.cgi?id=97367
+
+ Reviewed by Abhishek Arya.
+
+ The document could be destroyed during the processing of the
+ fullscreenchange event, if the document was destroyed as a result of
+ one of the dispatchEvent calls.
+
+ This bug isn't reliably reproducible, so no new tests.
+
+ * dom/Document.cpp:
+ (WebCore::Document::fullScreenChangeDelayTimerFired):
+
2012-09-21 Pratik Solanki <[email protected]>
No need to pass order file for WebCoreTestSupport build
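Review bot: the ChangeLog entry only describes the RefPtr protector, but the Document.cpp diff also adds two `if (!node) continue;` guards for documentElement() returning null in the change-queue and error-queue loops; that is a separate behaviour change (a pending notification is now dropped instead of dereferencing null) and should be called out under the `(WebCore::Document::fullScreenChangeDelayTimerFired):` line. On "no new tests": the description already names the trigger (a dispatchEvent from fullscreenchange handling destroying the document), so a layout test whose fullscreenchange listener tears down the hosting frame is worth attempting before settling for no coverage.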
Modified: trunk/Source/WebCore/dom/Document.cpp (129269 => 129270)
--- trunk/Source/WebCore/dom/Document.cpp 2012-09-21 23:18:55 UTC (rev 129269)
+++ trunk/Source/WebCore/dom/Document.cpp 2012-09-21 23:20:08 UTC (rev 129270)
@@ -5768,6 +5768,10 @@
void Document::fullScreenChangeDelayTimerFired(Timer<Document>*)
{
+ // Since we dispatch events in this function, it's possible that the
+ // document will be detached and GC'd. We protect it here to make sure we
+ // can finish the function successfully.
+ RefPtr<Document> protectDocument(this);
Deque<RefPtr<Node> > changeQueue;
m_fullScreenChangeEventTargetQueue.swap(changeQueue);
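Review bot: the new comment overstates what `RefPtr<Document> protectDocument(this);` buys: it keeps the Document's refcount above zero for the duration of the function, so "destroyed" is the accurate word rather than "GC'd", and it does nothing to stop the document from being detached by one of the dispatched handlers. Reword to something like "a dispatched handler may detach and drop the last reference to this document; hold one so the rest of this function can run" so a later reader does not assume the protector makes the detached-document case safe; the remaining code in this function must still cope with detachment on its own.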
@@ -5775,6 +5779,9 @@
RefPtr<Node> node = changeQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the element was removed from our tree, also message the documentElement. Since we may
// have a document hierarchy, check that node isn't in another document.
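Review bot: the comment "The dispatchEvent below may have blown away our documentElement" points the wrong way; the check runs before any dispatch in this iteration, so it is a dispatchEvent from an earlier iteration (or earlier fullscreen processing) that can have left documentElement() null. Reword to "A previous dispatchEvent may have removed our documentElement." The `continue` also silently drops the queued notification for that null-sentinel entry, which is fine since there is no element left to notify, but a short comment saying so would help. Finally, the context comment right below says this path also messages the documentElement when the element was removed from the tree; confirm that branch tolerates documentElement() returning null too, since the new guard only covers the case where `node` itself resolved to null.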
@@ -5791,6 +5798,9 @@
RefPtr<Node> node = errorQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the element was removed from our tree, also message the documentElement. Since we may
// have a document hierarchy, check that node isn't in another document.
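Review bot: this guard and its comment duplicate the change-queue hunk verbatim, and the two loops share the same takeFirst / fall back to documentElement() / dispatch structure; factoring the dequeue-and-validate step into one helper would keep the two null checks from drifting apart the next time one of them is touched. The same wording fix applies here: the dispatchEvent that can have removed the documentElement is the previous one, not the one "below".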
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes