Title: [129271] branches/chromium/1229/Source/WebCore/dom/Document.cpp
- Revision
- 129271
- Author
- [email protected]
- Date
- 2012-09-21 16:22:18 -0700 (Fri, 21 Sep 2012)
Log Message
Merge 129270 - Crash in WebCore::Document::fullScreenChangeDelayTimerFired
BUG=147700
Review URL: https://codereview.chromium.org/10969052
Modified Paths
Diff
Modified: branches/chromium/1229/Source/WebCore/dom/Document.cpp (129270 => 129271)
--- branches/chromium/1229/Source/WebCore/dom/Document.cpp 2012-09-21 23:20:08 UTC (rev 129270)
+++ branches/chromium/1229/Source/WebCore/dom/Document.cpp 2012-09-21 23:22:18 UTC (rev 129271)
@@ -5743,6 +5743,10 @@
void Document::fullScreenChangeDelayTimerFired(Timer<Document>*)
{
+ // Since we dispatch events in this function, it's possible that the
+ // document will be detached and GC'd. We protect it here to make sure we
+ // can finish the function successfully.
+ RefPtr<Document> protectDocument(this);
Deque<RefPtr<Node> > changeQueue;
m_fullScreenChangeEventTargetQueue.swap(changeQueue);
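Review bot: The comment above the new `RefPtr<Document> protectDocument(this);` says the document may be "GC'd", but Document is reference-counted here (the guard itself is a RefPtr), so the accurate wording is that its last reference may be released during dispatch; suggest `// Since we dispatch events in this function, the document may be detached and its last reference dropped. Keep it alive until we return.` It is also worth saying in that comment that the protector only keeps `this` alive and does not prevent detachment, so members read after a dispatch (such as `documentElement()`) can still be null — that appears to be what the guards in the later two hunks cover. The body of fullScreenChangeDelayTimerFired continues outside this hunk.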
@@ -5750,6 +5754,9 @@
RefPtr<Node> node = changeQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the element was removed from our tree, also message the documentElement. Since we may
// have a document hierarchy, check that node isn't in another document.
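Review bot: The comment on the added `if (!node) continue;` points the wrong way: by the time this check runs, `documentElement()` has already returned null, so it is a dispatch from an earlier loop iteration that removed the document element, not the `dispatchEvent` below; suggest `// A dispatchEvent from an earlier iteration may have removed our documentElement.` The same wording appears on the identical guard in the error-queue hunk at `@@ -5766,6 +5773,9 @@`. Note also that `continue` silently drops that queue entry without logging or any assertion, which is presumably intended once the document element is gone, but a one-line comment stating that the remaining entries are deliberately discarded would make the intent explicit; the rest of the loop body is outside the hunk, so I cannot confirm what it does with the remaining queue.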
@@ -5766,6 +5773,9 @@
RefPtr<Node> node = errorQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the element was removed from our tree, also message the documentElement. Since we may
// have a document hierarchy, check that node isn't in another document.