Title: [132956] branches/safari-536.28-branch
- Revision
- 132956
- Author
- [email protected]
- Date
- 2012-10-30 16:21:25 -0700 (Tue, 30 Oct 2012)
Log Message
Merged r117224. <rdar://problem/12504539>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (132955 => 132956)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-10-30 23:17:39 UTC (rev 132955)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-10-30 23:21:25 UTC (rev 132956)
@@ -1,5 +1,19 @@
2012-10-30 Lucas Forschler <[email protected]>
+ Merge r117224
+
+ 2012-05-15 Abhishek Arya <[email protected]>
+
+ Crash in Document::nodeChildrenWillBeRemoved.
+ https://bugs.webkit.org/show_bug.cgi?id=85247
+
+ Reviewed by Hajime Morita.
+
+ * fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt: Added.
+ * fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml: Added.
+
+2012-10-30 Lucas Forschler <[email protected]>
+
Merge r116255.
2012-05-06 MORITA Hajime <[email protected]>
@@ -10383,3 +10397,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt (from rev 117224, trunk/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt) (0 => 132956)
--- branches/safari-536.28-branch/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt 2012-10-30 23:21:25 UTC (rev 132956)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Test passes if it does not crash.
Copied: branches/safari-536.28-branch/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml (from rev 117224, trunk/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml) (0 => 132956)
--- branches/safari-536.28-branch/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml 2012-10-30 23:21:25 UTC (rev 132956)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+Test passes if it does not crash.
+<object id="object" type="image/svg+xml" />
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+var count = 0;
+function setText() {
+ count++;
+ if (count > 100) {
+ document.removeEventListener("beforeload", setText, true);
+ finishJSTest();
+ }
+ gc(); // Because we are recursively entering into setText, can't gc() after this command.
+ document.getElementById("object").textContent = "A";
+}
+document.execCommand("SelectAll");
+document.getElementById("object").textContent = "A";
+document.addEventListener("beforeload", setText, true);
+event = document.createEvent("Event");
+event.initEvent("beforeload", false);
+document.documentElement.dispatchEvent(event);
+</script>
+<script src=""
+</html>
+
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (132955 => 132956)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-10-30 23:17:39 UTC (rev 132955)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-10-30 23:21:25 UTC (rev 132956)
@@ -1,5 +1,25 @@
2012-10-30 Lucas Forschler <[email protected]>
+ Merge r117224
+
+ 2012-05-15 Abhishek Arya <[email protected]>
+
+ Crash in Document::nodeChildrenWillBeRemoved.
+ https://bugs.webkit.org/show_bug.cgi?id=85247
+
+ Reviewed by Hajime Morita.
+
+ Reverse ordering of commands to ref ptr the children set
+ first before calling nodeChildrenWillBeRemoved, since it
+ can fire mutation events.
+
+ Test: fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml
+
+ * dom/ContainerNode.cpp:
+ (WebCore::willRemoveChildren):
+
+2012-10-30 Lucas Forschler <[email protected]>
+
Merge r116255.
2012-05-06 MORITA Hajime <[email protected]>
@@ -205368,3 +205388,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp (132955 => 132956)
--- branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp 2012-10-30 23:17:39 UTC (rev 132955)
+++ branches/safari-536.28-branch/Source/WebCore/dom/ContainerNode.cpp 2012-10-30 23:21:25 UTC (rev 132956)
@@ -337,11 +337,11 @@
static void willRemoveChildren(ContainerNode* container)
{
- container->document()->nodeChildrenWillBeRemoved(container);
-
NodeVector children;
getChildNodes(container, children);
+ container->document()->nodeChildrenWillBeRemoved(container);
+
#if ENABLE(MUTATION_OBSERVERS)
ChildListMutationScope mutation(container);
#endif
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
