Title: [133710] branches/safari-536.28-branch/Source/WebCore
- Revision
- 133710
- Author
- [email protected]
- Date
- 2012-11-06 18:47:06 -0800 (Tue, 06 Nov 2012)
Log Message
Merged r129270. <rdar://problem/12536542>
Modified Paths
Diff
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133709 => 133710)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-07 02:36:36 UTC (rev 133709)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-07 02:47:06 UTC (rev 133710)
@@ -1,5 +1,25 @@
2012-11-06 Lucas Forschler <[email protected]>
+ Merge r129270
+
+ 2012-09-21 Jeremy Apthorp <[email protected]>
+
+ Crash in WebCore::Document::fullScreenChangeDelayTimerFired
+ https://bugs.webkit.org/show_bug.cgi?id=97367
+
+ Reviewed by Abhishek Arya.
+
+ The document could be destroyed during the processing of the
+ fullscreenchange event, if the document was destroyed as a result of
+ one of the dispatchEvent calls.
+
+ This bug isn't reliably reproducible, so no new tests.
+
+ * dom/Document.cpp:
+ (WebCore::Document::fullScreenChangeDelayTimerFired):
+
+2012-11-06 Lucas Forschler <[email protected]>
+
Merge r128964
2012-09-18 Eric Carlson <[email protected]>
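Review bot: the ChangeLog entry says "no new tests" because the crash is not reliably reproducible, but the guarded condition in the Document.cpp change (documentElement() returning null after a dispatchEvent) is deterministic to trigger from script: a fullscreenchange or fullscreenerror listener that removes the document element exercises exactly the new `if (!node) continue;` path. A layout test along those lines would cover the null-documentElement branch even if the original teardown crash itself cannot be reproduced on demand; consider adding one rather than leaving the fix untested.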
@@ -206887,3 +206907,4 @@
.
.
.
+.
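Review bot: the second ChangeLog hunk appends a line at the very end of the file, far from the merged r129270 entry, and nothing in the commit message accounts for it. If this is only a stray trailing line introduced while merging, drop it so the merge touches the ChangeLog in one place; if it is intentional, say so in the log message.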
Modified: branches/safari-536.28-branch/Source/WebCore/dom/Document.cpp (133709 => 133710)
--- branches/safari-536.28-branch/Source/WebCore/dom/Document.cpp 2012-11-07 02:36:36 UTC (rev 133709)
+++ branches/safari-536.28-branch/Source/WebCore/dom/Document.cpp 2012-11-07 02:47:06 UTC (rev 133710)
@@ -5702,6 +5702,10 @@
void Document::fullScreenChangeDelayTimerFired(Timer<Document>*)
{
+ // Since we dispatch events in this function, it's possible that the
+ // document will be detached and GC'd. We protect it here to make sure we
+ // can finish the function successfully.
+ RefPtr<Document> protectDocument(this);
Deque<RefPtr<Node> > changeQueue;
m_fullScreenChangeEventTargetQueue.swap(changeQueue);
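Review bot: the new comment describes the hazard as the document being "detached and GC'd", but Document is reference counted and the `RefPtr<Document> protectDocument(this);` guard only keeps the refcount from reaching zero while events are dispatched; it does not prevent the document from being detached from its frame. Reword the comment to say what the protector actually buys (the Document object stays alive until the function returns, even if an event handler drops the last external reference), so a later reader does not assume detachment is also prevented and skip the null checks below. The protector is correctly placed before the first dispatchEvent, since `changeQueue` holds `RefPtr<Node>` and already keeps the queued nodes alive.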
@@ -5709,6 +5713,9 @@
RefPtr<Node> node = changeQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the element was removed from our tree, also message the documentElement.
if (!contains(node.get()))
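Review bot: the comment "The dispatchEvent below may have blown away our documentElement" is misleading at this position; the `if (!node) continue;` guard handles a documentElement that was already removed by a dispatchEvent in an earlier iteration of this loop (or before the timer fired), not by the one that follows. Consider "A previous dispatchEvent may have removed our documentElement." Also, the `if (!contains(node.get()))` branch whose body is outside this hunk presumably falls back to documentElement() as well; if it assigns `node = documentElement()` it needs the same null check, otherwise the dispatch on that path can still dereference null after the element is removed mid-loop.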
@@ -5724,6 +5731,9 @@
RefPtr<Node> node = errorQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the node was removed from our tree, also message the documentElement.
if (!contains(node.get()))
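Review bot: the fullscreenerror loop now duplicates the dequeue-and-fallback sequence of the fullscreenchange loop line for line (takeFirst, fall back to documentElement(), null-check, contains() check), so the two guards can drift apart on the next fix. Consider factoring the shared part into a small helper that returns the node to message (or null when there is nothing left to target) and have both loops call it, which keeps the null-documentElement handling in one place. Same comment-wording point as above: the dispatchEvent that can remove the documentElement is a previous one, not the one below.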
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes