Diff
Modified: trunk/LayoutTests/ChangeLog (159595 => 159596)
--- trunk/LayoutTests/ChangeLog 2013-11-21 00:54:05 UTC (rev 159595)
+++ trunk/LayoutTests/ChangeLog 2013-11-21 01:07:19 UTC (rev 159596)
@@ -1,3 +1,13 @@
+2013-11-20 Ryosuke Niwa <[email protected]>
+
+ Clear TemplateContentDocumentFragment::m_host when HTMLTemplateElement is destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=122806
+
+ Reviewed by Antti Koivisto.
+
+ * fast/dom/HTMLTemplateElement/content-outlives-template-crash-expected.txt: Added.
+ * fast/dom/HTMLTemplateElement/content-outlives-template-crash.html: Added.
+
2013-11-20 Chris Fleizach <[email protected]>
AX: Implement CSS -webkit-alt property (text alternative for generated content pseudo-elements ::before and ::after)
Added: trunk/LayoutTests/fast/dom/HTMLTemplateElement/content-outlives-template-crash-expected.txt (0 => 159596)
--- trunk/LayoutTests/fast/dom/HTMLTemplateElement/content-outlives-template-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLTemplateElement/content-outlives-template-crash-expected.txt 2013-11-21 01:07:19 UTC (rev 159596)
@@ -0,0 +1 @@
+Test passes if it does not crash
Added: trunk/LayoutTests/fast/dom/HTMLTemplateElement/content-outlives-template-crash.html (0 => 159596)
--- trunk/LayoutTests/fast/dom/HTMLTemplateElement/content-outlives-template-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLTemplateElement/content-outlives-template-crash.html 2013-11-21 01:07:19 UTC (rev 159596)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<div>Test passes if it does not crash</div>
+<script src=""
+<script>
+if (window.testRunner) testRunner.dumpAsText();
+var template = document.createElement('template');
+var content = template.content;
+template = null;
+gc();
+content.appendChild(document.createElement('div'));
+</script>
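Review bot: The test carries no comment saying what it guards, and the `gc()` call after `template = null;` depends on a helper that is not defined in the visible lines. The `<script src` line above it appears truncated in this view, so that include presumably supplies it. I would add, right after the doctype, `<!-- Regression test for bug 122806: the content fragment must not keep a stale host pointer after its template element is collected. -->`. A single `gc()` pass may not be guaranteed to collect the element (for example if a stale reference is still found on the stack), in which case the test passes without ever running the destructor path. Running it under a memory-checking build would surface a regression directly instead of depending on a crash.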
Modified: trunk/Source/WebCore/ChangeLog (159595 => 159596)
--- trunk/Source/WebCore/ChangeLog 2013-11-21 00:54:05 UTC (rev 159595)
+++ trunk/Source/WebCore/ChangeLog 2013-11-21 01:07:19 UTC (rev 159596)
@@ -1,3 +1,22 @@
+2013-11-20 Ryosuke Niwa <[email protected]>
+
+ Clear TemplateContentDocumentFragment::m_host when HTMLTemplateElement is destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=122806
+
+ Reviewed by Antti Koivisto.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/858ed5f6341de9d900768c1f4668fcfce870c52e
+
+ The document fragment of a template element outlives the element itself.
+ Clear the host property on the document fragment when that happens.
+
+ Test: fast/dom/HTMLTemplateElement/content-outlives-template-crash.html
+
+ * dom/TemplateContentDocumentFragment.h:
+ * html/HTMLTemplateElement.cpp:
+ (WebCore::HTMLTemplateElement::~HTMLTemplateElement):
+ * html/HTMLTemplateElement.h:
+
2013-11-20 Chris Fleizach <[email protected]>
AX: Implement CSS -webkit-alt property (text alternative for generated content pseudo-elements ::before and ::after)
Modified: trunk/Source/WebCore/dom/TemplateContentDocumentFragment.h (159595 => 159596)
--- trunk/Source/WebCore/dom/TemplateContentDocumentFragment.h 2013-11-21 00:54:05 UTC (rev 159595)
+++ trunk/Source/WebCore/dom/TemplateContentDocumentFragment.h 2013-11-21 01:07:19 UTC (rev 159596)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Google Inc. All rights reserved.
+ * Copyright (C) 2012, 2013 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -41,6 +41,7 @@
}
const Element* host() const { return m_host; }
+ void clearHost() { m_host = 0; }
private:
TemplateContentDocumentFragment(Document& document, const Element* host)
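Review bot: With `clearHost()` added, `host()` can return null for a fragment that has outlived its template element, but nothing in this hunk documents that and the callers of `host()` are outside the diff. I would add `// Null once the owning HTMLTemplateElement has been destroyed; callers must check.` above `host()`, and confirm that each existing caller null-checks before dereferencing. `m_host` appears to be a raw, non-owning pointer, so `clearHost()` is the only thing that keeps it from dangling; a short comment on it saying it is called from `~HTMLTemplateElement` would make that contract explicit. The class body starts and ends outside the hunk.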
Modified: trunk/Source/WebCore/html/HTMLTemplateElement.cpp (159595 => 159596)
--- trunk/Source/WebCore/html/HTMLTemplateElement.cpp 2013-11-21 00:54:05 UTC (rev 159595)
+++ trunk/Source/WebCore/html/HTMLTemplateElement.cpp 2013-11-21 01:07:19 UTC (rev 159596)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Google Inc. All rights reserved.
+ * Copyright (C) 2012, 2013 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -51,6 +51,8 @@
HTMLTemplateElement::~HTMLTemplateElement()
{
+ if (m_content)
+ m_content->clearHost();
}
PassRefPtr<HTMLTemplateElement> HTMLTemplateElement::create(const QualifiedName& tagName, Document& document)
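Review bot: The destructor is the only place this change resets the fragment's host back-pointer. If any other path drops or replaces `m_content` while script still holds the fragment (none is visible in this hunk), the old fragment would keep a stale host. I would record the reason in the destructor with `// The content fragment is ref-counted and may outlive this element; drop its raw back-pointer.`. If `m_content` is reassigned anywhere else in this file, the same `clearHost()` call belongs there before the assignment.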
Modified: trunk/Source/WebCore/html/HTMLTemplateElement.h (159595 => 159596)
--- trunk/Source/WebCore/html/HTMLTemplateElement.h 2013-11-21 00:54:05 UTC (rev 159595)
+++ trunk/Source/WebCore/html/HTMLTemplateElement.h 2013-11-21 01:07:19 UTC (rev 159596)
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, Google Inc. All rights reserved.
+ * Copyright (c) 2012, 2013 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -33,11 +33,13 @@
#if ENABLE(TEMPLATE_ELEMENT)
-#include "DocumentFragment.h"
#include "HTMLElement.h"
namespace WebCore {
+class DocumentFragment;
+class TemplateContentDocumentFragment;
+
class HTMLTemplateElement FINAL : public HTMLElement {
public:
static PassRefPtr<HTMLTemplateElement> create(const QualifiedName&, Document&);
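Review bot: Replacing `#include "DocumentFragment.h"` with forward declarations makes `RefPtr<TemplateContentDocumentFragment> m_content` (changed in the next hunk) a smart pointer to an incomplete type in this header. That is only safe if every member that touches `m_content` is defined in a .cpp that includes `TemplateContentDocumentFragment.h`; this covers the destructor and anything that hands it out as a `DocumentFragment`. The matching include change in HTMLTemplateElement.cpp is not visible in this diff, so please confirm it is there. Any file that was getting `DocumentFragment.h` transitively through this header will now need its own include.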
@@ -51,7 +53,7 @@
virtual PassRefPtr<Node> cloneNode(bool deep) OVERRIDE;
virtual void didMoveToNewDocument(Document* oldDocument) OVERRIDE;
- mutable RefPtr<DocumentFragment> m_content;
+ mutable RefPtr<TemplateContentDocumentFragment> m_content;
};
NODE_TYPE_CASTS(HTMLTemplateElement)