Title: [189308] branches/safari-601-branch
- Revision: 189308
- Author: [email protected]
- Date: 2015-09-03 16:06:27 -0700 (Thu, 03 Sep 2015)
Log Message
Merged r188014. rdar://problem/22316553
Diff
Modified: branches/safari-601-branch/LayoutTests/ChangeLog (189307 => 189308)
--- branches/safari-601-branch/LayoutTests/ChangeLog 2015-09-03 23:05:13 UTC (rev 189307)
+++ branches/safari-601-branch/LayoutTests/ChangeLog 2015-09-03 23:06:27 UTC (rev 189308)
@@ -1,5 +1,22 @@
2015-09-03 Babak Shafiei <[email protected]>
+ Merge r188014.
+
+ 2015-08-05 Chris Dumez <[email protected]>
+
+ Crash when removing children of a MathMLSelectElement
+ https://bugs.webkit.org/show_bug.cgi?id=147704
+ <rdar://problem/21940321>
+
+ Reviewed by Ryosuke Niwa.
+
+ Add layout test that reproduces the crash under guardmalloc.
+
+ * mathml/maction-removeChild-expected.txt: Added.
+ * mathml/maction-removeChild.html: Added.
+
+2015-09-03 Babak Shafiei <[email protected]>
+
Merge r187564.
2015-07-29 Zalan Bujtas <[email protected]>
Copied: branches/safari-601-branch/LayoutTests/mathml/maction-removeChild-expected.txt (from rev 188014, trunk/LayoutTests/mathml/maction-removeChild-expected.txt) (0 => 189308)
--- branches/safari-601-branch/LayoutTests/mathml/maction-removeChild-expected.txt (rev 0)
+++ branches/safari-601-branch/LayoutTests/mathml/maction-removeChild-expected.txt 2015-09-03 23:06:27 UTC (rev 189308)
@@ -0,0 +1,3 @@
+This test passes if it does not crash
+
+
Copied: branches/safari-601-branch/LayoutTests/mathml/maction-removeChild.html (from rev 188014, trunk/LayoutTests/mathml/maction-removeChild.html) (0 => 189308)
--- branches/safari-601-branch/LayoutTests/mathml/maction-removeChild.html (rev 0)
+++ branches/safari-601-branch/LayoutTests/mathml/maction-removeChild.html 2015-09-03 23:06:27 UTC (rev 189308)
@@ -0,0 +1,19 @@
+<!doctype html>
+<html>
+ <body>
+ <p>This test passes if it does not crash</p>
+ <math>
+ <maction id="testSelect" actiontype="toggle" selection="2">
+ <mi>g</mi>
+ <mspace/>
+ </maction>
+ </math>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var testSelect = document.getElementById("testSelect");
+ testSelect.innerHTML = "123.123.123";
+ </script>
+ </body>
+</html>
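Review bot: The script at the end of maction-removeChild.html only exercises the innerHTML setter (`testSelect.innerHTML = "123.123.123";`), although the file is named for removeChild and the bug title is about removing children. Consider adding a case that removes the children of the maction with removeChild() directly, so that both ways of removing the selected child are covered. Also, the LayoutTests ChangeLog says the crash reproduces under guardmalloc, so a regression could pass silently on a normal run where the stale pointer read does not fault; a short comment in the test stating that it is meant to be run under guardmalloc would help whoever triages it later.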
Modified: branches/safari-601-branch/Source/WebCore/ChangeLog (189307 => 189308)
--- branches/safari-601-branch/Source/WebCore/ChangeLog 2015-09-03 23:05:13 UTC (rev 189307)
+++ branches/safari-601-branch/Source/WebCore/ChangeLog 2015-09-03 23:06:27 UTC (rev 189308)
@@ -1,5 +1,29 @@
2015-09-03 Babak Shafiei <[email protected]>
+ Merge r188014.
+
+ 2015-08-05 Chris Dumez <[email protected]>
+
+ Crash when removing children of a MathMLSelectElement
+ https://bugs.webkit.org/show_bug.cgi?id=147704
+ <rdar://problem/21940321>
+
+ Reviewed by Ryosuke Niwa.
+
+ When MathMLSelectElement::childrenChanged() is called after its
+ children have been removed, MathMLSelectElement calls
+ updateSelectedChild() which accesses m_selectedChild. However,
+ in this case, m_selectedChild is the previously selected child
+ and it may be destroyed as this point if it was removed. To avoid
+ this problem, MathMLSelectElement now keep a strong ref to the
+ currently selected element.
+
+ Test: mathml/maction-removeChild.html
+
+ * mathml/MathMLSelectElement.h:
+
+2015-09-03 Babak Shafiei <[email protected]>
+
Merge r187564.
2015-07-29 Zalan Bujtas <[email protected]>
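Review bot: Two wording slips in the explanatory paragraph of the new entry: "as this point" should read "at this point", and "now keep a strong ref" should read "now keeps a strong ref". The file list also ends with a bare "* mathml/MathMLSelectElement.h:" and no description; a short note that m_selectedChild changed from Element* to RefPtr<Element> would make the entry self-contained.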
Modified: branches/safari-601-branch/Source/WebCore/mathml/MathMLSelectElement.h (189307 => 189308)
--- branches/safari-601-branch/Source/WebCore/mathml/MathMLSelectElement.h 2015-09-03 23:05:13 UTC (rev 189307)
+++ branches/safari-601-branch/Source/WebCore/mathml/MathMLSelectElement.h 2015-09-03 23:06:27 UTC (rev 189308)
@@ -56,7 +56,7 @@
Element* getSelectedSemanticsChild();
void updateSelectedChild() override;
- Element* m_selectedChild;
+ RefPtr<Element> m_selectedChild;
};
}
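Review bot: The new `RefPtr<Element> m_selectedChild;` declaration has no comment explaining why this member owns its target, and the reason (childrenChanged() runs after the child has already been removed, per the WebCore ChangeLog) is not obvious from the header alone. Please add a one-line comment above the member so a later cleanup does not turn it back into a raw pointer. It is also worth confirming in the .cpp, which is not part of this diff, that updateSelectedChild() clears or replaces the ref when the selected child goes away, because the strong ref now keeps a removed element alive until then.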