Title: [106972] trunk
Revision
106972
Author
infe...@chromium.org
Date
2012-02-07 12:01:42 -0800 (Tue, 07 Feb 2012)

Log Message

Crash in ContainerNode functions due to mutation events.
https://bugs.webkit.org/show_bug.cgi?id=77999

Reviewed by Ryosuke Niwa.

Source/WebCore:

Add RefPtr to protect premature deletion of this due to mutation events.

Tests: fast/dom/remove-body-during-body-replacement.html
       fast/dom/remove-body-during-body-replacement2.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::insertBefore):
(WebCore::ContainerNode::replaceChild):
(WebCore::ContainerNode::removeChild):
(WebCore::ContainerNode::appendChild):

LayoutTests:

* fast/dom/remove-body-during-body-replacement-expected.txt: Added.
* fast/dom/remove-body-during-body-replacement.html: Added.
* fast/dom/remove-body-during-body-replacement2-expected.txt: Added.
* fast/dom/remove-body-during-body-replacement2.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (106971 => 106972)


--- trunk/LayoutTests/ChangeLog	2012-02-07 19:59:12 UTC (rev 106971)
+++ trunk/LayoutTests/ChangeLog	2012-02-07 20:01:42 UTC (rev 106972)
@@ -1,3 +1,15 @@
+2012-02-07  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in ContainerNode functions due to mutation events.
+        https://bugs.webkit.org/show_bug.cgi?id=77999
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/dom/remove-body-during-body-replacement-expected.txt: Added.
+        * fast/dom/remove-body-during-body-replacement.html: Added.
+        * fast/dom/remove-body-during-body-replacement2-expected.txt: Added.
+        * fast/dom/remove-body-during-body-replacement2.html: Added.
+
 2012-02-07  Joshua Bell  <jsb...@chromium.org>
 
         [Chromium] storage/indexeddb/index-cursor.html timeouts on Mac Debug

Added: trunk/LayoutTests/fast/dom/remove-body-during-body-replacement-expected.txt (0 => 106972)


--- trunk/LayoutTests/fast/dom/remove-body-during-body-replacement-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/remove-body-during-body-replacement-expected.txt	2012-02-07 20:01:42 UTC (rev 106972)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/fast/dom/remove-body-during-body-replacement.html (0 => 106972)


--- trunk/LayoutTests/fast/dom/remove-body-during-body-replacement.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/remove-body-during-body-replacement.html	2012-02-07 20:01:42 UTC (rev 106972)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<body><div><script>
+
+if (!window.layoutTestController)
+    document.write("This test requires GCController.");
+else {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+
+    function crash() {
+        document.open();
+        document.write("PASS. WebKit didn't crash.");
+        document.close();
+        GCController.collect();
+        setTimeout("layoutTestController.notifyDone()", 0);
+    }
+
+    setTimeout(function () {
+        document.addEventListener('DOMNodeInsertedIntoDocument', function () { crash(); }, true);
+        document.addEventListener('DOMSubtreeModified', function () { /* noop */ }, false);
+        document.body = document.createElement('body');
+    }, 0);
+}
+
+</script>
+</body>
+</html>
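Review bot: the fallback message on the `document.write("This test requires GCController.")` line does not match the condition it follows, which checks `window.layoutTestController`, not `GCController`; either name the object actually being checked or test both (`if (!window.layoutTestController || !window.GCController)`), since `crash()` calls `GCController.collect()` unconditionally. A one-line comment on the `DOMSubtreeModified` noop listener, explaining why the test registers a handler it never uses, would also help the next reader see which dispatch path the test is meant to exercise.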

Added: trunk/LayoutTests/fast/dom/remove-body-during-body-replacement2-expected.txt (0 => 106972)


--- trunk/LayoutTests/fast/dom/remove-body-during-body-replacement2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/remove-body-during-body-replacement2-expected.txt	2012-02-07 20:01:42 UTC (rev 106972)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/fast/dom/remove-body-during-body-replacement2.html (0 => 106972)


--- trunk/LayoutTests/fast/dom/remove-body-during-body-replacement2.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/remove-body-during-body-replacement2.html	2012-02-07 20:01:42 UTC (rev 106972)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<body><div><script>
+
+if (!window.layoutTestController)
+    document.write("This test requires GCController.");
+else {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+
+    function crash() {
+        document.open();
+        document.write("PASS. WebKit didn't crash.");
+        document.close();
+        GCController.collect();
+        setTimeout("layoutTestController.notifyDone()", 0);
+    }
+
+    setTimeout(function () {
+        document.addEventListener('DOMFocusOut', function () { crash(); }, true);
+        document.addEventListener('DOMSubtreeModified', function () { /* noop */ }, false);
+        document.designMode = "on";
+        document.execCommand("SelectAll");
+        document.body.outerText = "ABC";
+    }, 0);
+}
+
+</script>
+</body>
+</html>
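Review bot: same mismatch as in the first test between the `window.layoutTestController` check and the "This test requires GCController." message; apply the same fix here. Because `crash()` runs from a `DOMFocusOut` handler fired while `document.body.outerText = "ABC"` is replacing the body, and `document.open()` inside that handler discards the document, a short comment naming that sequence as the intended trigger would make the test self-explanatory without reading the bug.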

Modified: trunk/Source/WebCore/ChangeLog (106971 => 106972)


--- trunk/Source/WebCore/ChangeLog	2012-02-07 19:59:12 UTC (rev 106971)
+++ trunk/Source/WebCore/ChangeLog	2012-02-07 20:01:42 UTC (rev 106972)
@@ -1,3 +1,21 @@
+2012-02-07  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in ContainerNode functions due to mutation events.
+        https://bugs.webkit.org/show_bug.cgi?id=77999
+
+        Reviewed by Ryosuke Niwa.
+
+        Add RefPtr to protect premature deletion of this due to mutation events.
+
+        Tests: fast/dom/remove-body-during-body-replacement.html
+               fast/dom/remove-body-during-body-replacement2.html
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::insertBefore):
+        (WebCore::ContainerNode::replaceChild):
+        (WebCore::ContainerNode::removeChild):
+        (WebCore::ContainerNode::appendChild):
+
 2012-02-07  Dana Jansens  <dan...@chromium.org>
 
         [Chromium] Memory bug during occlusion tracking if Vector::append() needs to reallocate the buffer

Modified: trunk/Source/WebCore/dom/ContainerNode.cpp (106971 => 106972)


--- trunk/Source/WebCore/dom/ContainerNode.cpp	2012-02-07 19:59:12 UTC (rev 106971)
+++ trunk/Source/WebCore/dom/ContainerNode.cpp	2012-02-07 20:01:42 UTC (rev 106972)
@@ -115,6 +115,8 @@
     // If it is, it can be deleted as a side effect of sending mutation events.
     ASSERT(refCount() || parentOrHostNode());
 
+    RefPtr<Node> protect(this);
+
     ec = 0;
 
     // insertBefore(node, 0) is equivalent to appendChild(node)
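Review bot: placing `RefPtr<Node> protect(this);` after the `ASSERT(refCount() || parentOrHostNode())` is correct, since the ASSERT documents the precondition and the protector then guarantees `this` outlives any mutation-event dispatch for the rest of the function; but the comment above the ASSERT still reads "it can be deleted as a side effect of sending mutation events", which is exactly what `protect` now prevents. Add a one-line comment on the new line (or adjust the existing one) so the two do not read as contradicting each other, and consider `RefPtr<ContainerNode>` here to match the type used in `appendChild`.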
@@ -260,6 +262,8 @@
     // If it is, it can be deleted as a side effect of sending mutation events.
     ASSERT(refCount() || parentOrHostNode());
 
+    RefPtr<Node> protect(this);
+
     ec = 0;
 
     if (oldChild == newChild) // nothing to do
@@ -426,6 +430,8 @@
     // If it is, it can be deleted as a side effect of sending mutation events.
     ASSERT(refCount() || parentOrHostNode());
 
+    RefPtr<Node> protect(this);
+
     ec = 0;
 
     // NO_MODIFICATION_ALLOWED_ERR: Raised if this node is readonly.
@@ -604,7 +610,7 @@
 
 bool ContainerNode::appendChild(PassRefPtr<Node> newChild, ExceptionCode& ec, bool shouldLazyAttach)
 {
-    RefPtr<ContainerNode> protector(this);
+    RefPtr<ContainerNode> protect(this);
 
     // Check that this node is not "floating".
     // If it is, it can be deleted as a side effect of sending mutation events.
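Review bot: this hunk only renames `protector` to `protect`, which is fine for consistency with the three new protectors, but the type still differs (`RefPtr<ContainerNode>` here versus `RefPtr<Node>` in `insertBefore`, `replaceChild` and `removeChild`). Pick one type for all four sites so the pattern is uniform, and since the three new sites added the protector without explanation, the existing "Check that this node is not 'floating'" comment block is the natural place to note that `protect` is what keeps `this` alive across mutation-event dispatch.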
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes