Title: [193736] branches/safari-601-branch
- Revision
- 193736
- Author
- bshaf...@apple.com
- Date
- 2015-12-08 00:51:59 -0800 (Tue, 08 Dec 2015)
Log Message
Merged r192433. rdar://problem/23787115
Diff
Modified: branches/safari-601-branch/LayoutTests/ChangeLog (193735 => 193736)
--- branches/safari-601-branch/LayoutTests/ChangeLog 2015-12-08 08:51:08 UTC (rev 193735)
+++ branches/safari-601-branch/LayoutTests/ChangeLog 2015-12-08 08:51:59 UTC (rev 193736)
@@ -1,5 +1,20 @@
2015-12-08 Babak Shafiei <bshaf...@apple.com>
+ Merge r192433.
+
+ 2015-11-13 Jiewen Tan <jiewen_...@apple.com>
+
+ Element::focus() should acquire the ownership of Frame.
+ https://bugs.webkit.org/show_bug.cgi?id=150204
+ <rdar://problem/23136794>
+
+ Reviewed by Brent Fulgham.
+
+ * editing/selection/focus-iframe-removal-crash-expected.txt: Added.
+ * editing/selection/focus-iframe-removal-crash.html: Added.
+
+2015-12-08 Babak Shafiei <bshaf...@apple.com>
+
Merge r192389.
2015-11-12 Zalan Bujtas <za...@apple.com>
Copied: branches/safari-601-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt (from rev 193707, branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt) (0 => 193736)
--- branches/safari-601-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt (rev 0)
+++ branches/safari-601-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt 2015-12-08 08:51:59 UTC (rev 193736)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Copied: branches/safari-601-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html (from rev 193707, branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html) (0 => 193736)
--- branches/safari-601-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html (rev 0)
+++ branches/safari-601-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html 2015-12-08 08:51:59 UTC (rev 193736)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<iframe></iframe>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function run()
+{
+ var iframe = document.getElementsByTagName('iframe')[0];
+ iframe.contentDocument.documentElement.contentEditable = true;
+ iframe.contentDocument.documentElement.addEventListener('focusout', function () {
+ iframe.parentNode.removeChild(iframe);
+ }, false);
+ iframe.contentDocument.documentElement.focus();
+
+ document.write("PASS. WebKit didn't crash.");
+}
+
+document.addEventListener('DOMContentLoaded', run);
+</script>
+</body>
+</html>
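Review bot: the PASS line is only reached if focus() returns normally, so a regression that throws instead of crashing would surface as a text mismatch rather than a crash; that is the right distinction for this test, but it relies on document.write() being called after DOMContentLoaded, which implicitly reopens and clears the document, so the expected file must contain exactly the single line "PASS. WebKit didn't crash." and nothing from the original markup. Worth a one-line comment in the test saying so, since a future edit that moves the document.write() before the focus() call (or into the focusout handler) would silently change what gets dumped.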
Modified: branches/safari-601-branch/Source/WebCore/ChangeLog (193735 => 193736)
--- branches/safari-601-branch/Source/WebCore/ChangeLog 2015-12-08 08:51:08 UTC (rev 193735)
+++ branches/safari-601-branch/Source/WebCore/ChangeLog 2015-12-08 08:51:59 UTC (rev 193736)
@@ -1,5 +1,27 @@
2015-12-08 Babak Shafiei <bshaf...@apple.com>
+ Merge r192433.
+
+ 2015-11-13 Jiewen Tan <jiewen_...@apple.com>
+
+ Element::focus() should acquire the ownership of Frame.
+ https://bugs.webkit.org/show_bug.cgi?id=150204
+ <rdar://problem/23136794>
+
+ Reviewed by Brent Fulgham.
+
+ The FrameSelection::setSelection method sometimes releases the last reference to a frame.
+ When this happens, the Element::updateFocusAppearance would attempt to use dereferenced memory.
+ Instead, we should ensure that the Frame lifetime is guaranteed to extend through the duration
+ of the method call.
+
+ Test: editing/selection/focus-iframe-removal-crash.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::updateFocusAppearance):
+
+2015-12-08 Babak Shafiei <bshaf...@apple.com>
+
Merge r192389.
2015-11-12 Zalan Bujtas <za...@apple.com>
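Review bot: "would attempt to use dereferenced memory" in the description misstates the bug class; releasing the last reference to the Frame leaves updateFocusAppearance() with a dangling pointer, so the failure is a use of freed memory (a use-after-free), not of dereferenced memory. Suggest "would attempt to use freed memory". The rest of the entry matches the code change: a RefPtr<Frame> held across the setSelection() call.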
Modified: branches/safari-601-branch/Source/WebCore/dom/Element.cpp (193735 => 193736)
--- branches/safari-601-branch/Source/WebCore/dom/Element.cpp 2015-12-08 08:51:08 UTC (rev 193735)
+++ branches/safari-601-branch/Source/WebCore/dom/Element.cpp 2015-12-08 08:51:59 UTC (rev 193736)
@@ -2182,7 +2182,8 @@
void Element::updateFocusAppearance(bool /*restorePreviousSelection*/)
{
if (isRootEditableElement()) {
- Frame* frame = document().frame();
+ // Keep frame alive in this method, since setSelection() may release the last reference to |frame|.
+ RefPtr<Frame> frame = document().frame();
if (!frame)
return;
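Review bot: holding `frame` in a RefPtr<Frame> for the duration of the method fixes the lifetime problem the comment describes, but the hunk's context ends at the null check, and the setSelection() call the comment refers to is below the shown lines. Please confirm that nothing else derived from `frame` before that call (for example a cached reference to `frame->selection()` or to a render object) is used after it, since keeping the Frame alive does not keep objects that the Frame drops during setSelection() alive. The null check itself is unchanged in meaning: `if (!frame)` on a RefPtr tests the managed pointer, so no behaviour change there.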
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes