Title: [188033] releases/WebKitGTK/webkit-2.8
Revision
188033
Author
carlo...@webkit.org
Date
2015-08-06 01:47:54 -0700 (Thu, 06 Aug 2015)

Log Message

Merge r188014 - Crash when removing children of a MathMLSelectElement
https://bugs.webkit.org/show_bug.cgi?id=147704
<rdar://problem/21940321>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When MathMLSelectElement::childrenChanged() is called after its
children have been removed, MathMLSelectElement calls
updateSelectedChild() which accesses m_selectedChild. However,
in this case, m_selectedChild is the previously selected child
and it may be destroyed at this point if it was removed. To avoid
this problem, MathMLSelectElement now keeps a strong ref to the
currently selected element.

Test: mathml/maction-removeChild.html

* mathml/MathMLSelectElement.h:

LayoutTests:

Add layout test that reproduces the crash under guardmalloc.

* mathml/maction-removeChild-expected.txt: Added.
* mathml/maction-removeChild.html: Added.
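The log message describes a classic dangling-pointer pattern: a parent caches a raw pointer to one of its children, the children are replaced, and a callback fired by that replacement touches the cached pointer after the child has already been freed. The toy model below is an added example written for this page, not WebKit code; `Node`, `RefPtr` and `SelectContainer` are simplified stand-ins for WebCore's `Element`, `WTF::RefPtr` and `MathMLSelectElement`, and the live-address set is a constructed instrumentation hook so the stale pointer can be inspected without dereferencing it. The same container is instantiated twice, once holding the selection as `Node*` (the shape of the code before the fix) and once as `RefPtr<Node>` (the shape after it), so the two lifetimes can be compared directly.

```cpp
// Toy model of the lifetime bug fixed in MathMLSelectElement.
// Added example for this page, not WebKit code: Node / RefPtr / SelectContainer
// are simplified stand-ins for WebCore::Element, WTF::RefPtr and
// MathMLSelectElement. g_liveNodes is constructed instrumentation only.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

static std::set<const void*> g_liveNodes;   // addresses of nodes not yet destroyed

class Node {
public:
    explicit Node(int id) : m_id(id) { g_liveNodes.insert(this); }
    ~Node() { g_liveNodes.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    int id() const { return m_id; }
private:
    int m_id;
    unsigned m_refCount { 0 };
};

// Minimal intrusive smart pointer with the same contract as WTF::RefPtr:
// holding one keeps the pointee alive.
template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(T* p) { if (p) p->ref(); T* old = m_ptr; m_ptr = p; if (old) old->deref(); return *this; }
    RefPtr& operator=(const RefPtr& o) { return *this = o.m_ptr; }
    T* get() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

static bool isLive(const void* p) { return g_liveNodes.count(p) != 0; }

// A parent that remembers which child is "selected". SelectedPtr is either
// Node* (the pre-fix layout) or RefPtr<Node> (the post-fix layout).
template<typename SelectedPtr>
class SelectContainer {
public:
    void appendChild(Node* n) { m_children.push_back(RefPtr<Node>(n)); }
    void selectChild(size_t i) { m_selected = m_children.at(i).get(); }
    // Mirrors an innerHTML replacement: all children are dropped, then the
    // childrenChanged() callback runs while m_selected still names the
    // previously selected child. The replacement is allocated by the caller
    // before the old children die, so no freed address is recycled here.
    void replaceChildren(Node* replacement) {
        m_children.clear();
        m_children.push_back(RefPtr<Node>(replacement));
        childrenChanged();
    }
    bool previouslySelectedWasLiveAtCallback() const { return m_wasLive; }
private:
    // Instead of dereferencing (which would be the real use-after-free in the
    // raw-pointer case), record whether the cached pointer still refers to a
    // live node at the moment the callback observes it.
    void childrenChanged() { m_wasLive = isLive(toRaw(m_selected)); }
    static const Node* toRaw(Node* p) { return p; }
    static const Node* toRaw(const RefPtr<Node>& p) { return p.get(); }
    std::vector<RefPtr<Node>> m_children;
    SelectedPtr m_selected {};
    bool m_wasLive { true };
};

// Pre-fix shape: the selected child is freed by clear(), so the pointer seen
// by childrenChanged() is dangling. Returns false.
bool rawPointerKeepsSelectedAlive() {
    SelectContainer<Node*> c;
    c.appendChild(new Node(1));
    c.appendChild(new Node(2));
    c.selectChild(1);
    c.replaceChildren(new Node(3));
    return c.previouslySelectedWasLiveAtCallback();
}

// Post-fix shape: the strong ref keeps the detached child alive until the
// container reassigns or releases it. Returns true.
bool refPtrKeepsSelectedAlive() {
    SelectContainer<RefPtr<Node>> c;
    c.appendChild(new Node(1));
    c.appendChild(new Node(2));
    c.selectChild(1);
    c.replaceChildren(new Node(3));
    return c.previouslySelectedWasLiveAtCallback();
}

int main() {
    std::printf("raw Node* selection live after replace:   %s\n", rawPointerKeepsSelectedAlive() ? "yes" : "no");
    std::printf("RefPtr<Node> selection live after replace: %s\n", refPtrKeepsSelectedAlive() ? "yes" : "no");
    return 0;
}
```

The point of the model is the one the commit relies on: the refcount owned by the child list is the only thing keeping a child alive, so any second reference that outlives the list must be a strong one. Under guardmalloc the raw-pointer variant of the real code faults on first access; the model substitutes a live-address check so it stays safe to run.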

Diff

Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (188032 => 188033)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-08-06 08:19:48 UTC (rev 188032)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-08-06 08:47:54 UTC (rev 188033)
@@ -1,3 +1,16 @@
+2015-08-05  Chris Dumez  <cdu...@apple.com>
+
+        Crash when removing children of a MathMLSelectElement
+        https://bugs.webkit.org/show_bug.cgi?id=147704
+        <rdar://problem/21940321>
+
+        Reviewed by Ryosuke Niwa.
+
+        Add layout test that reproduces the crash under guardmalloc.
+
+        * mathml/maction-removeChild-expected.txt: Added.
+        * mathml/maction-removeChild.html: Added.
+
 2015-07-28  Simon Fraser  <simon.fra...@apple.com>
 
         Animations sometimes fail to start

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/mathml/maction-removeChild-expected.txt (0 => 188033)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/mathml/maction-removeChild-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/mathml/maction-removeChild-expected.txt	2015-08-06 08:47:54 UTC (rev 188033)
@@ -0,0 +1,3 @@
+This test passes if it does not crash
+
+

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/mathml/maction-removeChild.html (0 => 188033)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/mathml/maction-removeChild.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/mathml/maction-removeChild.html	2015-08-06 08:47:54 UTC (rev 188033)
@@ -0,0 +1,19 @@
+<!doctype html>
+<html>
+  <body>
+    <p>This test passes if it does not crash</p>
+    <math>
+      <maction id="testSelect" actiontype="toggle" selection="2">
+        <mi>g</mi>
+        <mspace/>
+      </maction>
+    </math>
+    <script>
+      if (window.testRunner)
+        testRunner.dumpAsText();
+
+      var testSelect = document.getElementById("testSelect");
+      testSelect.innerHTML = "123.123.123";
+    </script>
+  </body>
+</html>
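Review bot: the test file is named maction-removeChild but the script only exercises the innerHTML replacement path (`testSelect.innerHTML = "123.123.123";`); consider adding an explicit `removeChild()` of the currently selected `<mspace/>` (selected via `selection="2"`, which is 1-based) so the regression test covers the removal route its name advertises as well. Also, as the ChangeLog states, the crash only surfaces under guardmalloc, so on a normal build without the fix this test passes silently; a one-line comment in the HTML saying so would save the next person from assuming the test is inert.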

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (188032 => 188033)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-08-06 08:19:48 UTC (rev 188032)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-08-06 08:47:54 UTC (rev 188033)
@@ -1,3 +1,23 @@
+2015-08-05  Chris Dumez  <cdu...@apple.com>
+
+        Crash when removing children of a MathMLSelectElement
+        https://bugs.webkit.org/show_bug.cgi?id=147704
+        <rdar://problem/21940321>
+
+        Reviewed by Ryosuke Niwa.
+
+        When MathMLSelectElement::childrenChanged() is called after its
+        children have been removed, MathMLSelectElement calls
+        updateSelectedChild() which accesses m_selectedChild. However,
+        in this case, m_selectedChild is the previously selected child
+        and it may be destroyed as this point if it was removed. To avoid
+        this problem, MathMLSelectElement now keep a strong ref to the
+        currently selected element.
+
+        Test: mathml/maction-removeChild.html
+
+        * mathml/MathMLSelectElement.h:
+
 2015-08-03  Brady Eidson  <beid...@apple.com>
 
         Crash when signing into twitter calling WebCore::DocumentLoader::responseReceived(WebCore::CachedResource*, WebCore::ResourceResponse const&).
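Review bot: two typos in the new entry: "may be destroyed as this point" should read "at this point", and "now keep a strong ref" should read "now keeps a strong ref". The file list also names `* mathml/MathMLSelectElement.h:` without the usual one-line description of what changed (m_selectedChild switched from Element* to RefPtr<Element>); add it so the ChangeLog entry reads stand-alone.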

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/mathml/MathMLSelectElement.h (188032 => 188033)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/mathml/MathMLSelectElement.h	2015-08-06 08:19:48 UTC (rev 188032)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/mathml/MathMLSelectElement.h	2015-08-06 08:47:54 UTC (rev 188033)
@@ -56,7 +56,7 @@
     Element* getSelectedSemanticsChild();
 
     void updateSelectedChild() override;
-    Element* m_selectedChild;
+    RefPtr<Element> m_selectedChild;
 };
 
 }
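Review bot: this is a header-only type change (`-    Element* m_selectedChild;` to `+    RefPtr<Element> m_selectedChild;`), so every use of m_selectedChild in MathMLSelectElement.cpp must already compile against a RefPtr<Element>; none of those lines are in this diff, so the reviewer has to confirm separately that callers expecting an Element* use .get() and that comparisons against raw child pointers still behave. Worth stating the trade-off too: the strong ref keeps the detached, previously selected child alive until updateSelectedChild() reassigns or clears m_selectedChild, which removes the use-after-free but retains a stale node rather than nulling the pointer on removal; clearing it in childrenChanged() before recomputing would be the tighter alternative.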
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
