Skip to site navigation (Press enter)

[webkit-changes] [116717] trunk/Source/WebCore

inferno Thu, 10 May 2012 19:05:20 -0700

Title: [116717] trunk/Source/WebCore

Revision: 116717
Author: infe...@chromium.org
Date: 2012-05-10 19:06:11 -0700 (Thu, 10 May 2012)

Log Message

Crash in swapInNodePreservingAttributesAndChildren.
https://bugs.webkit.org/show_bug.cgi?id=85197


Reviewed by Ryosuke Niwa.

Keep the children in a ref vector before adding them to newNode.
They can get destroyed due to mutation events.

No new tests because we don't have a reduction.

* editing/ReplaceNodeWithSpanCommand.cpp:
(WebCore::swapInNodePreservingAttributesAndChildren):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (116716 => 116717)


--- trunk/Source/WebCore/ChangeLog	2012-05-11 01:49:40 UTC (rev 116716)
+++ trunk/Source/WebCore/ChangeLog	2012-05-11 02:06:11 UTC (rev 116717)
@@ -1,3 +1,18 @@
+2012-05-10  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in swapInNodePreservingAttributesAndChildren.
+        https://bugs.webkit.org/show_bug.cgi?id=85197
+ 
+        Reviewed by Ryosuke Niwa.
+ 
+        Keep the children in a ref vector before adding them to newNode.
+        They can get destroyed due to mutation events.
+
+        No new tests because we don't have a reduction.
+
+        * editing/ReplaceNodeWithSpanCommand.cpp:
+        (WebCore::swapInNodePreservingAttributesAndChildren):
+
 2012-05-10  Shinya Kawanaka  <shin...@chromium.org>
 
         [Refactoring] Move Selection from DOMWindow to TreeScope.

Modified: trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp (116716 => 116717)


--- trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp	2012-05-11 01:49:40 UTC (rev 116716)
+++ trunk/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp	2012-05-11 02:06:11 UTC (rev 116717)
@@ -56,10 +56,10 @@
     parentNode->insertBefore(newNode, nodeToReplace, ec);
     ASSERT(!ec);
 
-    RefPtr<Node> nextChild;
-    for (Node* child = nodeToReplace->firstChild(); child; child = nextChild.get()) {
-        nextChild = child->nextSibling();
-        newNode->appendChild(child, ec);
+    NodeVector children;
+    getChildNodes(nodeToReplace, children);
+    for (size_t i = 0; i < children.size(); ++i) {
+        newNode->appendChild(children[i], ec);
         ASSERT(!ec);
     }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes