Title: [121992] releases/WebKitGTK/webkit-1.8/Source/WebCore
Revision: 121992
Author: mrobin...@webkit.org
Date: 2012-07-06 13:00:41 -0700 (Fri, 06 Jul 2012)

Log Message

Merge 116717 - Crash in swapInNodePreservingAttributesAndChildren.
https://bugs.webkit.org/show_bug.cgi?id=85197

Patch by Abhishek Arya <infe...@chromium.org> on 2012-05-10
Reviewed by Ryosuke Niwa.

Keep the children in a ref vector before adding them to newNode.
They can get destroyed due to mutation events.

No new tests because we don't have a reduction.

* editing/ReplaceNodeWithSpanCommand.cpp:
(WebCore::swapInNodePreservingAttributesAndChildren):

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (121991 => 121992)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:00:27 UTC (rev 121991)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:00:41 UTC (rev 121992)
@@ -1,3 +1,18 @@
+2012-05-10  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in swapInNodePreservingAttributesAndChildren.
+        https://bugs.webkit.org/show_bug.cgi?id=85197
+ 
+        Reviewed by Ryosuke Niwa.
+ 
+        Keep the children in a ref vector before adding them to newNode.
+        They can get destroyed due to mutation events.
+
+        No new tests because we don't have a reduction.
+
+        * editing/ReplaceNodeWithSpanCommand.cpp:
+        (WebCore::swapInNodePreservingAttributesAndChildren):
+
 2012-05-07  Ken Buchanan  <ke...@chromium.org>
 
         Crash due to positioned object list not being cleared during block flow split
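
Review bot: The added entry says "No new tests because we don't have a reduction", so this merge to the 1.8 release branch carries a crash fix with no regression coverage. Since the entry itself names the trigger (children destroyed by mutation events while they are moved to newNode), it would help to record in the ChangeLog or the bug how the crash was observed, and to follow up with a layout test that exercises swapInNodePreservingAttributesAndChildren with a mutation event listener attached, so that a later refactor of this loop cannot silently reintroduce the lifetime problem.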

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp (121991 => 121992)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp	2012-07-06 20:00:27 UTC (rev 121991)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/editing/ReplaceNodeWithSpanCommand.cpp	2012-07-06 20:00:41 UTC (rev 121992)
@@ -56,10 +56,10 @@
     parentNode->insertBefore(newNode, nodeToReplace, ec);
     ASSERT(!ec);
 
-    RefPtr<Node> nextChild;
-    for (Node* child = nodeToReplace->firstChild(); child; child = nextChild.get()) {
-        nextChild = child->nextSibling();
-        newNode->appendChild(child, ec);
+    NodeVector children;
+    getChildNodes(nodeToReplace, children);
+    for (size_t i = 0; i < children.size(); ++i) {
+        newNode->appendChild(children[i], ec);
         ASSERT(!ec);
     }
 
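
Review bot: In the new loop, `ASSERT(!ec)` after `newNode->appendChild(children[i], ec)` is still the only handling of a failed or redirected append, and it does nothing in release builds. Holding the children in `NodeVector` keeps each node alive, which addresses the dangling `child` pointer in the old sibling walk, but a mutation event handler that runs during one `appendChild` call can still move or remove a later `children[i]`, or detach `newNode` itself, before the loop reaches it. Consider checking `ec` and leaving the loop on error, and verifying that `children[i]` is still a child of `nodeToReplace` before appending it, so the command does not re-parent nodes that script has already moved elsewhere. A short comment above `getChildNodes(nodeToReplace, children)` saying that the snapshot exists because `appendChild` can dispatch mutation events would also stop someone from "simplifying" it back to the sibling walk.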
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes