Title: [121994] releases/WebKitGTK/webkit-1.8
Revision: 121994
Author: mrobin...@webkit.org
Date: 2012-07-06 13:01:05 -0700 (Fri, 06 Jul 2012)

Log Message

Merge 116864 - Crash in HTMLSelectElement::setOption
https://bugs.webkit.org/show_bug.cgi?id=85420

Source/WebCore:

Patch by Abhishek Arya <infe...@chromium.org> on 2012-05-12
Reviewed by Eric Seidel

RefPtr before option in HTMLSelectElement::setOption since it
can get destroyed due to mutation events.

Test: fast/dom/HTMLSelectElement/option-add-crash.html

* html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::setOption):

LayoutTests:

Patch by Abhishek Arya <infe...@chromium.org> on 2012-05-12
Reviewed by Eric Seidel.

* fast/dom/HTMLSelectElement/option-add-crash-expected.txt: Added.
* fast/dom/HTMLSelectElement/option-add-crash.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (121993 => 121994)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 20:00:55 UTC (rev 121993)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 20:01:05 UTC (rev 121994)
@@ -1,3 +1,13 @@
+2012-05-12  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in HTMLSelectElement::setOption
+        https://bugs.webkit.org/show_bug.cgi?id=85420
+
+        Reviewed by Eric Seidel.
+
+        * fast/dom/HTMLSelectElement/option-add-crash-expected.txt: Added.
+        * fast/dom/HTMLSelectElement/option-add-crash.html: Added.
+
 2012-05-15  Abhishek Arya  <infe...@chromium.org>
 
         Crash in Document::nodeChildrenWillBeRemoved.
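
Review bot: The new entry is dated 2012-05-12 but sits above the existing 2012-05-15 entry, and nothing in the entry itself says it is a merge of 116864 onto the release branch. Adding a "Merge 116864" line to the entry would explain the out-of-order date to anyone reading this ChangeLog without the commit log.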

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash-expected.txt (0 => 121994)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash-expected.txt	2012-07-06 20:01:05 UTC (rev 121994)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS. WebKit didn't crash.
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html (0 => 121994)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html	2012-07-06 20:01:05 UTC (rev 121994)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<script>
+function crash()
+{
+    try {
+    document.getElementsByTagName('option')[0].parentNode.removeChild(document.getElementsByTagName('option')[0]);
+    } catch (Exception) {}
+
+    gc();
+}
+document.write("PASS. WebKit didn't crash.<select></select>");
+var select1 = document.getElementsByTagName('select')[0];
+select1.appendChild(document.createElement('option'));
+select1.appendChild(document.createElement('option'));
+document.addEventListener("DOMSubtreeModified", crash, false);
+try {
+  select1.options[0] = new Option("", "");
+} catch (Exception) { }
+</script>
+<script src=""
+</html>
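
Review bot: Both empty `catch (Exception) {}` blocks, the one in crash() and the one around `select1.options[0] = new Option("", "")`, swallow every error, so the page still shows PASS if the assignment fails for an unrelated reason and the setOption path is never exercised. Consider recording that the listener actually ran and asserting on it after the assignment. Two smaller points: `gc()` sits outside the try in crash() and is not defined in this file, so it depends on an included script or the test harness providing it; and the DOMSubtreeModified listener is never removed, so it keeps firing on every later mutation of the document.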
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/HTMLSelectElement/option-add-crash.html
___________________________________________________________________

Added: svn:executable

Added: svn:eol-style

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (121993 => 121994)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:00:55 UTC (rev 121993)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:01:05 UTC (rev 121994)
@@ -1,3 +1,18 @@
+2012-05-12  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in HTMLSelectElement::setOption
+        https://bugs.webkit.org/show_bug.cgi?id=85420
+
+        Reviewed by Eric Seidel
+        
+        RefPtr before option in HTMLSelectElement::setOption since it
+        can get destroyed due to mutation events.
+
+        Test: fast/dom/HTMLSelectElement/option-add-crash.html
+
+        * html/HTMLSelectElement.cpp:
+        (WebCore::HTMLSelectElement::setOption):
+
 2012-05-15  Abhishek Arya  <infe...@chromium.org>
 
         Crash in Document::nodeChildrenWillBeRemoved.
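
Review bot: The description line "RefPtr before option in HTMLSelectElement::setOption" is hard to parse, because `before` and `option` are both variable names in setOption and the sentence reads like ordinary prose. Suggest wording along the lines of "Hold the local |before| in a RefPtr" and naming the call in setOption that can dispatch the mutation events, so the reason for the change is clear from the ChangeLog alone.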

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/html/HTMLSelectElement.cpp (121993 => 121994)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/html/HTMLSelectElement.cpp	2012-07-06 20:00:55 UTC (rev 121993)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/html/HTMLSelectElement.cpp	2012-07-06 20:01:05 UTC (rev 121994)
@@ -397,7 +397,7 @@
     if (index > maxSelectItems - 1)
         index = maxSelectItems - 1;
     int diff = index - length();
-    HTMLElement* before = 0;
+    RefPtr<HTMLElement> before = 0;
     // Out of array bounds? First insert empty dummies.
     if (diff > 0) {
         setLength(index, ec);
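
Review bot: At `RefPtr<HTMLElement> before = 0;` there is no comment saying why a local needs a strong reference, and a later cleanup could turn it back into a raw pointer. A one-line comment that script run during `setLength(index, ec)` can drop the last reference to the node would protect the fix. The `= 0` initializer is also redundant, since a default-constructed RefPtr is already null.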
@@ -408,7 +408,7 @@
     }
     // Finally add the new element.
     if (!ec) {
-        add(option, before, ec);
+        add(option, before.get(), ec);
         if (diff >= 0 && option->selected())
             optionSelectionStateChanged(option, true);
     }
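
Review bot: At `add(option, before.get(), ec)` the RefPtr guarantees that `before` is still alive, but not that it is still a child of this select: the added test's listener removes an option with removeChild, so `before` can arrive here detached. Please confirm that add() reports this through `ec` rather than assuming the reference node has this element as its parent, or check the parent before the call.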
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes