Title: [129403] branches/chromium/1271/Source/WebCore/dom/Document.cpp
- Revision
- 129403
- Author
- [email protected]
- Date
- 2012-09-24 13:09:58 -0700 (Mon, 24 Sep 2012)
Log Message
Merge 129270
BUG=147700
Review URL: https://codereview.chromium.org/10957065
Modified Paths
Diff
Modified: branches/chromium/1271/Source/WebCore/dom/Document.cpp (129402 => 129403)
--- branches/chromium/1271/Source/WebCore/dom/Document.cpp 2012-09-24 20:07:13 UTC (rev 129402)
+++ branches/chromium/1271/Source/WebCore/dom/Document.cpp 2012-09-24 20:09:58 UTC (rev 129403)
@@ -5768,6 +5768,10 @@
void Document::fullScreenChangeDelayTimerFired(Timer<Document>*)
{
+ // Since we dispatch events in this function, it's possible that the
+ // document will be detached and GC'd. We protect it here to make sure we
+ // can finish the function successfully.
+ RefPtr<Document> protectDocument(this);
Deque<RefPtr<Node> > changeQueue;
m_fullScreenChangeEventTargetQueue.swap(changeQueue);
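Review bot: The new comment describes the hazard as the document being "GC'd", which is loose wording given that the guard added on the next line is a `RefPtr<Document>`. What it prevents is the last reference being released while event handlers run. The function keeps using members such as `m_fullScreenChangeEventTargetQueue`, so I would state the invariant directly: `// Event handlers can run script that drops the last reference to this Document; hold a ref so members stay valid until we return.` The function body continues outside this hunk, so the dispatch calls themselves are not visible here.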
@@ -5775,6 +5779,9 @@
RefPtr<Node> node = changeQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the element was removed from our tree, also message the documentElement. Since we may
// have a document hierarchy, check that node isn't in another document.
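Review bot: The comment on the added null check points at "the dispatchEvent below", but a null `documentElement()` on this pass can only result from a dispatch that has already run, so it reads as guarding something that has not happened yet. Suggested wording: `// A handler run by an earlier dispatchEvent may have removed documentElement; skip this entry rather than dereference null.` The identical check and comment are repeated in the error-queue loop in the hunk at -5791, so a small file-local helper returning the target or null would keep the two loops from drifting apart. Both loop bodies continue outside their hunks, so the dereference being guarded is presumably the dispatch that follows.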
@@ -5791,6 +5798,9 @@
RefPtr<Node> node = errorQueue.takeFirst();
if (!node)
node = documentElement();
+ // The dispatchEvent below may have blown away our documentElement.
+ if (!node)
+ continue;
// If the element was removed from our tree, also message the documentElement. Since we may
// have a document hierarchy, check that node isn't in another document.