Title: [197284] releases/WebKitGTK/webkit-2.4
Revision
197284
Author
carlo...@webkit.org
Date
2016-02-28 05:42:16 -0800 (Sun, 28 Feb 2016)

Log Message

Merge r188014 - Crash when removing children of a MathMLSelectElement
https://bugs.webkit.org/show_bug.cgi?id=147704
<rdar://problem/21940321>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When MathMLSelectElement::childrenChanged() is called after its
children have been removed, MathMLSelectElement calls
updateSelectedChild() which accesses m_selectedChild. However,
in this case, m_selectedChild is the previously selected child
and it may be destroyed at this point if it was removed. To avoid
this problem, MathMLSelectElement now keeps a strong ref to the
currently selected element.

Test: mathml/maction-removeChild.html

* mathml/MathMLSelectElement.h:

LayoutTests:

Add layout test that reproduces the crash under guardmalloc.

* mathml/maction-removeChild-expected.txt: Added.
* mathml/maction-removeChild.html: Added.
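The lifetime problem described in the log message, modelled as an added example (not WebKit code): a parent replaces its children and then re-reads the previously selected child during the update step; std::shared_ptr stands in for RefPtr, and the Element, SelectElement and replayMactionRemoveChild names are constructed for this illustration.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for a DOM element (constructed for illustration, not
// WebKit's Element). The live counter makes object lifetime observable.
struct Element {
    static int liveCount;
    std::string name;
    explicit Element(std::string n) : name(std::move(n)) { ++liveCount; }
    ~Element() { --liveCount; }
};
int Element::liveCount = 0;

// Model of MathMLSelectElement. The parent owns its children; std::shared_ptr
// stands in for WebKit's RefPtr. Before the fix, m_selectedChild was a raw
// Element*, so once the children were removed it pointed at freed memory.
class SelectElement {
public:
    std::vector<std::shared_ptr<Element>> children;
    std::size_t selection = 0;              // index of the selected child
    std::shared_ptr<Element> selectedChild; // strong ref: the post-fix layout
    std::string lastPreviousName;           // what the update step observed
    // Mirrors updateSelectedChild(): it first touches the *previous* selection.
    // That read is the use-after-free in the bug; with a strong ref the old
    // child is guaranteed alive here even if it is no longer in `children`.
    void updateSelectedChild() {
        lastPreviousName = selectedChild ? selectedChild->name : "(none)";
        selectedChild = selection < children.size() ? children[selection] : nullptr;
    }
    // Mirrors the childrenChanged() path after innerHTML replaced the subtree.
    void replaceChildren(std::vector<std::shared_ptr<Element>> newChildren) {
        children = std::move(newChildren);
        updateSelectedChild();
    }
};

// Replays the layout test: <maction selection="2"> with <mi>, <mspace/>, then
// innerHTML swaps the children for a single text node. Returns the name read
// from the previously selected child during the update (the former UAF read).
std::string replayMactionRemoveChild() {
    SelectElement select;
    select.selection = 1; // selection="2" is 1-based in MathML
    select.children = { std::make_shared<Element>("mi"), std::make_shared<Element>("mspace") };
    select.updateSelectedChild(); // selects <mspace/>
    select.replaceChildren({ std::make_shared<Element>("#text") });
    return select.lastPreviousName; // "mspace", read safely from a live object
}
```

With the raw-pointer layout the same read would touch an object already released by the children vector, which is exactly what guardmalloc turns into a crash.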

Diff

Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (197283 => 197284)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2016-02-28 13:29:31 UTC (rev 197283)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2016-02-28 13:42:16 UTC (rev 197284)
@@ -1,3 +1,16 @@
+2015-08-05  Chris Dumez  <cdu...@apple.com>
+
+        Crash when removing children of a MathMLSelectElement
+        https://bugs.webkit.org/show_bug.cgi?id=147704
+        <rdar://problem/21940321>
+
+        Reviewed by Ryosuke Niwa.
+
+        Add layout test that reproduces the crash under guardmalloc.
+
+        * mathml/maction-removeChild-expected.txt: Added.
+        * mathml/maction-removeChild.html: Added.
+
 2015-06-09  Said Abou-Hallawa  <sabouhall...@apple.com>
 
         feComposite filter does not clip the paint rect to its effect rect when the operator is 'in' or 'atop'

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/mathml/maction-removeChild-expected.txt (0 => 197284)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/mathml/maction-removeChild-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/mathml/maction-removeChild-expected.txt	2016-02-28 13:42:16 UTC (rev 197284)
@@ -0,0 +1,3 @@
+This test passes if it does not crash
+
+

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/mathml/maction-removeChild.html (0 => 197284)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/mathml/maction-removeChild.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/mathml/maction-removeChild.html	2016-02-28 13:42:16 UTC (rev 197284)
@@ -0,0 +1,19 @@
+<!doctype html>
+<html>
+  <body>
+    <p>This test passes if it does not crash</p>
+    <math>
+      <maction id="testSelect" actiontype="toggle" selection="2">
+        <mi>g</mi>
+        <mspace/>
+      </maction>
+    </math>
+    <script>
+      if (window.testRunner)
+        testRunner.dumpAsText();
+
+      var testSelect = document.getElementById("testSelect");
+      testSelect.innerHTML = "123.123.123";
+    </script>
+  </body>
+</html>
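Review bot: the test detects the stale m_selectedChild read only when the freed child's memory is poisoned, which is why the ChangeLog says it reproduces "under guardmalloc"; in a plain build the dangling read can silently succeed and the test passes even without the fix. Consider saying so in the test itself (a comment next to `testSelect.innerHTML = "123.123.123";`) and spelling out that `selection="2"` is what makes the second child, `<mspace/>`, the tracked selection that the innerHTML assignment removes, so a future edit to the markup does not quietly lose the reproducer.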

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (197283 => 197284)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-02-28 13:29:31 UTC (rev 197283)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2016-02-28 13:42:16 UTC (rev 197284)
@@ -1,3 +1,23 @@
+2015-08-05  Chris Dumez  <cdu...@apple.com>
+
+        Crash when removing children of a MathMLSelectElement
+        https://bugs.webkit.org/show_bug.cgi?id=147704
+        <rdar://problem/21940321>
+
+        Reviewed by Ryosuke Niwa.
+
+        When MathMLSelectElement::childrenChanged() is called after its
+        children have been removed, MathMLSelectElement calls
+        updateSelectedChild() which accesses m_selectedChild. However,
+        in this case, m_selectedChild is the previously selected child
+        and it may be destroyed as this point if it was removed. To avoid
+        this problem, MathMLSelectElement now keep a strong ref to the
+        currently selected element.
+
+        Test: mathml/maction-removeChild.html
+
+        * mathml/MathMLSelectElement.h:
+
 2015-05-28  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         Crash under ICU with ASAN during editing/selection/move-by-word-visually-crash-test-5.html
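Review bot: the per-file line `* mathml/MathMLSelectElement.h:` carries no description; WebKit ChangeLog style expects the member change to be named there (e.g. "m_selectedChild is now a RefPtr<Element>"). Two typos in the explanation as well: "destroyed as this point" should read "at this point", and "now keep a strong ref" should read "now keeps".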

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/mathml/MathMLSelectElement.h (197283 => 197284)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/mathml/MathMLSelectElement.h	2016-02-28 13:29:31 UTC (rev 197283)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/mathml/MathMLSelectElement.h	2016-02-28 13:42:16 UTC (rev 197284)
@@ -53,7 +53,7 @@
     Element* getSelectedSemanticsChild();
 
     void updateSelectedChild() override;
-    Element* m_selectedChild;
+    RefPtr<Element> m_selectedChild;
 };
 
 }
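Review bot: changing `Element* m_selectedChild;` to `RefPtr<Element> m_selectedChild;` keeps the previously selected child alive across childrenChanged(), which removes the dangling read, but the header-only change leaves the .cpp side to be confirmed: updateSelectedChild() must treat a m_selectedChild that is alive yet no longer a child of this element as not selected, and any explicit constructor initialiser for the member should be checked (a RefPtr is null by default). Note also that the strong ref keeps a removed child subtree alive until the next update rather than releasing it immediately; that is acceptable here, but worth a sentence in the ChangeLog.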
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
