review.tizen.org Git - profile/ivi/webkit-efl.git/commit

Crash in WebCore::SVGElement::removedFromDocument
https://bugs.webkit.org/show_bug.cgi?id=77270

Reviewed by Adam Barth.

Source/WebCore:

Add a protector before calling NodeRemovalDispatcher::dispatch since
NodeRemovalDispatcher::dispatch may remove the last RefPtr to this node.

Test: fast/dom/Range/surround-contents-font-face-crash.svg

* dom/ContainerNodeAlgorithms.h:
(WebCore::Private::addChildNodesToDeletionQueue):

LayoutTests:

Add a regression test for the crash.

* fast/dom/Range/surround-contents-font-face-crash-expected.txt: Added.
* fast/dom/Range/surround-contents-font-face-crash.svg: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@107749 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 14 Feb 2012 23:54:40 +0000 (23:54 +0000)
committer	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 14 Feb 2012 23:54:40 +0000 (23:54 +0000)
commit	2b5ec68f160cb1c34a306ee5b169f65ae09df0e3
tree	4d11697decb7b0847f9e922602188d0b07e37c85	tree \| snapshot
parent	1711d48189bd36062832657ea26e00309aec1569	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/fast/dom/Range/surround-contents-font-face-crash-expected.txt	[new file with mode: 0644]	blob
LayoutTests/fast/dom/Range/surround-contents-font-face-crash.svg	[new file with mode: 0644]	blob
Source/WebCore/ChangeLog		diff \| blob \| history
Source/WebCore/dom/ContainerNodeAlgorithms.h		diff \| blob \| history