https://bugs.webkit.org/show_bug.cgi?id=85247
Reviewed by Hajime Morita.
Source/WebCore:
Reverse ordering of commands to ref ptr the children set
first before calling nodeChildrenWillBeRemoved, since it
can fire mutation events.
Test: fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml
* dom/ContainerNode.cpp:
(WebCore::willRemoveChildren):
LayoutTests:
* fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt: Added.
* fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@117224
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2012-05-15 Abhishek Arya <inferno@chromium.org>
+
+ Crash in Document::nodeChildrenWillBeRemoved.
+ https://bugs.webkit.org/show_bug.cgi?id=85247
+
+ Reviewed by Hajime Morita.
+
+ * fast/dom/HTMLObjectElement/beforeload-set-text-crash-expected.txt: Added.
+ * fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml: Added.
+
2012-05-15 Li Yin <li.yin@intel.com>
[Worker] Web Worker lacks test for posting structured data message.
--- /dev/null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Test passes if it does not crash.
--- /dev/null
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+Test passes if it does not crash.
+<object id="object" type="image/svg+xml" />
+<script src="../../js/resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+var count = 0;
+function setText() {
+ count++;
+ if (count > 100) {
+ document.removeEventListener("beforeload", setText, true);
+ finishJSTest();
+ }
+ gc(); // Because we are recursively entering into setText, can't gc() after this command.
+ document.getElementById("object").textContent = "A";
+}
+document.execCommand("SelectAll");
+document.getElementById("object").textContent = "A";
+document.addEventListener("beforeload", setText, true);
+event = document.createEvent("Event");
+event.initEvent("beforeload", false);
+document.documentElement.dispatchEvent(event);
+</script>
+<script src="../../js/resources/js-test-post.js"></script>
+</html>
+
+2012-05-15 Abhishek Arya <inferno@chromium.org>
+
+ Crash in Document::nodeChildrenWillBeRemoved.
+ https://bugs.webkit.org/show_bug.cgi?id=85247
+
+ Reviewed by Hajime Morita.
+
+ Reverse ordering of commands to ref ptr the children set
+ first before calling nodeChildrenWillBeRemoved, since it
+ can fire mutation events.
+
+ Test: fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml
+
+ * dom/ContainerNode.cpp:
+ (WebCore::willRemoveChildren):
+
2012-05-15 Igor Oliveira <igor.o@sisa.samsung.com>
regression(111639): Issue with simultaneous CSS animations
static void willRemoveChildren(ContainerNode* container)
{
- container->document()->nodeChildrenWillBeRemoved(container);
-
NodeVector children;
getChildNodes(container, children);
+ container->document()->nodeChildrenWillBeRemoved(container);
+
#if ENABLE(MUTATION_OBSERVERS)
ChildListMutationScope mutation(container);
#endif
projects / profile / ivi / webkit-efl.git / commitdiff