-
inferno@chromium.org authored
https://bugs.webkit.org/show_bug.cgi?id=67556 Reviewed by Ryosuke Niwa. Source/WebCore: Create a temporary RefPtr Node vector to keep all the ancestor's childs so that we don't access removed child nodes. Test: fast/dom/Range/range-delete-contents-event-fire-crash.html * dom/Range.cpp: (WebCore::Range::processContents): (WebCore::Range::processAncestorsAndTheirSiblings): LayoutTests: Tests that we do not crash when removing contents of a range from the document. * fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt: Added. * fast/dom/Range/range-delete-contents-event-fire-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@94511 268f45cc-cd09-0410-ab3c-d52691b4dbfc
3a9798ae
