commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=113964

Source/WebCore:

Object elements have the tendency to modify or even fully remove the containing Document inside beforeload callback. While Document is removed, RenderArena gets destroyed. Retained RenderWidgets fail to function with NULL arena.
Protect RenderArena from getting wiped out, when Document is removed during FrameView::updateWidget().

Patch by Zalan Bujtas <zalan@apple.com> on 2013-04-26
Reviewed by Antti Koivisto.

Test: fast/frames/crash-remove-iframe-during-object-beforeload.html

* dom/Document.cpp:
(WebCore::Document::attach):
* dom/Document.h:
(Document):
* page/FrameView.cpp:
(WebCore::FrameView::updateWidgets):
* rendering/RenderArena.h:
(RenderArena):
(WebCore::RenderArena::create):

LayoutTests:

Patch by Zalan Bujtas <zalan@apple.com> on 2013-04-26
Reviewed by Antti Koivisto.

* fast/frames/crash-remove-iframe-during-object-beforeload-expected.txt: Added.
* fast/frames/crash-remove-iframe-during-object-beforeload.html: Added.
* fast/frames/resources/remove-this-during-object-beforeload.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@149185 268f45cc-cd09-0410-ab3c-d52691b4dbfc
89c9ced3