    Crash in ContainerNode::resumePostAttachCallbacks. · ed38f84f
    inferno@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=82159
    
    Reviewed by Hajime Morita.
    
    Source/WebCore:
    
    Test: plugins/object-onfocus-mutation-crash.html
    
    * dom/ContainerNode.cpp:
    (WebCore::ContainerNode::resumePostAttachCallbacks): dispatching post attach
    callbacks when our attach depth is 1 can fire mutation events such as onfocus
    which can blow away |this|. Need to protect it with a RefPtr.
    * html/HTMLPlugInImageElement.cpp:
    (WebCore::HTMLPlugInImageElement::attach): add calls to suspend attach callbacks
    until the function completes.
    
    LayoutTests:
    
    * plugins/object-onfocus-mutation-crash-expected.txt: Added.
    * plugins/object-onfocus-mutation-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@112051 268f45cc-cd09-0410-ab3c-d52691b4dbfc
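The lifetime hazard the commit message describes, shown as an added C++ example that is not WebKit code and not part of this commit. `Node`, `Protector`, `resumeProtected`, `resumeUnprotected`, `makeNode` and the event log are constructed names, and `Protector` is a minimal stand-in for the RefPtr the message mentions.

```cpp
#include <functional>
#include <string>
#include <vector>

static std::vector<std::string> g_events;  // event order, kept outside the node

struct Node {  // constructed model of an intrusively ref-counted node
    int refCount = 1;                // the creator holds the only reference
    int attachDepth = 1;
    std::function<void()> callback;  // stands in for a queued post-attach callback
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    ~Node() { g_events.push_back("destroyed"); }

    // Hardened: keep |this| alive until the function has finished with it.
    void resumeProtected() {
        struct Protector {  // minimal stand-in for a RefPtr taken on |this|
            Node* n;
            explicit Protector(Node* p) : n(p) { n->ref(); }
            ~Protector() { n->deref(); }
        } protect(this);
        if (attachDepth == 1 && callback) callback();  // may drop the creator's ref
        --attachDepth;                                 // safe: still referenced
        g_events.push_back("depth-updated");
    }  // protector releases the last reference here

    // Unprotected: reports whether |this| survived the dispatch.
    bool resumeUnprotected() {
        std::function<void()> cb = callback;  // local copy outlives the node
        if (attachDepth == 1 && cb) cb();
        if (!g_events.empty() && g_events.back() == "destroyed")
            return false;  // any member access from here would be a use-after-free
        --attachDepth;
        return true;
    }
};

// The callback releases the only outside reference, as a handler that
// removes the element from the document would.
static Node* makeNode() {
    g_events.clear();
    Node* n = new Node;
    n->callback = [n] { g_events.push_back("callback"); n->deref(); };
    return n;
}
std::vector<std::string> runProtected() { makeNode()->resumeProtected(); return g_events; }
bool runUnprotected() { return makeNode()->resumeUnprotected(); }
```

With the protector in place the destructor runs only after the depth update; without it the node is already gone when the callback returns.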