Assertion failure in Range::nodeWillBeRemoved

https://bugs.webkit.org/show_bug.cgi?id=121694

Patch by László Langó <llango.u-szeged@partner.samsung.com> on 2014-01-21
Reviewed by Ryosuke Niwa.

Source/WebCore:

Based on a Blink change: https://chromium.googlesource.com/chromium/blink/+/407c1d7b2c45974aa614b3f847ffe9e8fce205fa

This patch fixes an assertion failure. Range::nodeWillBeRemoved() might
be called with a removed node in ContainerNode, when a DOMNodeRemovedFromDocument
event handler calls removeChild() for the node being removed.

Test: fast/dom/Range/remove-twice-crash.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::willRemoveChild):
* dom/ContainerNode.h:

LayoutTests:

* fast/dom/Range/remove-twice-crash-expected.txt: Added.
* fast/dom/Range/remove-twice-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@162492 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent a75aad25
2014-01-21 László Langó <llango.u-szeged@partner.samsung.com>
Assertion failure in Range::nodeWillBeRemoved
https://bugs.webkit.org/show_bug.cgi?id=121694
Reviewed by Ryosuke Niwa.
* fast/dom/Range/remove-twice-crash-expected.txt: Added.
* fast/dom/Range/remove-twice-crash.html: Added.
2014-01-21 Alexey Proskuryakov <ap@apple.com>
AX: Mac: Expose the visible text of a password field to AX
Range::nodeWillBeRemoved() might be called with removed node, when DOMNodeRemovedFromDocument event handler calls removeChild(), for node being removed.
PASS; NOT CRASHED
<div>
Range::nodeWillBeRemoved() might be called with removed node, when DOMNodeRemovedFromDocument event handler calls removeChild(), for node being removed.
</div>
<div id="mainDiv">
<div id="childDiv">foo</div>
</div>
<script>
if (window.testRunner)
testRunner.dumpAsText();
var done = false;
document.addEventListener("DOMNodeRemovedFromDocument", function () {
if (done)
return;
done = true;
var beingRemoved = event.srcElement;
beingRemoved.parentNode.removeChild(beingRemoved);
}, true);
var childDiv = document.getElementById('childDiv')
var range = document.createRange();
range.selectNode(childDiv);
try {
childDiv.parentNode.removeChild(childDiv);
} catch (e) {
// We get 'NotFoundError'.
}
document.getElementById('mainDiv').outerHTML = 'PASS; NOT CRASHED';
</script>
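Review bot: the `catch (e)` block around `childDiv.parentNode.removeChild(childDiv)` swallows every exception, so the test prints PASS even if something other than the 'NotFoundError' named in the comment is thrown. Check `e.name` inside the catch and report a failure on anything else. The listener also reads the implicit global `event` and the non-standard `event.srcElement`; declaring the handler parameter and using `event.target` would make the test independent of those legacy aliases. The `var childDiv = ...` line is missing its trailing semicolon.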
2014-01-21 László Langó <llango.u-szeged@partner.samsung.com>
Assertion failure in Range::nodeWillBeRemoved
https://bugs.webkit.org/show_bug.cgi?id=121694
Reviewed by Ryosuke Niwa.
Based on Blink a change: https://chromium.googlesource.com/chromium/blink/+/407c1d7b2c45974aa614b3f847ffe9e8fce205fa
This patch fix an assertion failure. Range::nodeWillBeRemoved() might
be called with removed node in ContainerNode, when DOMNodeRemovedFromDocument
event handler calls removeChild(), for node being removed.
Test: fast/dom/Range/remove-twice-crash.html
* dom/ContainerNode.cpp:
(WebCore::ContainerNode::willRemoveChild):
* dom/ContainerNode.h:
2014-01-21 Tim Horton <timothy_horton@apple.com>
REGRESSION (r161580): Some PDFs render outside their <img>
......@@ -480,13 +480,17 @@ bool ContainerNode::replaceChild(PassRefPtr<Node> newChild, Node* oldChild, Exce
return true;
}
static void willRemoveChild(Node& child)
void ContainerNode::willRemoveChild(Node& child)
{
ASSERT(child.parentNode());
ChildListMutationScope(*child.parentNode()).willRemoveChild(child);
child.notifyMutationObserversNodeWillDetach();
dispatchChildRemovalEvents(child);
if (child.parentNode() != this)
return;
child.document().nodeWillBeRemoved(&child); // e.g. mutation event listener can create a new range.
if (child.isContainerNode())
disconnectSubframesIfNeeded(toContainerNode(child), RootAndDescendants);
......
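Review bot: the new `if (child.parentNode() != this) return;` after `dispatchChildRemovalEvents(child)` gives the caller no signal that the handler already detached the child, because `willRemoveChild` returns void. The caller has to repeat the parent check on its own before touching the child list, and that caller is not visible in this hunk. Consider returning a bool (or at least documenting the required re-check) so the contract is explicit. Two smaller points: now that this is a member function, the entry assertion can be tightened from `ASSERT(child.parentNode())` to `ASSERT(child.parentNode() == this)`; and the early return happens after `ChildListMutationScope(...).willRemoveChild(child)` and `notifyMutationObserversNodeWillDetach()` have already run, so it is worth confirming that observers do not see the same removal reported by both the outer and the re-entrant call. A one-line comment on the early return explaining the re-entrant `removeChild()` case would help, since the existing trailing comment only covers range creation.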
......@@ -171,6 +171,8 @@ private:
bool isContainerNode() const = delete;
void willRemoveChild(Node& child);
Node* m_firstChild;
Node* m_lastChild;
};
......