Title: [118872] branches/chromium/1132
Revision
118872
Author
cev...@google.com
Date
2012-05-29 18:24:51 -0700 (Tue, 29 May 2012)

Log Message

Merge 118471
BUG=128665
Review URL: https://chromiumcodereview.appspot.com/10444080

Modified Paths

Added Paths

Diff

Copied: branches/chromium/1132/LayoutTests/fast/events/dom-character-data-modified-textarea-crash-expected.txt (from rev 118471, trunk/LayoutTests/fast/events/dom-character-data-modified-textarea-crash-expected.txt) (0 => 118872)


--- branches/chromium/1132/LayoutTests/fast/events/dom-character-data-modified-textarea-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/events/dom-character-data-modified-textarea-crash-expected.txt	2012-05-30 01:24:51 UTC (rev 118872)
@@ -0,0 +1 @@
+Test passes if a DOMCharacterModified event on the textarea does not crash.
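Review bot: The event name in the expected text, "DOMCharacterModified", does not match the event the test registers for, "DOMCharacterDataModified". Suggest spelling the name in full here and in the matching innerHTML string in the test, so a search for the event name finds this baseline.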

Copied: branches/chromium/1132/LayoutTests/fast/events/dom-character-data-modified-textarea-crash.html (from rev 118471, trunk/LayoutTests/fast/events/dom-character-data-modified-textarea-crash.html) (0 => 118872)


--- branches/chromium/1132/LayoutTests/fast/events/dom-character-data-modified-textarea-crash.html	                        (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/events/dom-character-data-modified-textarea-crash.html	2012-05-30 01:24:51 UTC (rev 118872)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+// This test uses a weired textarea to reproduce the issue. The condition of a crash is very sensitive to HTML.
+// If we add a new-line at EOF or add other tags in <body> part, the crash will be unlikely to happen.
+// For example, if we move this comment to the actual HTML or try to load 'js-test-pre.js', the crash won't happen.
+// Mutation events should not be dispatched on this case. This bug is being tracked by webkit bug https://bugs.webkit.org/show_bug.cgi?id=87372
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+document.addEventListener("DOMCharacterDataModified", function() {
+    document.designMode = "on";
+    document.execCommand("SelectAll");
+    document.execCommand("Delete");
+    document.body.offsetLeft;
+    document.body.innerHTML = 'Test passes if a DOMCharacterModified event on the textarea does not crash.';
+});
+</script>
+</head>
+<textarea> <
\ No newline at end of file
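Review bot: The header comment says mutation events should not be dispatched in this case (webkit bug 87372), yet the pass text is only written from inside the DOMCharacterDataModified listener. Once that bug is fixed the listener will never run and the output will stop matching the expected file. Suggest stating in the comment that the test has to be rebaselined or rewritten at that point. The same comment should also warn that the missing newline at EOF and the unclosed "<textarea> <" are required and must not be normalised by an editor, and "weired" should read "weird".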

Modified: branches/chromium/1132/Source/WebCore/dom/CharacterData.cpp (118871 => 118872)


--- branches/chromium/1132/Source/WebCore/dom/CharacterData.cpp	2012-05-30 01:17:49 UTC (rev 118871)
+++ branches/chromium/1132/Source/WebCore/dom/CharacterData.cpp	2012-05-30 01:24:51 UTC (rev 118872)
@@ -44,6 +44,8 @@
     if (m_data == nonNullData)
         return;
 
+    RefPtr<CharacterData> protect = this;
+
     unsigned oldLength = length();
 
     setDataAndUpdate(nonNullData, 0, oldLength, nonNullData.length());
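Review bot: The added "RefPtr<CharacterData> protect = this;" carries no comment saying what can release the last reference during this function. Going by the test in this change, the call to setDataAndUpdate can lead to a DOMCharacterDataModified handler that replaces the document body, so a one-line comment naming that path would stop the guard from being removed later as dead code. It is also worth confirming whether the other callers of setDataAndUpdate in this file, which are not visible in this hunk, touch members after the call and need the same guard.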