Crash in Range::processAncestorsAndTheirSiblings.
authorAbhishek Arya <inferno@chromium.org>
Mon, 5 Sep 2011 05:22:36 +0000 (05:22 +0000)
committerAdemar de Souza Reis Jr <ademar.reis@openbossa.org>
Mon, 5 Sep 2011 17:51:28 +0000 (14:51 -0300)
commitd8fc9f5058f7a639900a2feefc6fbeed1bb72a07
treea4da1669c61187a935bdc18c1620323a8c7bcfaf
parentc0f2dce7f6f43ac03415101582b9f96d86b54721
Crash in Range::processAncestorsAndTheirSiblings.
https://bugs.webkit.org/show_bug.cgi?id=67556

Reviewed by Ryosuke Niwa.

Source/WebCore:

Create a temporary RefPtr Node vector to keep all the ancestor's
childs so that we don't access removed child nodes.

Test: fast/dom/Range/range-delete-contents-event-fire-crash.html

* dom/Range.cpp:
(WebCore::Range::processContents):
(WebCore::Range::processAncestorsAndTheirSiblings):

LayoutTests:

Tests that we do not crash when removing contents of
a range from the document.

* fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt: Added.
* fast/dom/Range/range-delete-contents-event-fire-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@94511 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Range/range-delete-contents-event-fire-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Range.cpp