Crash when removing children of a MathMLSelectElement
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Aug 2015 01:25:30 +0000 (01:25 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Aug 2015 01:25:30 +0000 (01:25 +0000)
commit 49beceae9bef29f1f41c3c377d12ed9b91b15e71
tree 7f47298a03a60ecdbd43ce5beed94c38baa7b16d
parent f3ce926a561ecf1210939fe4c6f5fd6de095f3d0
Crash when removing children of a MathMLSelectElement
https://bugs.webkit.org/show_bug.cgi?id=147704
<rdar://problem/21940321>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When MathMLSelectElement::childrenChanged() is called after its
children have been removed, MathMLSelectElement calls
updateSelectedChild() which accesses m_selectedChild. However,
in this case, m_selectedChild is the previously selected child
and it may be destroyed at this point if it was removed. To avoid
this problem, MathMLSelectElement now keeps a strong ref to the
currently selected element.

Test: mathml/maction-removeChild.html

* mathml/MathMLSelectElement.h:

LayoutTests:

Add layout test that reproduces the crash under guardmalloc.

* mathml/maction-removeChild-expected.txt: Added.
* mathml/maction-removeChild.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@188014 268f45cc-cd09-0410-ab3c-d52691b4dbfc
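As an added illustration (not WebKit's code), the lifetime problem the commit message describes next to the strong-reference fix, modelled in C++: the Node, SelectElementBefore and SelectElementAfter types are assumptions, std::shared_ptr stands in for WebCore's RefPtr, and the non-owning "before" pointer is modelled with std::weak_ptr so a test can observe that the child is already gone instead of reading freed memory as a real raw pointer would.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

struct Node { std::string name; };  // toy stand-in for a MathML child node

// Before the fix: the selected child is remembered without owning it. The
// non-owning pointer is modelled with std::weak_ptr so the test can observe
// expiry; a real raw pointer would simply dangle and the read would be a UAF.
struct SelectElementBefore {
    std::vector<std::shared_ptr<Node>> children;  // the element owns its children
    std::weak_ptr<Node> m_selectedChild;          // non-owning, like a raw pointer
    void select(std::size_t i) { m_selectedChild = children[i]; }
    // Delivered after the mutation; false means the old selection is already gone.
    bool childrenChanged() {
        std::shared_ptr<Node> old = m_selectedChild.lock();
        if (!old)
            return false;
        m_selectedChild = children.empty() ? std::weak_ptr<Node>() : std::weak_ptr<Node>(children.front());
        return true;
    }
};

// After the fix: a strong reference (RefPtr in WebCore, shared_ptr here) keeps
// the previously selected child alive until a replacement has been chosen.
struct SelectElementAfter {
    std::vector<std::shared_ptr<Node>> children;
    std::shared_ptr<Node> m_selectedChild;  // owning
    void select(std::size_t i) { m_selectedChild = children[i]; }
    bool childrenChanged() {
        if (!m_selectedChild)
            return false;
        std::string previous = m_selectedChild->name;  // safe: still alive
        m_selectedChild = children.empty() ? std::shared_ptr<Node>() : children.front();
        return !previous.empty();
    }
};

// The scenario from the bug: select the first child, remove it, then notify.
template <typename Select>
bool removeSelectedChildThenNotify() {
    Select element;
    element.children.push_back(std::make_shared<Node>(Node{"mtext"}));
    element.children.push_back(std::make_shared<Node>(Node{"mrow"}));
    element.select(0);
    element.children.erase(element.children.begin());  // drops the last owner in "Before"
    return element.childrenChanged();
}
bool beforeFixLosesSelectedChild() { return !removeSelectedChildThenNotify<SelectElementBefore>(); }
bool afterFixKeepsSelectedChild() { return removeSelectedChildThenNotify<SelectElementAfter>(); }
```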
LayoutTests/ChangeLog
LayoutTests/mathml/maction-removeChild-expected.txt [new file with mode: 0644]
LayoutTests/mathml/maction-removeChild.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/mathml/MathMLSelectElement.h