WebCore:
author    alice.liu@apple.com <alice.liu@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 19 Dec 2007 22:51:30 +0000 (22:51 +0000)
committer alice.liu@apple.com <alice.liu@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 19 Dec 2007 22:51:30 +0000 (22:51 +0000)
commit    94ff8328cfb14e5dc0341850ff8e7da09dce637b
tree      4c18772662b5ee43a2ac0fd1ef8705b4bcd516f7
parent    4d15fba82a089fa032cb0a9cff6854ac059c8bb1
WebCore:

        Reviewed by Darin.

        Fixed <rdar://problem/5592485> Safari crashed trying to get a motorcycle insurance quote
        on Geico.com WebCore::Document::inPageCache()

        Calling Node::willRemove on the focusedNode would immediately tell the document to remove
        the focused node, and trigger JS events. This means that the document is mutated while
        the engine is trying to tell all child nodes that it's about to be removed. To avoid
        crashing, we need to hold off on mutating the document until node traversal is finished.

        * dom/ContainerNode.cpp:
        (WebCore::ContainerNode::removeChild):
        (WebCore::ContainerNode::removeChildren):
        * dom/Node.cpp:
        * dom/Node.h:
        (WebCore::Node::willRemove):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::clear):

LayoutTests:

        Reviewed by Darin.

        Fixed <rdar://problem/5592485> Safari crashed trying to get a motorcycle insurance quote
        on Geico.com WebCore::Document::inPageCache()

        * fast/events/nested-event-remove-node-crash-expected.txt: Added.
        * fast/events/nested-event-remove-node-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28875 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/events/nested-event-remove-node-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/nested-event-remove-node-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/ContainerNode.cpp
WebCore/dom/Document.cpp
WebCore/dom/Document.h
WebCore/dom/Node.cpp
WebCore/loader/FrameLoader.cpp