Heap-use-after-free in WebCore::LiveNodeListBase::invalidateCache
author tasak@google.com <tasak@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Jan 2013 07:14:27 +0000 (07:14 +0000)
committer tasak@google.com <tasak@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Jan 2013 07:14:27 +0000 (07:14 +0000)
commit efad4533ee2e0cab3de360abfc1a90e53e930ef3
tree e7784f1b839db48c94403cce4d7e9a5cafb82558
parent e9a7ebe9fee9542f961c21ca6220141bc89595ce
Heap-use-after-free in WebCore::LiveNodeListBase::invalidateCache
https://bugs.webkit.org/show_bug.cgi?id=106958

Reviewed by Ryosuke Niwa.

Need to update node lists that nodes in shadow dom trees have
when document is changed.

No new tests; it is difficult to reproduce crash by using
DumpRenderTree. Manually tested by using attached repro.html.

* dom/NodeRareData.h:
(WebCore::NodeListsNodeData::adoptTreeScope):
Added to adopt node lists when tree scope is changed.
(WebCore::NodeListsNodeData::adoptDocument):
Renamed the original adoptTreeScope to adoptDocument.
* dom/TreeScopeAdopter.cpp:
(WebCore::TreeScopeAdopter::moveTreeToNewScope):
If document scope is not changed, modify to invoke adoptTreeScope.
(WebCore::TreeScopeAdopter::moveNodeToNewDocument):
Modify to invoke adoptDocument.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@140103 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/dom/NodeRareData.h
Source/WebCore/dom/TreeScopeAdopter.cpp