Crash when removing children of a MathMLSelectElement
Author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Aug 2015 01:25:30 +0000 (01:25 +0000)
Committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Aug 2015 01:25:30 +0000 (01:25 +0000)
https://bugs.webkit.org/show_bug.cgi?id=147704
<rdar://problem/21940321>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When MathMLSelectElement::childrenChanged() is called after its
children have been removed, MathMLSelectElement calls
updateSelectedChild() which accesses m_selectedChild. However,
in this case, m_selectedChild is the previously selected child
and it may be destroyed at this point if it was removed. To avoid
this problem, MathMLSelectElement now keeps a strong ref to the
currently selected element.

Test: mathml/maction-removeChild.html

* mathml/MathMLSelectElement.h:

LayoutTests:

Add layout test that reproduces the crash under guardmalloc.

* mathml/maction-removeChild-expected.txt: Added.
* mathml/maction-removeChild.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@188014 268f45cc-cd09-0410-ab3c-d52691b4dbfc
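To make the failure mode in the description concrete, here is an added C++ sketch constructed for this page; it is not WebKit code. It defines a ref-counted Node, a minimal StrongRef standing in for RefPtr<Element>, and a SelectElement that, like MathMLSelectElement, remembers a selected child and refreshes it from childrenChanged(). The innerHTML-style replacement used by the layout test is run once with a raw Node* selection (the pre-patch layout) and once with a StrongRef; a liveness registry shows that the raw pointer refers to an already-destroyed node by the time updateSelectedChild() runs, while the strong reference keeps the old child alive until the selection is reassigned. All names, and the ordering assumption that replacement children are constructed before the old ones are released, belong to the sketch.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-ins for WebCore's ref-counted Element and RefPtr.
// All names here are hypothetical; none of this is WebKit code.
struct Node;
static std::set<const Node*> g_liveNodes;   // addresses of nodes not yet destroyed

struct Node {
    std::string name;
    unsigned refCount = 0;
    explicit Node(std::string n) : name(std::move(n)) { g_liveNodes.insert(this); }
    ~Node() { g_liveNodes.erase(this); }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

// Minimal strong reference in the spirit of RefPtr<Element>: owns one ref.
class StrongRef {
public:
    StrongRef() = default;
    StrongRef(Node* n) : m_ptr(n) { if (m_ptr) m_ptr->ref(); }
    StrongRef(const StrongRef& o) : StrongRef(o.m_ptr) {}
    StrongRef(StrongRef&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    StrongRef& operator=(StrongRef o) { std::swap(m_ptr, o.m_ptr); return *this; }
    ~StrongRef() { if (m_ptr) m_ptr->deref(); }
    Node* get() const { return m_ptr; }
private:
    Node* m_ptr = nullptr;
};

// A parent that remembers one selected child, like MathMLSelectElement.
// Holder is Node* for the pre-fix layout and StrongRef for the fixed one.
template <typename Holder>
class SelectElement {
public:
    void appendChild(Node* n) { m_children.emplace_back(n); childrenChanged(); }

    // What an innerHTML assignment amounts to: old children go away, the new
    // ones are inserted, then the element is notified once.
    void replaceChildren(std::vector<StrongRef> newChildren) {
        m_children = std::move(newChildren);   // old children drop the ref the vector held
        childrenChanged();
    }

    // True if the previous selection pointed at an already-destroyed node when
    // updateSelectedChild() ran, i.e. real code would have read freed memory.
    bool lastUpdateSawDanglingSelection() const { return m_sawDangling; }
    Node* selectedChild() const { return toRaw(m_selectedChild); }

private:
    static Node* toRaw(Node* p) { return p; }
    static Node* toRaw(const StrongRef& r) { return r.get(); }

    void childrenChanged() { updateSelectedChild(); }

    void updateSelectedChild() {
        Node* previous = toRaw(m_selectedChild);
        // Consult the registry instead of dereferencing `previous`, which may be
        // freed memory in the raw-pointer configuration.
        m_sawDangling = previous && !g_liveNodes.count(previous);
        m_selectedChild = m_children.empty() ? nullptr : m_children.front().get();
    }

    std::vector<StrongRef> m_children;
    Holder m_selectedChild{};
    bool m_sawDangling = false;
};

// Mirrors the layout test's sequence: <mi>, <mspace/>, then an innerHTML
// replacement with a single text node (constructed names).
template <typename Holder>
static bool selectionDanglesAfterReplace() {
    SelectElement<Holder> maction;
    maction.appendChild(new Node("mi:g"));
    maction.appendChild(new Node("mspace"));
    std::vector<StrongRef> replacement;
    replacement.emplace_back(new Node("#text:123.123.123"));  // allocated before the old children die
    maction.replaceChildren(std::move(replacement));
    return maction.lastUpdateSawDanglingSelection();
}

bool rawPointerSelectionDangles() { return selectionDanglesAfterReplace<Node*>(); }
bool strongRefSelectionStaysValid() { return !selectionDanglesAfterReplace<StrongRef>(); }

int main() {
    std::printf("raw Element* selection dangles:     %s\n", rawPointerSelectionDangles() ? "yes" : "no");
    std::printf("RefPtr-style selection stays valid: %s\n", strongRefSelectionStaysValid() ? "yes" : "no");
    std::printf("nodes still alive at exit: %zu\n", g_liveNodes.size());
    return 0;
}
```

The registry check is what makes the sketch safe to run: real code would dereference the stale pointer, which is exactly what guardmalloc turns into the deterministic crash the layout test relies on. Note that the strong reference only bounds the lifetime until the next updateSelectedChild(); it does not remove the need for that function to reset the member when no child qualifies.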

LayoutTests/ChangeLog
LayoutTests/mathml/maction-removeChild-expected.txt [new file with mode: 0644]
LayoutTests/mathml/maction-removeChild.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/mathml/MathMLSelectElement.h

index 2e8fe1f..57b9bb0 100644 (file)
@@ -1,3 +1,16 @@
+2015-08-05  Chris Dumez  <cdumez@apple.com>
+
+        Crash when removing children of a MathMLSelectElement
+        https://bugs.webkit.org/show_bug.cgi?id=147704
+        <rdar://problem/21940321>
+
+        Reviewed by Ryosuke Niwa.
+
+        Add layout test that reproduces the crash under guardmalloc.
+
+        * mathml/maction-removeChild-expected.txt: Added.
+        * mathml/maction-removeChild.html: Added.
+
 2015-08-05  Simon Fraser  <simon.fraser@apple.com>
 
         Move platform/ios-simulator/ios/fast/events/touch tests to fast/events/touch
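Review bot: the description line in this entry ("Add layout test that reproduces the crash under guardmalloc.") does not say what the test does to trigger the crash; since the test in this patch replaces an maction's children through an innerHTML assignment, one clause to that effect would let a reader locate the regression scenario without opening the test file.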
diff --git a/LayoutTests/mathml/maction-removeChild-expected.txt b/LayoutTests/mathml/maction-removeChild-expected.txt
new file mode 100644 (file)
index 0000000..e53ea9b
--- /dev/null
@@ -0,0 +1,3 @@
+This test passes if it does not crash
+
+
diff --git a/LayoutTests/mathml/maction-removeChild.html b/LayoutTests/mathml/maction-removeChild.html
new file mode 100644 (file)
index 0000000..0d66261
--- /dev/null
@@ -0,0 +1,19 @@
+<!doctype html>
+<html>
+  <body>
+    <p>This test passes if it does not crash</p>
+    <math>
+      <maction id="testSelect" actiontype="toggle" selection="2">
+        <mi>g</mi>
+        <mspace/>
+      </maction>
+    </math>
+    <script>
+      if (window.testRunner)
+        testRunner.dumpAsText();
+
+      var testSelect = document.getElementById("testSelect");
+      testSelect.innerHTML = "123.123.123";
+    </script>
+  </body>
+</html>
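Review bot: the file name says removeChild, but the script never calls removeChild(); it replaces the children via `testSelect.innerHTML = "123.123.123";`, which reaches the same removal-then-childrenChanged() path but is easy to miss when searching tests by DOM API. Either rename the test or add a second step that removes the selected child directly (the `<mspace/>` picked by `selection="2"`) so both routes into MathMLSelectElement::childrenChanged() are covered. As written the test only fails under guardmalloc or a similar allocator; without one a stale read usually goes unnoticed, which is normal for a crash test but worth keeping in mind when it is run on bots without that configuration.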
index 56f88e3..4edfb6f 100644 (file)
@@ -1,3 +1,23 @@
+2015-08-05  Chris Dumez  <cdumez@apple.com>
+
+        Crash when removing children of a MathMLSelectElement
+        https://bugs.webkit.org/show_bug.cgi?id=147704
+        <rdar://problem/21940321>
+
+        Reviewed by Ryosuke Niwa.
+
+        When MathMLSelectElement::childrenChanged() is called after its
+        children have been removed, MathMLSelectElement calls
+        updateSelectedChild() which accesses m_selectedChild. However,
+        in this case, m_selectedChild is the previously selected child
+        and it may be destroyed as this point if it was removed. To avoid
+        this problem, MathMLSelectElement now keep a strong ref to the
+        currently selected element.
+
+        Test: mathml/maction-removeChild.html
+
+        * mathml/MathMLSelectElement.h:
+
 2015-08-05  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Migrate FontCascade.cpp to NeverDestroyed
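Review bot: two grammar slips in the description: "it may be destroyed as this point" should read "at this point", and "MathMLSelectElement now keep a strong ref" should read "now keeps". The bare `* mathml/MathMLSelectElement.h:` line would also read better with a short phrase noting that m_selectedChild became a RefPtr<Element>, since that is the entire code change in this patch.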
index 4263bb3..38ed70c 100644 (file)
@@ -56,7 +56,7 @@ private:
     Element* getSelectedSemanticsChild();
 
     void updateSelectedChild() override;
-    Element* m_selectedChild;
+    RefPtr<Element> m_selectedChild;
 };
 
 }
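Review bot: changing `Element* m_selectedChild;` to `RefPtr<Element> m_selectedChild;` removes the dangling pointer the description explains, but the fix relies on updateSelectedChild() in the .cpp (not in this diff) overwriting the member on every childrenChanged() call; please confirm it also assigns nullptr when no child qualifies, otherwise the strong reference keeps a removed child, and everything it references, alive until the element itself is destroyed. One side effect of the new type: a RefPtr member is null-initialized, so if the constructor initializer list still sets m_selectedChild to nullptr explicitly, that initializer is now redundant and can be dropped.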