Reviewed by Darin.
authorap@webkit.org <ap@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Jan 2008 19:52:24 +0000 (19:52 +0000)
committerap@webkit.org <ap@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Jan 2008 19:52:24 +0000 (19:52 +0000)
        <rdar://problem/5659812> CrashTracer: 462 crashes in Safari at com.apple.WebCore:
        WebCore::Node::setChanged + 96

        Test: fast/dom/cssTarget-crash.html

        * dom/Node.cpp: (WebCore::Node::removedFromDocument):
        Check to see if the node being removed is currently set as the Document's cssTarget.
Ê Ê Ê Ê If it is, clear the cssTarget to prevent a hanging reference to it.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29311 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/cssTarget-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/cssTarget-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/Node.cpp

index 2229c7a..b847eed 100644 (file)
@@ -1,3 +1,13 @@
+2008-01-08  Alexey Proskuryakov  <ap@webkit.org>
+
+        Reviewed by Darin.
+
+        <rdar://problem/5659812> CrashTracer: 462 crashes in Safari at com.apple.WebCore:
+        WebCore::Node::setChanged + 96
+
+        * fast/dom/cssTarget-crash-expected.txt: Added.
+        * fast/dom/cssTarget-crash.html: Added.
+
 2008-01-08  Anders Carlsson  <andersca@apple.com>
 
         Reviewed by Mitz.
diff --git a/LayoutTests/fast/dom/cssTarget-crash-expected.txt b/LayoutTests/fast/dom/cssTarget-crash-expected.txt
new file mode 100644 (file)
index 0000000..2d5735c
--- /dev/null
@@ -0,0 +1,2 @@
+Should not crash.
+
diff --git a/LayoutTests/fast/dom/cssTarget-crash.html b/LayoutTests/fast/dom/cssTarget-crash.html
new file mode 100644 (file)
index 0000000..db5669c
--- /dev/null
@@ -0,0 +1,30 @@
+<html>
+<body>
+<div><a href="rdar://4504805&4577323&4643028&5659812">Should not crash.</a></div>
+<form name="f" method="GET" action="#a"></form>
+<div id="anchors"><a name="a"></a></div>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+var stopped = false;
+setTimeout("doIt()", 0);
+setTimeout("stopped = true;", 100);
+function doIt() {
+    if (stopped) {
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+        return;
+    }
+    document.forms.f.submit();
+    var x=Math.random();
+    setTimeout("doIt("+x+")",10);
+    document.forms.f.action="#"+x;
+    document.getElementById("anchors").innerHTML+=
+        "<img width=100 height=100><a name=\""+x+"\"></a>";
+}
+</script>
+</body>
+</html>
index 2d669ab..ddb84a8 100644 (file)
@@ -1,3 +1,16 @@
+2008-01-08  Alexey Proskuryakov  <ap@webkit.org>
+
+        Reviewed by Darin.
+
+        <rdar://problem/5659812> CrashTracer: 462 crashes in Safari at com.apple.WebCore:
+        WebCore::Node::setChanged + 96
+
+        Test: fast/dom/cssTarget-crash.html
+
+        * dom/Node.cpp: (WebCore::Node::removedFromDocument):
+        Check to see if the node being removed is currently set as the Document's cssTarget.
+Ê Ê Ê Ê If it is, clear the cssTarget to prevent a hanging reference to it.
+
 2008-01-08  Adam Roben  <aroben@apple.com>
 
         * svg/svgtags.in: Touch this again for the sake of the Windows bots.
index dd835e4..976f4ee 100644 (file)
@@ -847,6 +847,9 @@ void Node::insertedIntoDocument()
 
 void Node::removedFromDocument()
 {
+    if (m_document && m_document->getCSSTarget() == this)
+        m_document->setCSSTarget(0);
+
     setInDocument(false);
     removedFromTree(false);
 }