Fix crash due to unexpected Node deletion during MutationObserver registration book...
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 30 Jul 2013 00:12:02 +0000 (00:12 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 30 Jul 2013 00:12:02 +0000 (00:12 +0000)
commit 1dcb35cc5697c04409b011a7ad6342f4d3fd816c
tree bc5fbb7a706023f33ba31f62274f3e0d4bb8dfe4
parent ecde3b961ed0271515018c89ae633377e4c1c3bb
Fix crash due to unexpected Node deletion during MutationObserver registration book-keeping
https://bugs.webkit.org/show_bug.cgi?id=119124

Reviewed by Sam Weinig.

Merge https://chromium.googlesource.com/chromium/blink/+/b6afb927695b3acf2c75c25f05e99682660993e2

No new tests since I could not reproduce the crash with the test attached in the Blink change.

The bug was caused by Node::unregisterMutationObserver removing the MutationObserverRegistration
that holds the last ref to the node. Avoid that by explicitly allocating a local RefPtr to the node
in MutationObserverRegistration::unregister. Also rename it to unregisterAndDelete to clarify
the semantics and make it a static member function to be even safer.

* dom/MutationObserver.cpp:
(WebCore::MutationObserver::disconnect):
* dom/MutationObserverRegistration.cpp:
(WebCore::MutationObserverRegistration::unregisterAndDelete):
* dom/MutationObserverRegistration.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153447 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/dom/MutationObserver.cpp
Source/WebCore/dom/MutationObserverRegistration.cpp
Source/WebCore/dom/MutationObserverRegistration.h
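
The lifetime problem described in the commit message, as an added C++ sketch that is not WebKit's code: `Registration`, this `Node`, `runDemo` and the event log are constructed stand-ins, and `std::shared_ptr` is assumed in place of WebKit's `RefPtr`. The local `protect` reference keeps the node alive until the removal bookkeeping has finished, so the node is destroyed only after `unregisterMutationObserver` has returned.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct Node;

// Constructed stand-in for a MutationObserverRegistration.
struct Registration {
    Node* node = nullptr;             // back-pointer to the owning node
    std::shared_ptr<Node> keepAlive;  // may be the last reference to that node
};

struct Node : std::enable_shared_from_this<Node> {
    std::vector<std::unique_ptr<Registration>> registrations;
    std::vector<std::string>* log;    // event trace, outlives the node
    explicit Node(std::vector<std::string>* l) : log(l) {}
    ~Node() { log->push_back("node destroyed"); }

    void unregisterMutationObserver(Registration* r) {
        auto it = std::find_if(registrations.begin(), registrations.end(),
            [r](const std::unique_ptr<Registration>& p) { return p.get() == r; });
        if (it == registrations.end()) return;
        registrations.erase(it);  // destroys *r and drops r->keepAlive
        // Still inside a member function: `this` must be alive here.
        log->push_back("bookkeeping finished");
    }
};

// Free function standing in for the static member: it never runs on a dying object.
void unregisterAndDelete(Registration* r) {
    std::shared_ptr<Node> protect = r->node->shared_from_this();  // local ref
    protect->unregisterMutationObserver(r);
    // r is deleted now; the node is released only when `protect` goes out of scope.
}

std::vector<std::string> runDemo() {
    std::vector<std::string> log;
    auto node = std::make_shared<Node>(&log);
    auto reg = std::make_unique<Registration>();
    reg->node = node.get();
    reg->keepAlive = node;
    Registration* raw = reg.get();
    node->registrations.push_back(std::move(reg));
    node.reset();  // the registration now holds the last reference
    unregisterAndDelete(raw);
    log.push_back("unregister returned");
    return log;
}
```

Without the `protect` line, erasing the registration would drop the last reference and destroy the node while `unregisterMutationObserver` is still executing on it.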