WebKit GIT trees - WebKit-https.git/commit

Element::focus() should acquire the ownership of Frame.
https://bugs.webkit.org/show_bug.cgi?id=150204
<rdar://problem/23136794>

Reviewed by Brent Fulgham.

Source/WebCore:

The FrameSelection::setSelection method sometimes releases the last reference to a frame.
When this happens, the Element::updateFocusAppearance would attempt to use dereferenced memory.
Instead, we should ensure that the Frame lifetime is guaranteed to extend through the duration
of the method call.

Test: editing/selection/focus-iframe-removal-crash.html

* dom/Element.cpp:
(WebCore::Element::updateFocusAppearance):

LayoutTests:

* editing/selection/focus-iframe-removal-crash-expected.txt: Added.
* editing/selection/focus-iframe-removal-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@192433 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 13 Nov 2015 18:36:31 +0000 (18:36 +0000)
committer	jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 13 Nov 2015 18:36:31 +0000 (18:36 +0000)
commit	2793675bbbff6620f78c10a9219db3740168c890
tree	c7dc9ac0f5e892158874fcc249e650963ece64a0	tree \| snapshot
parent	3877b6974febd0a941cb3febacd7a469e59554cc	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt	[new file with mode: 0644]	blob
LayoutTests/editing/selection/focus-iframe-removal-crash.html	[new file with mode: 0644]	blob
Source/WebCore/ChangeLog		diff \| blob \| history
Source/WebCore/dom/Element.cpp		diff \| blob \| history