Element::focus() should acquire the ownership of Frame.
https://bugs.webkit.org/show_bug.cgi?id=150204
<rdar://problem/
23136794>
Reviewed by Brent Fulgham.
Source/WebCore:
The FrameSelection::setSelection method sometimes releases the last reference to a frame.
When this happens, the Element::updateFocusAppearance would attempt to use dereferenced memory.
Instead, we should ensure that the Frame lifetime is guaranteed to extend through the duration
of the method call.
Test: editing/selection/focus-iframe-removal-crash.html
* dom/Element.cpp:
(WebCore::Element::updateFocusAppearance):
LayoutTests:
* editing/selection/focus-iframe-removal-crash-expected.txt: Added.
* editing/selection/focus-iframe-removal-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@192433
268f45cc-cd09-0410-ab3c-
d52691b4dbfc