Bug 147704

Summary: Crash when removing children of a MathMLSelectElement
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: MathMLAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, dbarton, fred.wang, kling, mrobinson, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Chris Dumez
Reported 2015-08-05 16:11:24 PDT
Crash when removing children of a MathMLSelectElement: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff90cf0ef9 WebCore::MathMLSelectElement::updateSelectedChild() + 73 1 com.apple.WebCore 0x00007fff90cf0f42 WebCore::MathMLSelectElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) + 18 2 com.apple.WebCore 0x00007fff90252198 WebCore::ContainerNode::removeChildren() + 1064 3 com.apple.WebCore 0x00007fff90ce9eda WebCore::replaceChildrenWithFragment(WebCore::ContainerNode&, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) + 74 4 com.apple.WebCore 0x00007fff90759f94 WebCore::Element::setInnerHTML(WTF::String const&, int&) + 116 5 com.apple.WebCore 0x00007fff90a4ffa5 WebCore::setJSElementInnerHTML(JSC::ExecState*, JSC::JSObject*, long long, long long) + 117
Attachments
Patch (3.71 KB, patch)
2015-08-05 16:19 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (3.40 KB, patch)
2015-08-05 16:25 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2015-08-05 16:11:44 PDT
rdar://problem/21940321
Chris Dumez
Comment 2 2015-08-05 16:19:53 PDT
Created attachment 258317 [details] Patch
Ryosuke Niwa
Comment 3 2015-08-05 16:21:18 PDT
Comment on attachment 258317 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=258317&action=review > LayoutTests/mathml/maction-removeChild.html:15 > + var testSelect = document.getElementById("testSelect"); > + testSelect.innerHTML = "123.123.123"; Can we just turn this into a text test by calling testRunner.dumpAsText()?
Chris Dumez
Comment 4 2015-08-05 16:25:28 PDT
Created attachment 258320 [details] Patch
WebKit Commit Bot
Comment 5 2015-08-05 18:25:44 PDT
Comment on attachment 258320 [details] Patch Clearing flags on attachment: 258320 Committed r188014: <http://trac.webkit.org/changeset/188014>
WebKit Commit Bot
Comment 6 2015-08-05 18:25:48 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.