Bug 147704

Summary: Crash when removing children of a MathMLSelectElement
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: MathML
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, dbarton, fred.wang, kling, mrobinson, rniwa, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description    Flags
Patch          none
Patch          none

Description Chris Dumez 2015-08-05 16:11:24 PDT
Crash when removing children of a MathMLSelectElement:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff90cf0ef9 WebCore::MathMLSelectElement::updateSelectedChild() + 73
1   com.apple.WebCore             	0x00007fff90cf0f42 WebCore::MathMLSelectElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) + 18
2   com.apple.WebCore             	0x00007fff90252198 WebCore::ContainerNode::removeChildren() + 1064
3   com.apple.WebCore             	0x00007fff90ce9eda WebCore::replaceChildrenWithFragment(WebCore::ContainerNode&, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) + 74
4   com.apple.WebCore             	0x00007fff90759f94 WebCore::Element::setInnerHTML(WTF::String const&, int&) + 116
5   com.apple.WebCore             	0x00007fff90a4ffa5 WebCore::setJSElementInnerHTML(JSC::ExecState*, JSC::JSObject*, long long, long long) + 117
Comment 1 Chris Dumez 2015-08-05 16:11:44 PDT
rdar://problem/21940321
Comment 2 Chris Dumez 2015-08-05 16:19:53 PDT
Created attachment 258317 [details]
Patch
Comment 3 Ryosuke Niwa 2015-08-05 16:21:18 PDT
Comment on attachment 258317 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=258317&action=review

> LayoutTests/mathml/maction-removeChild.html:15
> +      var testSelect = document.getElementById("testSelect");
> +      testSelect.innerHTML = "123.123.123";
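
Review bot: The quoted lines do not say what a passing run looks like at the testSelect.innerHTML assignment, which is the step that clears the element's children. Since the failure being guarded against is a crash, the page should carry a short visible statement such as "This test passes if it does not crash." so the expected result documents the intent. The return value of getElementById("testSelect") is also used unchecked, so a mistyped id would throw on that same line for an unrelated reason and the test would no longer exercise the removal path.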

Can we just turn this into a text test by calling testRunner.dumpAsText()?
Comment 4 Chris Dumez 2015-08-05 16:25:28 PDT
Created attachment 258320 [details]
Patch
Comment 5 WebKit Commit Bot 2015-08-05 18:25:44 PDT
Comment on attachment 258320 [details]
Patch

Clearing flags on attachment: 258320

Committed r188014: <http://trac.webkit.org/changeset/188014>
Comment 6 WebKit Commit Bot 2015-08-05 18:25:48 PDT
All reviewed patches have been landed.  Closing bug.