147704 – Crash when removing children of a MathMLSelectElement

RESOLVED FIXED 147704

Crash when removing children of a MathMLSelectElement

https://bugs.webkit.org/show_bug.cgi?id=147704

Summary Crash when removing children of a MathMLSelectElement

Chris Dumez

Reported 2015-08-05 16:11:24 PDT

Crash when removing children of a MathMLSelectElement: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff90cf0ef9 WebCore::MathMLSelectElement::updateSelectedChild() + 73 1 com.apple.WebCore 0x00007fff90cf0f42 WebCore::MathMLSelectElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) + 18 2 com.apple.WebCore 0x00007fff90252198 WebCore::ContainerNode::removeChildren() + 1064 3 com.apple.WebCore 0x00007fff90ce9eda WebCore::replaceChildrenWithFragment(WebCore::ContainerNode&, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) + 74 4 com.apple.WebCore 0x00007fff90759f94 WebCore::Element::setInnerHTML(WTF::String const&, int&) + 116 5 com.apple.WebCore 0x00007fff90a4ffa5 WebCore::setJSElementInnerHTML(JSC::ExecState*, JSC::JSObject*, long long, long long) + 117

Attachments
Patch (3.71 KB, patch) 2015-08-05 16:19 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Patch (3.40 KB, patch) 2015-08-05 16:25 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2015-08-05 16:11:44 PDT

rdar://problem/21940321

Chris Dumez

Comment 2 2015-08-05 16:19:53 PDT

Created attachment 258317 [details] Patch

Ryosuke Niwa

Comment 3 2015-08-05 16:21:18 PDT

Comment on attachment 258317 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=258317&action=review > LayoutTests/mathml/maction-removeChild.html:15 > + var testSelect = document.getElementById("testSelect"); > + testSelect.innerHTML = "123.123.123"; Can we just turn this into a text test by calling testRunner.dumpAsText()?

Chris Dumez

Comment 4 2015-08-05 16:25:28 PDT

Created attachment 258320 [details] Patch

WebKit Commit Bot

Comment 5 2015-08-05 18:25:44 PDT

Comment on attachment 258320 [details] Patch Clearing flags on attachment: 258320 Committed r188014: <http://trac.webkit.org/changeset/188014>

WebKit Commit Bot

Comment 6 2015-08-05 18:25:48 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component MathML

Assignee

Chris Dumez

Reported

2015-08-05 16:11 PDT

Modified

2015-08-05 18:25 PDT History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks