| Index: Source/WebCore/dom/Document.cpp
|
| ===================================================================
|
| --- Source/WebCore/dom/Document.cpp (revision 129270)
|
| +++ Source/WebCore/dom/Document.cpp (working copy)
|
| @@ -5743,6 +5743,10 @@
|
|
|
| void Document::fullScreenChangeDelayTimerFired(Timer<Document>*)
|
| {
|
| + // Since we dispatch events in this function, it's possible that the
|
| + // document will be detached and GC'd. We protect it here to make sure we
|
| + // can finish the function successfully.
|
| + RefPtr<Document> protectDocument(this);
|
| Deque<RefPtr<Node> > changeQueue;
|
| m_fullScreenChangeEventTargetQueue.swap(changeQueue);
|
|
|
| @@ -5750,6 +5754,9 @@
|
| RefPtr<Node> node = changeQueue.takeFirst();
|
| if (!node)
|
| node = documentElement();
|
| + // The dispatchEvent below may have blown away our documentElement.
|
| + if (!node)
|
| + continue;
|
|
|
| // If the element was removed from our tree, also message the documentElement. Since we may
|
| // have a document hierarchy, check that node isn't in another document.
|
| @@ -5766,6 +5773,9 @@
|
| RefPtr<Node> node = errorQueue.takeFirst();
|
| if (!node)
|
| node = documentElement();
|
| + // The dispatchEvent below may have blown away our documentElement.
|
| + if (!node)
|
| + continue;
|
|
|
| // If the element was removed from our tree, also message the documentElement. Since we may
|
| // have a document hierarchy, check that node isn't in another document.
|
|
|
Chromium Code Reviews
Issue 10969052:
Merge 129270 - Crash in WebCore::Document::fullScreenChangeDelayTimerFired (Closed)
Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1229/