Google Git
Sign in
webkit / WebKit / 886b7c51015dd539242e1a8137bbcd38e0b30885
commit886b7c51015dd539242e1a8137bbcd38e0b30885[log] [tgz]
authoralokp@chromium.org <alokp@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Feb 28 19:15:16 2012 +0000
committeralokp@chromium.org <alokp@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Feb 28 19:15:16 2012 +0000
treeb2ac641aba4f23ce6180422b3fa72f18767a3832
parent97f6819f86cf17f19db3294872d112bac8d90f14 [diff]
Heap-use-after-free in WebCore::RenderLayer::addChild
https://bugs.webkit.org/show_bug.cgi?id=79698

Reviewed by Simon Fraser.

Source/WebCore:

This patch fixes a regression introduced in r108659.
The reflection layer was moved to the parent by mistake. It was then
deleted and the parent was left holding on to a deleted pointer. This
patch restores the location where reflection layer is removed - before
moving the child layers.

Test: fast/reflections/toggle-reflection-crash.html

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::removeOnlyThisLayer):

LayoutTests:

* fast/reflections/toggle-reflection-crash-expected.txt: Added.
* fast/reflections/toggle-reflection-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@109125 268f45cc-cd09-0410-ab3c-d52691b4dbfc
5 files changed
tree: b2ac641aba4f23ce6180422b3fa72f18767a3832
  1. Examples/
  2. LayoutTests/
  3. ManualTests/
  4. PerformanceTests/
  5. Source/
  6. Tools/
  7. WebKitLibraries/
  8. Websites/
  9. .dir-locals.el
  10. .gitattributes
  11. .gitignore
  12. autogen.sh
  13. ChangeLog
  14. CMakeLists.txt
  15. configure.ac
  16. GNUmakefile.am
  17. Makefile
  18. Makefile.shared
  19. WebKit.pro
  20. wscript