Chromium Code Reviews

Unified Diff: Source/core/dom/Node.cpp

Issue 19303002: Fix crash due to unexpected Node deletion during MutationObserver registration book-keeping (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 7 years, 5 months ago
Index: Source/core/dom/Node.cpp
diff --git a/Source/core/dom/Node.cpp b/Source/core/dom/Node.cpp
index c970b388b6136f35682a593200c75701752e03be..d165760f089b6a69d55d8ef0a625350fbdebd8d5 100644
--- a/Source/core/dom/Node.cpp
+++ b/Source/core/dom/Node.cpp
@@ -2278,6 +2278,10 @@ void Node::unregisterMutationObserver(MutationObserverRegistration* registration
if (index == notFound)
return;
+ // Deleting the registration may cause this node to be derefed, so we must make sure the Vector operation completes
+ // before that, in case |this| is destroyed (see MutationObserverRegistration::m_registrationNodeKeepAlive).
+ // FIXME: Simplify the registration/transient registration logic to make this understandable by humans.
+ RefPtr<Node> protect(this);
registry->remove(index);
}
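
Review bot: `RefPtr<Node> protect(this);` only keeps |this| alive until the closing brace of unregisterMutationObserver, so the node can still be destroyed as the function returns, once `registry->remove(index);` has dropped the last other reference. The new comment should say that explicitly, so callers know not to touch the node after this call unless they hold their own reference. The FIXME would also be easier to follow up if it carried a bug number.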