Fetch parentNode after toNormalizedRange() call has happened in containsNode()
toNormalizedRange() call can trigger layout, there removing the last
reference to parentNode. We don't need to RefPtr parentNode since later
callers don't modify it.
BUG=242114
Review URL: https://chromiumcodereview.appspot.com/15390003
git-svn-id: svn://svn.chromium.org/blink/trunk@150685 bbb929c8-8fbe-4397-9dbb-9b2b20218538
diff --git a/LayoutTests/editing/selection/contains-node-crash-expected.txt b/LayoutTests/editing/selection/contains-node-crash-expected.txt
new file mode 100644
index 0000000..b41c4bb
--- /dev/null
+++ b/LayoutTests/editing/selection/contains-node-crash-expected.txt
@@ -0,0 +1 @@
+Pass. Test didn't crash.
diff --git a/LayoutTests/editing/selection/contains-node-crash.html b/LayoutTests/editing/selection/contains-node-crash.html
new file mode 100755
index 0000000..ef0c04e
--- /dev/null
+++ b/LayoutTests/editing/selection/contains-node-crash.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html style="display: inline-table">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+window.onload = function() {
+ var selection = window.getSelection();
+ selection.selectAllChildren(document);
+ selection.collapseToEnd();
+ var element = document.activeElement;
+ document.open();
+ document.write("Pass. Test didn't crash.");
+ document.close();
+ selection.containsNode(element,true);
+}
+</script>
+</html>
diff --git a/Source/core/page/DOMSelection.cpp b/Source/core/page/DOMSelection.cpp
index ed91368..5e34937 100644
--- a/Source/core/page/DOMSelection.cpp
+++ b/Source/core/page/DOMSelection.cpp
@@ -454,10 +454,10 @@
if (!n || m_frame->document() != n->document() || selection->isNone())
return false;
- ContainerNode* parentNode = n->parentNode();
unsigned nodeIndex = n->nodeIndex();
RefPtr<Range> selectedRange = selection->selection().toNormalizedRange();
+ ContainerNode* parentNode = n->parentNode();
if (!parentNode)
return false;
