Title: [104845] trunk
- Revision: 104845
- Author: an...@apple.com
- Date: 2012-01-12 12:21:51 -0800 (Thu, 12 Jan 2012)
Log Message
REGRESSION(r104060): Setting user stylesheet may leave CSSStyleSelector with stale rule pointers
https://bugs.webkit.org/show_bug.cgi?id=76191
Source/WebCore:
Reviewed by Andreas Kling.
Setting the user style sheet frees the existing user style sheet data structures. The code
in Document::updatePageGroupUserSheets then relies on styleSelectorChanged to clear the
style selector so it is not left with stale pointers. However, under certain conditions
involving pending stylesheets it may bail out quickly without clearing.
Document::styleSelectorChanged has to take care that it never leaves the style selector stale
even when bailing out early.
Test: fast/css/user-stylesheet-crash.html
* dom/Document.cpp:
(WebCore::Document::styleSelectorChanged):
LayoutTests:
Reviewed by Andreas Kling.
* fast/css/user-stylesheet-crash-expected.txt: Added.
* fast/css/user-stylesheet-crash.html: Added.
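The lifetime problem the log message describes, modelled as an added example (hypothetical C++, not WebKit code): a selector caches non-owning pointers into rules owned by the user sheet, the sheet is replaced and freed, and the change notification bails out early. `leavesStaleSelector(false)` models the early return before this revision, `leavesStaleSelector(true)` the early return with the `m_styleSelector.clear()` added here; the names `Rule`, `StyleSelector`, `Document` and `sheetGeneration` are assumptions of the model.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model of the ownership in the commit message (not WebKit code):
// the selector caches non-owning pointers into rules that the document's user sheet owns.
struct Rule { std::string text; };

struct StyleSelector {
    unsigned sheetGeneration;                 // which user sheet the cached pointers point into
    std::vector<const Rule*> cachedRules;     // raw pointers; dangle once that sheet is freed
    StyleSelector(const std::vector<Rule>& sheet, unsigned gen) : sheetGeneration(gen) {
        for (const Rule& r : sheet) cachedRules.push_back(&r);
    }
};

struct Document {
    bool attached = true;
    bool didCalculateStyleSelector = false;   // first full selector calculation not done yet
    bool haveStylesheetsLoaded = false;       // a <link> (like does_not_exist.css) is still pending
    bool clearOnBailOut;                      // true models the early return after this fix
    unsigned sheetGeneration = 0;
    std::unique_ptr<std::vector<Rule>> userSheet;
    std::unique_ptr<StyleSelector> styleSelector;
    explicit Document(bool fixed) : clearOnBailOut(fixed) {}

    // Mirrors the early return in styleSelectorChanged; before the fix it kept the old selector.
    void styleSelectorChanged() {
        if (!attached || (!didCalculateStyleSelector && !haveStylesheetsLoaded)) {
            if (clearOnBailOut) styleSelector.reset();   // the one-line change in the patch
            return;
        }
        styleSelector = std::make_unique<StyleSelector>(*userSheet, sheetGeneration);
        didCalculateStyleSelector = true;
    }
    // Free the old sheet (its Rule objects die), install the new one, then notify.
    void setUserStyleSheet(const std::string& text) {
        userSheet = std::make_unique<std::vector<Rule>>(1, Rule{text});
        ++sheetGeneration;
        styleSelectorChanged();
    }
};

// True when a selector built against the freed sheet is still installed after the replacement.
bool leavesStaleSelector(bool fixed) {
    Document doc(fixed);
    doc.setUserStyleSheet("#test { color: red }");
    // A selector was built against generation 1 before the pending stylesheet finished loading.
    doc.styleSelector = std::make_unique<StyleSelector>(*doc.userSheet, doc.sheetGeneration);
    doc.setUserStyleSheet("#test { color: blue }");   // frees generation 1's rules, bails out early
    return doc.styleSelector && doc.styleSelector->sheetGeneration != doc.sheetGeneration;
}
```

The model never dereferences the dangling pointers; it only reports whether a selector tied to a freed sheet survives the notification, which is the state the real code would later read from.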
Diff
Modified: trunk/LayoutTests/ChangeLog (104844 => 104845)
--- trunk/LayoutTests/ChangeLog 2012-01-12 20:14:49 UTC (rev 104844)
+++ trunk/LayoutTests/ChangeLog 2012-01-12 20:21:51 UTC (rev 104845)
@@ -1,3 +1,13 @@
+2012-01-12 Antti Koivisto <an...@apple.com>
+
+ REGRESSION(r104060): Setting user stylesheet may leave CSSStyleSelector with stale rule pointers
+ https://bugs.webkit.org/show_bug.cgi?id=76191
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/user-stylesheet-crash-expected.txt: Added.
+ * fast/css/user-stylesheet-crash.html: Added.
+
2012-01-12 Joshua Bell <jsb...@chromium.org>
IndexedDB: Raise NON_TRANSIENT_ERR when invalid mode specified for transaction
Added: trunk/LayoutTests/fast/css/user-stylesheet-crash-expected.txt (0 => 104845)
--- trunk/LayoutTests/fast/css/user-stylesheet-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/user-stylesheet-crash-expected.txt 2012-01-12 20:21:51 UTC (rev 104845)
@@ -0,0 +1 @@
+This test requires DRT. It passes if it doesn't crash.
Added: trunk/LayoutTests/fast/css/user-stylesheet-crash.html (0 => 104845)
--- trunk/LayoutTests/fast/css/user-stylesheet-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/user-stylesheet-crash.html 2012-01-12 20:21:51 UTC (rev 104845)
@@ -0,0 +1,31 @@
+<html>
+<head>
+<script>
+function createIframe()
+{
+ var iframe = document.createElement("iframe");
+ document.body.appendChild(iframe);
+ var iframeDocument = iframe.contentDocument;
+ var link = iframeDocument.createElement("link");
+ link.setAttribute("rel", "stylesheet");
+ link.setAttribute("href", "does_not_exist.css");
+ iframeDocument.head.appendChild(link);
+ if (window.layoutTestController) {
+ layoutTestController.addUserStyleSheet("#test { color: blue: }", true);
+ setTimeout("window.layoutTestController.notifyDone()", 100);
+ }
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.addUserStyleSheet("#test { color: red: }", true);
+}
+setTimeout("createIframe()", 0);
+
+</script>
+</head>
+<body>
+This test requires DRT. It passes if it doesn't crash.
+</body>
+</html>
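Review bot: the user style sheet text passed to addUserStyleSheet in both calls, "#test { color: red: }" and "#test { color: blue: }", carries a stray second colon, so the declaration is invalid CSS and the rule set it produces is empty or error-recovered; if that is intentional (to exercise the parser's recovery path) a comment saying so would help, otherwise drop the extra colon so the test also covers the case where the replaced sheet actually holds rules. The 100 ms setTimeout before notifyDone() is also a fixed delay rather than an event the test waits for; it passes as long as the second addUserStyleSheet runs against the iframe document while does_not_exist.css is still pending, which this ordering does ensure, but the reason should be stated in a comment so the delay is not shortened later.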
Modified: trunk/Source/WebCore/ChangeLog (104844 => 104845)
--- trunk/Source/WebCore/ChangeLog 2012-01-12 20:14:49 UTC (rev 104844)
+++ trunk/Source/WebCore/ChangeLog 2012-01-12 20:21:51 UTC (rev 104845)
@@ -1,3 +1,23 @@
+2012-01-12 Antti Koivisto <an...@apple.com>
+
+ REGRESSION(r104060): Setting user stylesheet may leave CSSStyleSelector with stale rule pointers
+ https://bugs.webkit.org/show_bug.cgi?id=76191
+
+ Reviewed by Andreas Kling.
+
+ Setting the user style sheet frees the existing user style sheet data structures. The code
+ in Document::updatePageGroupUserSheets then relies on styleSelectorChanged to clear the
+ style selector so it is not left with stale pointers. However under certain conditions
+ involving pending stylesheets it may bail out quickly without clearing.
+
+ Document::styleSelectorChanged has to take care that it never leaves the style selector stale
+ even when bailing out early.
+
+ Test: fast/css/user-stylesheet-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::styleSelectorChanged):
+
2012-01-12 Nat Duca <nd...@chromium.org>
[chromium] Turn off FrameRateController timesource when it is not needed
Modified: trunk/Source/WebCore/dom/Document.cpp (104844 => 104845)
--- trunk/Source/WebCore/dom/Document.cpp 2012-01-12 20:14:49 UTC (rev 104844)
+++ trunk/Source/WebCore/dom/Document.cpp 2012-01-12 20:21:51 UTC (rev 104845)
@@ -2981,8 +2981,10 @@
{
// Don't bother updating, since we haven't loaded all our style info yet
// and haven't calculated the style selector for the first time.
- if (!attached() || (!m_didCalculateStyleSelector && !haveStylesheetsLoaded()))
+ if (!attached() || (!m_didCalculateStyleSelector && !haveStylesheetsLoaded())) {
+ m_styleSelector.clear();
return;
+ }
#ifdef INSTRUMENT_LAYOUT_SCHEDULING
if (!ownerElement())
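Review bot: the comment above the condition, "Don't bother updating, since we haven't loaded all our style info yet", no longer describes what the branch does now that it calls m_styleSelector.clear() before returning; update it to say that the early return must still drop any existing selector because the caller (Document::updatePageGroupUserSheets, per the log message) may have just freed the user sheet data the selector points into. Clearing here is the right call for both sides of the || condition, since a detached document's selector is equally unsafe to keep, and it is cheap because a selector is recreated lazily on the next access; a one-line note to that effect beside the clear() would save the next reader from wondering whether the !attached() case needed it.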
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes