Title: [212740] branches/safari-603-branch
- Revision
- 212740
- Author
- matthew_han...@apple.com
- Date
- 2017-02-21 12:57:03 -0800 (Tue, 21 Feb 2017)
Log Message
Merge r212737. rdar://problem/30636274
Modified Paths
Added Paths
Diff
Modified: branches/safari-603-branch/LayoutTests/ChangeLog (212739 => 212740)
--- branches/safari-603-branch/LayoutTests/ChangeLog 2017-02-21 20:15:11 UTC (rev 212739)
+++ branches/safari-603-branch/LayoutTests/ChangeLog 2017-02-21 20:57:03 UTC (rev 212740)
@@ -1,3 +1,18 @@
+2017-02-21 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r212737. rdar://problem/30636274
+
+ 2017-02-21 Antti Koivisto <an...@apple.com>
+
+ REGRESSION(r207669): Crash after mutating selector text
+ https://bugs.webkit.org/show_bug.cgi?id=168655
+ <rdar://problem/30632111>
+
+ Reviewed by Brent Fulgham.
+
+ * fast/css/selector-text-mutation-crash-expected.txt: Added.
+ * fast/css/selector-text-mutation-crash.html: Added.
+
2017-02-18 Ryosuke Niwa <rn...@webkit.org>
REGRESSION(r212218): Assertion failures in and after parserRemoveChild
Added: branches/safari-603-branch/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt (0 => 212740)
--- branches/safari-603-branch/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt 2017-02-21 20:57:03 UTC (rev 212740)
@@ -0,0 +1 @@
+PASS
Added: branches/safari-603-branch/LayoutTests/fast/css/selector-text-mutation-crash.html (0 => 212740)
--- branches/safari-603-branch/LayoutTests/fast/css/selector-text-mutation-crash.html (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/css/selector-text-mutation-crash.html 2017-02-21 20:57:03 UTC (rev 212740)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style id=s>
+body[foo] [id=d] { color: green };
+</style>
+<body>
+<div id=d>PASS</div>
+<script>
+d.offsetLeft;
+s.sheet.cssRules.item(0).selectorText = "body[foo]";
+document.body.setAttribute("foo", "foo");
+</script>
Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (212739 => 212740)
--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-02-21 20:15:11 UTC (rev 212739)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-02-21 20:57:03 UTC (rev 212740)
@@ -1,3 +1,25 @@
+2017-02-21 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r212737. rdar://problem/30636274
+
+ 2017-02-21 Antti Koivisto <an...@apple.com>
+
+ REGRESSION(r207669): Crash after mutating selector text
+ https://bugs.webkit.org/show_bug.cgi?id=168655
+ <rdar://problem/30632111>
+
+ Reviewed by Brent Fulgham.
+
+ Test: fast/css/selector-text-mutation-crash.html
+
+ * style/StyleScope.cpp:
+ (WebCore::Style::Scope::scheduleUpdate):
+
+ Clear the style resolver immediately if style sheet content changes. The resolver may
+ have data structures that point to the old sheet contents.
+
+ The resolver would get wiped anyway when the scheduled update actually occurs.
+
2017-02-17 JF Bastien <jfbast...@apple.com>
A/B test concurrent GC
Modified: branches/safari-603-branch/Source/WebCore/style/StyleScope.cpp (212739 => 212740)
--- branches/safari-603-branch/Source/WebCore/style/StyleScope.cpp 2017-02-21 20:15:11 UTC (rev 212739)
+++ branches/safari-603-branch/Source/WebCore/style/StyleScope.cpp 2017-02-21 20:57:03 UTC (rev 212740)
@@ -529,6 +529,9 @@
void Scope::scheduleUpdate(UpdateType update)
{
+ if (update == UpdateType::ContentsOrInterpretation)
+ clearResolver();
+
if (!m_pendingUpdate || *m_pendingUpdate < update) {
m_pendingUpdate = update;
if (m_shadowRoot)
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
