Diff
Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (92939 => 92940)
--- branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-08-12 06:14:06 UTC (rev 92940)
@@ -1,5 +1,22 @@
2011-08-11 Lucas Forschler <[email protected]>
+ Merged 91965
+
+ 2011-07-28 Anders Carlsson <[email protected]>
+
+ Unreviewed, rolling out r88601. (Requested by Sam Weinig).
+ http://trac.webkit.org/changeset/88601
+ https://bugs.webkit.org/show_bug.cgi?id=62230
+
+ Caused a regression, see https://bugs.webkit.org/show_bug.cgi?id=64378
+
+ * fast/dom/body-link-decl-parent-crash-expected.txt: Removed.
+ * fast/dom/body-link-decl-parent-crash.html: Removed.
+ * fast/dom/styled-inline-style-decl-parent-crash-expected.txt: Removed.
+ * fast/dom/styled-inline-style-decl-parent-crash.html: Removed.
+
+2011-08-11 Lucas Forschler <[email protected]>
+
Merged 91908
2011-07-27 Ryosuke Niwa <[email protected]>
Deleted: branches/safari-534.51-branch/LayoutTests/fast/dom/body-link-decl-parent-crash-expected.txt (92939 => 92940)
--- branches/safari-534.51-branch/LayoutTests/fast/dom/body-link-decl-parent-crash-expected.txt 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/LayoutTests/fast/dom/body-link-decl-parent-crash-expected.txt 2011-08-12 06:14:06 UTC (rev 92940)
@@ -1,5 +0,0 @@
-Test passes if it does not crash.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Deleted: branches/safari-534.51-branch/LayoutTests/fast/dom/body-link-decl-parent-crash.html (92939 => 92940)
--- branches/safari-534.51-branch/LayoutTests/fast/dom/body-link-decl-parent-crash.html 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/LayoutTests/fast/dom/body-link-decl-parent-crash.html 2011-08-12 06:14:06 UTC (rev 92940)
@@ -1,27 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=""
-</head>
-<body>
-Test passes if it does not crash.
-<div id="console"></div>
-<script>
-if (window.layoutTestController)
- layoutTestController.dumpAsText();
-
-iframe1 = document.createElement('iframe');
-document.body.appendChild(iframe1);
-document1 = iframe1.contentDocument.implementation.createHTMLDocument("document");
-var body1 = document1.body;
-document1.alinkColor = "blue";
-document1.body = document1.createElement('body');
-delete document1;
-gc();
-body1.vLink = 1;
-
-var successfullyParsed = true;
-</script>
-<script src=""
-</body>
-</html>
Deleted: branches/safari-534.51-branch/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash-expected.txt (92939 => 92940)
--- branches/safari-534.51-branch/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash-expected.txt 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash-expected.txt 2011-08-12 06:14:06 UTC (rev 92940)
@@ -1,5 +0,0 @@
-Test passes if it does not crash.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Deleted: branches/safari-534.51-branch/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash.html (92939 => 92940)
--- branches/safari-534.51-branch/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash.html 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash.html 2011-08-12 06:14:06 UTC (rev 92940)
@@ -1,28 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=""
-</head>
-<body>
-Test passes if it does not crash.
-<div id="console"></div>
-<script>
-if (window.layoutTestController)
- layoutTestController.dumpAsText();
-
-iframe1 = document.createElement('iframe');
-document.body.appendChild(iframe1);
-document1 = iframe1.contentDocument.implementation.createHTMLDocument("document");
-var div1 = document1.createElement('div');
-document1.body.appendChild(div1);
-div1.style.color = "blue";
-document1.body.removeChild(div1);
-delete document1;
-gc();
-div1.style.color = "red";
-
-var successfullyParsed = true;
-</script>
-<script src=""
-</body>
-</html>
Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (92939 => 92940)
--- branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-08-12 06:14:06 UTC (rev 92940)
@@ -1,5 +1,25 @@
2011-08-11 Lucas Forschler <[email protected]>
+ Merged 91965
+
+ 2011-07-28 Anders Carlsson <[email protected]>
+
+ Unreviewed, rolling out r88601. (Requested by Sam Weinig).
+ http://trac.webkit.org/changeset/88601
+ https://bugs.webkit.org/show_bug.cgi?id=62230
+
+ Caused a regression, see https://bugs.webkit.org/show_bug.cgi?id=64378
+
+ * dom/StyledElement.cpp:
+ * dom/StyledElement.h:
+ * html/HTMLBodyElement.cpp:
+ (WebCore::HTMLBodyElement::parseMappedAttribute):
+ (WebCore::HTMLBodyElement::insertedIntoDocument):
+ (WebCore::HTMLBodyElement::didMoveToNewOwnerDocument):
+ * html/HTMLBodyElement.h:
+
+2011-08-11 Lucas Forschler <[email protected]>
+
Merged 91908
2011-07-27 Ryosuke Niwa <[email protected]>
Modified: branches/safari-534.51-branch/Source/WebCore/dom/StyledElement.cpp (92939 => 92940)
--- branches/safari-534.51-branch/Source/WebCore/dom/StyledElement.cpp 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/Source/WebCore/dom/StyledElement.cpp 2011-08-12 06:14:06 UTC (rev 92940)
@@ -439,22 +439,7 @@
style->addSubresourceStyleURLs(urls);
}
-void StyledElement::insertedIntoDocument()
-{
- Element::insertedIntoDocument();
- if (m_inlineStyleDecl)
- m_inlineStyleDecl->setParent(document()->elementSheet());
-}
-
-void StyledElement::removedFromDocument()
-{
- if (m_inlineStyleDecl)
- m_inlineStyleDecl->setParent(0);
-
- Element::removedFromDocument();
-}
-
void StyledElement::didMoveToNewOwnerDocument()
{
if (m_inlineStyleDecl)
Modified: branches/safari-534.51-branch/Source/WebCore/dom/StyledElement.h (92939 => 92940)
--- branches/safari-534.51-branch/Source/WebCore/dom/StyledElement.h 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/Source/WebCore/dom/StyledElement.h 2011-08-12 06:14:06 UTC (rev 92940)
@@ -84,8 +84,6 @@
// svgAttributeChanged (called when element.className.baseValue is set)
void classAttributeChanged(const AtomicString& newClassString);
- virtual void insertedIntoDocument();
- virtual void removedFromDocument();
virtual void didMoveToNewOwnerDocument();
private:
Modified: branches/safari-534.51-branch/Source/WebCore/html/HTMLBodyElement.cpp (92939 => 92940)
--- branches/safari-534.51-branch/Source/WebCore/html/HTMLBodyElement.cpp 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/Source/WebCore/html/HTMLBodyElement.cpp 2011-08-12 06:14:06 UTC (rev 92940)
@@ -116,13 +116,6 @@
} else if (attr->name() == vlinkAttr ||
attr->name() == alinkAttr ||
attr->name() == linkAttr) {
- // This tells us that we are removed from document. If our document is later destroyed
- // (not deleted since we hold a guardRef), our stylesheet list will be null causing a crash
- // later in document()->styleSelector(). So, we bail out early because we shouldn't be
- // modifying anything in that document. See webkit bug 62230.
- if (m_linkDecl && !m_linkDecl->parent())
- return;
-
if (attr->isNull()) {
if (attr->name() == linkAttr)
document()->resetLinkColor();
@@ -209,27 +202,8 @@
if (document() && document()->page())
document()->page()->updateViewportArguments();
-
- if (m_linkDecl)
- m_linkDecl->setParent(document()->elementSheet());
}
-void HTMLBodyElement::removedFromDocument()
-{
- if (m_linkDecl)
- m_linkDecl->setParent(0);
-
- HTMLElement::removedFromDocument();
-}
-
-void HTMLBodyElement::didMoveToNewOwnerDocument()
-{
- if (m_linkDecl)
- m_linkDecl->setParent(document()->elementSheet());
-
- HTMLElement::didMoveToNewOwnerDocument();
-}
-
bool HTMLBodyElement::isURLAttribute(Attribute *attr) const
{
return attr->name() == backgroundAttr;
@@ -371,4 +345,16 @@
addSubresourceURL(urls, document()->completeURL(getAttribute(backgroundAttr)));
}
+void HTMLBodyElement::didMoveToNewOwnerDocument()
+{
+ // When moving body elements between documents, we should have to reset the parent sheet for any
+ // link style declarations. If we don't we might crash later.
+ // In practice I can't reproduce this theoretical problem.
+ // webarchive/adopt-attribute-styled-body-webarchive.html tries to make sure this crash won't surface.
+ if (m_linkDecl)
+ m_linkDecl->setParent(document()->elementSheet());
+
+ HTMLElement::didMoveToNewOwnerDocument();
+}
+
} // namespace WebCore
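Review bot: With this rollout `didMoveToNewOwnerDocument()` is the only remaining place that re-parents `m_linkDecl`, so a body that is removed from its document keeps the old element sheet as parent. The early return in `parseMappedAttribute` that covered that case (the hunk at -116) is gone. The removed comment there describes the outcome as a crash in `document()->styleSelector()` once the document is destroyed (bug 62230), so that path is presumably reachable again on this branch, and `m_inlineStyleDecl` in the StyledElement.cpp hunk is in the same position. Both regression tests for it are deleted in the same revision, which drops the coverage along with the fix; I would keep them in the tree under a skipped or expected-failure entry until a replacement fix lands. The restored comment also still says the problem cannot be reproduced, which the deleted tests appear to contradict; something like `// FIXME: r88601 rolled out (bug 64378); the detached-body case from bug 62230 is unguarded again.` would leave the next reader an accurate picture.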
Modified: branches/safari-534.51-branch/Source/WebCore/html/HTMLBodyElement.h (92939 => 92940)
--- branches/safari-534.51-branch/Source/WebCore/html/HTMLBodyElement.h 2011-08-12 06:10:02 UTC (rev 92939)
+++ branches/safari-534.51-branch/Source/WebCore/html/HTMLBodyElement.h 2011-08-12 06:14:06 UTC (rev 92940)
@@ -74,8 +74,6 @@
virtual void parseMappedAttribute(Attribute*);
virtual void insertedIntoDocument();
- virtual void removedFromDocument();
- virtual void didMoveToNewOwnerDocument();
void createLinkDecl();
@@ -93,6 +91,8 @@
virtual int scrollWidth() const;
virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
+
+ virtual void didMoveToNewOwnerDocument();
RefPtr<CSSMutableStyleDeclaration> m_linkDecl;
};