Modified: trunk/LayoutTests/ChangeLog (93226 => 93227)
--- trunk/LayoutTests/ChangeLog 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/LayoutTests/ChangeLog 2011-08-17 18:29:24 UTC (rev 93227)
@@ -1,3 +1,15 @@
+2011-08-17 Abhishek Arya <[email protected]>
+
+ Tests that we do not crash when iterating through stylesheet
+ candidate list hashset.
+ https://bugs.webkit.org/show_bug.cgi?id=66335
+
+ Reviewed by Simon Fraser.
+
+ * svg/dom/resources/stylesheet-candidate-node-crash.svg: Added.
+ * svg/dom/stylesheet-candidate-node-crash-main-expected.txt: Added.
+ * svg/dom/stylesheet-candidate-node-crash-main.html: Added.
+
2011-08-17 Sam White <[email protected]>
AccessibilityObject levels are inconsistent
Added: trunk/LayoutTests/svg/dom/resources/stylesheet-candidate-node-crash.svg (0 => 93227)
--- trunk/LayoutTests/svg/dom/resources/stylesheet-candidate-node-crash.svg (rev 0)
+++ trunk/LayoutTests/svg/dom/resources/stylesheet-candidate-node-crash.svg 2011-08-17 18:29:24 UTC (rev 93227)
@@ -0,0 +1,8 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="test">
+<text id="test1">PASS</text>
+</g>
+<use id="test2" xlink:href=""
+<use xlink:href=""
+<set attributeName="font-style" to="italic"/>
+</svg>
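Review bot: The two `<use` start tags following `</g>` are never closed, so this resource is not well-formed XML; if that is deliberate (the crash presumably depends on the partial tree the XML parser leaves behind after the error) it should be stated, because a later cleanup that "fixes" the markup would silently stop reproducing bug 66335. If instead the closing `/>` and the attribute values were lost when this page was extracted, the committed file may differ from what is shown here. A one-line comment at the top such as `<!-- intentionally malformed: the unterminated <use> tags are needed to reproduce bug 66335 -->` would protect the test from well-meaning cleanup.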
Added: trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main-expected.txt (0 => 93227)
--- trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main-expected.txt 2011-08-17 18:29:24 UTC (rev 93227)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Added: trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main.html (0 => 93227)
--- trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main.html (rev 0)
+++ trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main.html 2011-08-17 18:29:24 UTC (rev 93227)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest() {
+ svgdoc = document.getElementById('root').contentDocument;
+ var style = document.createElement('style');
+ var test1 = svgdoc.getElementById('test1');
+ test1.appendChild(style);
+ svgdoc.getElementById('test2').setAttribute('xlink:href', 0);
+ svgdoc.getElementById('test').setAttribute('stroke', 0);
+}
+</script>
+<object data="" id="root" _onload_="runTest();" type="image/svg+xml"></object>
+</html>
+
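Review bot: `svgdoc` in runTest is assigned without `var`, so it leaks into the global scope; declare it as `var svgdoc = document.getElementById('root').contentDocument;`. The test also assumes `test1` and `test2` exist in the SVG document and would throw a TypeError rather than report a failure if they do not, which is acceptable for a crash test but worth a comment stating that only "does not crash" is asserted. As rendered here the object's `data=""` and the `_onload_` attribute look like extraction artifacts rather than the committed markup; if they are not, the SVG resource is never loaded and runTest never reaches the SVG nodes.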
Modified: trunk/Source/WebCore/ChangeLog (93226 => 93227)
--- trunk/Source/WebCore/ChangeLog 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/Source/WebCore/ChangeLog 2011-08-17 18:29:24 UTC (rev 93227)
@@ -1,3 +1,26 @@
+2011-08-17 Abhishek Arya <[email protected]>
+
+ Crash in Document::recalcStyleSelector
+ https://bugs.webkit.org/show_bug.cgi?id=66335
+
+ Reviewed by Simon Fraser.
+
+ When node is getting destroyed and its removedFromDocument
+ is not called due to entire document structure torn down(using
+ removeAllChildren), make sure to clear out the stylesheet
+ candidate node from document's structures in its destructor.
+
+ Test: svg/dom/stylesheet-candidate-node-crash-main.html
+
+ * dom/ProcessingInstruction.cpp:
+ (WebCore::ProcessingInstruction::~ProcessingInstruction):
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::~HTMLLinkElement):
+ * html/HTMLStyleElement.cpp:
+ (WebCore::HTMLStyleElement::~HTMLStyleElement):
+ * svg/SVGStyleElement.cpp:
+ (WebCore::SVGStyleElement::~SVGStyleElement):
+
2011-08-17 Sam White <[email protected]>
AccessibilityObject levels are inconsistent
Modified: trunk/Source/WebCore/dom/ProcessingInstruction.cpp (93226 => 93227)
--- trunk/Source/WebCore/dom/ProcessingInstruction.cpp 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/Source/WebCore/dom/ProcessingInstruction.cpp 2011-08-17 18:29:24 UTC (rev 93227)
@@ -62,6 +62,9 @@
if (m_cachedSheet)
m_cachedSheet->removeClient(this);
+
+ if (inDocument())
+ document()->removeStyleSheetCandidateNode(this);
}
void ProcessingInstruction::setData(const String& data, ExceptionCode&)
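Review bot: The added `if (inDocument()) document()->removeStyleSheetCandidateNode(this);` dereferences `document()` from a destructor, which is only safe because the Document outlives its children while `removeAllChildren()` runs; that assumption is undocumented, and a node whose in-document flag was left set but whose document is already gone would read through a stale pointer here. I'd put above the check: `// Nodes deleted by Document::removeAllChildren() never see removedFromDocument(), so unregister here or m_styleSheetCandidateNodes keeps a dangling pointer that recalcStyleSelector() will dereference.` The destructor's signature and first lines are outside the hunk, so I cannot see whether anything earlier already touches the document.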
Modified: trunk/Source/WebCore/dom/StyleElement.cpp (93226 => 93227)
--- trunk/Source/WebCore/dom/StyleElement.cpp 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/Source/WebCore/dom/StyleElement.cpp 2011-08-17 18:29:24 UTC (rev 93227)
@@ -84,6 +84,15 @@
document->styleSelectorChanged(DeferRecalcStyle);
}
+void StyleElement::clearDocumentData(Document* document, Element* element)
+{
+ if (m_sheet)
+ m_sheet->clearOwnerNode();
+
+ if (element->inDocument())
+ document->removeStyleSheetCandidateNode(element);
+}
+
void StyleElement::childrenChanged(Element* element)
{
ASSERT(element);
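Review bot: `clearDocumentData` carries no comment saying when it must be called or why it exists alongside `removedFromDocument`, which the changelog says is skipped when a subtree is dropped via removeAllChildren. I'd add above the definition: `// Called from the owning element's destructor. When a document is torn down with removeAllChildren(), removedFromDocument() is never run, so without this the element would stay in Document::m_styleSheetCandidateNodes as a dangling pointer and be dereferenced by recalcStyleSelector().` Separately, if `removeStyleSheetCandidateNode` tolerates a node that is not in the set, dropping the `element->inDocument()` guard would also cover any path that clears the in-document flag without unregistering; if it does not tolerate that, the guard should stay and a comment should say so.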
Modified: trunk/Source/WebCore/dom/StyleElement.h (93226 => 93227)
--- trunk/Source/WebCore/dom/StyleElement.h 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/Source/WebCore/dom/StyleElement.h 2011-08-17 18:29:24 UTC (rev 93227)
@@ -45,6 +45,7 @@
void insertedIntoDocument(Document*, Element*);
void removedFromDocument(Document*, Element*);
+ void clearDocumentData(Document*, Element*);
void childrenChanged(Element*);
void finishParsingChildren(Element*);
Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (93226 => 93227)
--- trunk/Source/WebCore/html/HTMLLinkElement.cpp 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp 2011-08-17 18:29:24 UTC (rev 93227)
@@ -78,6 +78,9 @@
m_cachedSheet->removeClient(this);
removePendingSheet();
}
+
+ if (inDocument())
+ document()->removeStyleSheetCandidateNode(this);
}
void HTMLLinkElement::setDisabled(bool disabled)
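Review bot: The new unregistration runs after `removePendingSheet()`, which decrements the document's pending-sheet count and, if that reaches zero, can presumably trigger a synchronous style-selector update; during such an update `this` would still be in the candidate set while its destructor is mid-execution. Moving the two added lines above the `if (m_cachedSheet)` block closes that window, since `removeStyleSheetCandidateNode` only needs `inDocument()` and `document()`, both of which are still valid at the top of the destructor. The destructor's opening lines are outside the hunk, so I cannot confirm whether something earlier already relies on the current ordering.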
Modified: trunk/Source/WebCore/html/HTMLStyleElement.cpp (93226 => 93227)
--- trunk/Source/WebCore/html/HTMLStyleElement.cpp 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/Source/WebCore/html/HTMLStyleElement.cpp 2011-08-17 18:29:24 UTC (rev 93227)
@@ -44,8 +44,7 @@
HTMLStyleElement::~HTMLStyleElement()
{
- if (m_sheet)
- m_sheet->clearOwnerNode();
+ StyleElement::clearDocumentData(document(), this);
}
PassRefPtr<HTMLStyleElement> HTMLStyleElement::create(const QualifiedName& tagName, Document* document, bool createdByParser)
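Review bot: The qualified call `StyleElement::clearDocumentData(document(), this)` reads like an ordinary helper invocation, but the reason it must live in this destructor rather than in StyleElement's own is not stated: StyleElement is presumably a non-Node mixin that cannot reach the element or its document by itself, and by the time its destructor ran the HTMLStyleElement subobject would already be gone. A one-line comment such as `// Must run while this is still an HTMLStyleElement: StyleElement has no Node of its own to unregister.` would stop someone from "simplifying" it into the base destructor.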
Modified: trunk/Source/WebCore/svg/SVGStyleElement.cpp (93226 => 93227)
--- trunk/Source/WebCore/svg/SVGStyleElement.cpp 2011-08-17 18:28:02 UTC (rev 93226)
+++ trunk/Source/WebCore/svg/SVGStyleElement.cpp 2011-08-17 18:29:24 UTC (rev 93227)
@@ -43,8 +43,7 @@
SVGStyleElement::~SVGStyleElement()
{
- if (m_sheet)
- m_sheet->clearOwnerNode();
+ StyleElement::clearDocumentData(document(), this);
}
PassRefPtr<SVGStyleElement> SVGStyleElement::create(const QualifiedName& tagName, Document* document, bool createdByParser)
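Review bot: This destructor change is not exercised by the added test: stylesheet-candidate-node-crash-main.html creates its element with `document.createElement('style')` on the HTML page, which presumably yields an HTMLStyleElement even after it is appended into the SVG document, so only the HTMLStyleElement path is covered. A sibling test that creates the element via `svgdoc.createElementNS('http://www.w3.org/2000/svg', 'style')` would cover this destructor, and nothing in the test touches the HTMLLinkElement or ProcessingInstruction paths either.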