Title: [212865] tags/Safari-604.1.7
- Revision
- 212865
- Author
- [email protected]
- Date
- 2017-02-22 17:05:26 -0800 (Wed, 22 Feb 2017)
Log Message
Merge r212828. rdar://problem/30632111
Diff
Modified: tags/Safari-604.1.7/LayoutTests/ChangeLog (212864 => 212865)
--- tags/Safari-604.1.7/LayoutTests/ChangeLog 2017-02-23 01:05:20 UTC (rev 212864)
+++ tags/Safari-604.1.7/LayoutTests/ChangeLog 2017-02-23 01:05:26 UTC (rev 212865)
@@ -1,5 +1,20 @@
2017-02-22 Jason Marcell <[email protected]>
+ Merge r212828. rdar://problem/30632111
+
+ 2017-02-22 Antti Koivisto <[email protected]>
+
+ REGRESSION(r207669): Crash after mutating selector text
+ https://bugs.webkit.org/show_bug.cgi?id=168655
+ <rdar://problem/30632111>
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/selector-text-mutation-crash-expected.txt: Added.
+ * fast/css/selector-text-mutation-crash.html: Added.
+
+2017-02-22 Jason Marcell <[email protected]>
+
Merge r212841. rdar://problem/30352793
2017-02-22 Carlos Garcia Campos <[email protected]>
Added: tags/Safari-604.1.7/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt (0 => 212865)
--- tags/Safari-604.1.7/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt (rev 0)
+++ tags/Safari-604.1.7/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt 2017-02-23 01:05:26 UTC (rev 212865)
@@ -0,0 +1 @@
+PASS
Added: tags/Safari-604.1.7/LayoutTests/fast/css/selector-text-mutation-crash.html (0 => 212865)
--- tags/Safari-604.1.7/LayoutTests/fast/css/selector-text-mutation-crash.html (rev 0)
+++ tags/Safari-604.1.7/LayoutTests/fast/css/selector-text-mutation-crash.html 2017-02-23 01:05:26 UTC (rev 212865)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style id=s>
+body[foo] [id=d] { color: green };
+</style>
+<body>
+<div id=d>PASS</div>
+<script>
+d.offsetLeft;
+s.sheet.cssRules.item(0).selectorText = "body[foo]";
+document.body.setAttribute("foo", "foo");
+</script>
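Review bot: This test covers only the direct path, where `selectorText` is reassigned after a layout and an attribute change then forces style to be recomputed. The reentrant path that the WebCore ChangeLog attributes to extension stylesheets, which is what the `m_isUpdatingStyleResolver` guard exists for, is not exercised here. A read through a stale pointer does not always crash a release build, so the test is most reliable as a regression check when it also runs on an AddressSanitizer configuration. The stray `;` after the closing brace in `body[foo] [id=d] { color: green };` does not look necessary for the reproduction and could be dropped.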
Modified: tags/Safari-604.1.7/Source/WebCore/ChangeLog (212864 => 212865)
--- tags/Safari-604.1.7/Source/WebCore/ChangeLog 2017-02-23 01:05:20 UTC (rev 212864)
+++ tags/Safari-604.1.7/Source/WebCore/ChangeLog 2017-02-23 01:05:26 UTC (rev 212865)
@@ -1,5 +1,35 @@
2017-02-22 Jason Marcell <[email protected]>
+ Merge r212828. rdar://problem/30632111
+
+ 2017-02-22 Antti Koivisto <[email protected]>
+
+ REGRESSION(r207669): Crash after mutating selector text
+ https://bugs.webkit.org/show_bug.cgi?id=168655
+ <rdar://problem/30632111>
+
+ Reviewed by Andreas Kling.
+
+ Test: fast/css/selector-text-mutation-crash.html
+
+ * style/StyleScope.cpp:
+ (WebCore::Style::Scope::resolver):
+ (WebCore::Style::Scope::updateStyleResolver):
+
+ Protect against entering scheduleUpdate and wiping style resolver while updating it.
+ Extension stylesheets can trigger this.
+
+ (WebCore::Style::Scope::scheduleUpdate):
+
+ Clear the style resolver immediately if style sheet content changes. The resolver may
+ have data structures that point to the old sheet contents.
+
+ The resolver would get wiped anyway when the scheduled update actually occurs.
+
+ * style/StyleScope.h:
+
+2017-02-22 Jason Marcell <[email protected]>
+
Merge r212841. rdar://problem/30352793
2017-02-22 Carlos Garcia Campos <[email protected]>
Modified: tags/Safari-604.1.7/Source/WebCore/style/StyleScope.cpp (212864 => 212865)
--- tags/Safari-604.1.7/Source/WebCore/style/StyleScope.cpp 2017-02-23 01:05:20 UTC (rev 212864)
+++ tags/Safari-604.1.7/Source/WebCore/style/StyleScope.cpp 2017-02-23 01:05:26 UTC (rev 212865)
@@ -48,6 +48,7 @@
#include "UserContentController.h"
#include "UserContentURLPattern.h"
#include "UserStyleSheet.h"
+#include <wtf/SetForScope.h>
namespace WebCore {
@@ -91,6 +92,7 @@
return m_document.userAgentShadowTreeStyleResolver();
if (!m_resolver) {
+ SetForScope<bool> isUpdatingStyleResolver { m_isUpdatingStyleResolver, true };
m_resolver = std::make_unique<StyleResolver>(m_document);
m_resolver->appendAuthorStyleSheets(m_activeStyleSheets);
}
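Review bot: The `SetForScope` guard added inside `if (!m_resolver)` has no comment saying what it protects against; the only explanation is the FIXME in `scheduleUpdate`, two hunks further down. A line such as `// appendAuthorStyleSheets() can re-enter scheduleUpdate(); keep it from clearing m_resolver while it is being populated.` above the guard would make that dependency visible. The same comment fits the guard added in the next hunk (`updateStyleResolver`). The function starts outside this hunk, so the paths before the early return are not visible here.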
@@ -451,6 +453,7 @@
}
auto& styleResolver = resolver();
+ SetForScope<bool> isUpdatingStyleResolver { m_isUpdatingStyleResolver, true };
if (updateType == Reset) {
styleResolver.ruleSets().resetAuthorStyle();
styleResolver.appendAuthorStyleSheets(activeStyleSheets);
@@ -521,6 +524,10 @@
void Scope::scheduleUpdate(UpdateType update)
{
+ // FIXME: The m_isUpdatingStyleResolver test is here because extension stylesheets can get us here from StyleResolver::appendAuthorStyleSheets.
+ if (update == UpdateType::ContentsOrInterpretation && !m_isUpdatingStyleResolver)
+ clearResolver();
+
if (!m_pendingUpdate || *m_pendingUpdate < update) {
m_pendingUpdate = update;
if (m_shadowRoot)
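Review bot: `clearResolver()` now runs synchronously inside `scheduleUpdate`, so a caller that holds the `StyleResolver&` returned by `resolver()` across code that can reach `scheduleUpdate(UpdateType::ContentsOrInterpretation)` would be left with a dangling reference unless `m_isUpdatingStyleResolver` is set. Only the two sites guarded in this commit are protected; other holders of that reference are not visible in this diff and should be audited. When the flag is set the clear is skipped, which presumably leaves the resolver referring to the old sheet contents until the pending update runs. The FIXME should say so, e.g. `// While the resolver is being updated it cannot be cleared here; it may reference old sheet contents until the pending update rebuilds it.` The function body continues past the end of the hunk.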
Modified: tags/Safari-604.1.7/Source/WebCore/style/StyleScope.h (212864 => 212865)
--- tags/Safari-604.1.7/Source/WebCore/style/StyleScope.h 2017-02-23 01:05:20 UTC (rev 212864)
+++ tags/Safari-604.1.7/Source/WebCore/style/StyleScope.h 2017-02-23 01:05:26 UTC (rev 212865)
@@ -161,6 +161,7 @@
String m_selectedStylesheetSetName;
bool m_usesStyleBasedEditability { false };
+ bool m_isUpdatingStyleResolver { false };
};
inline void Scope::flushPendingUpdate()