Title: [213051] releases/WebKitGTK/webkit-2.16
- Revision: 213051
- Author: [email protected]
- Date: 2017-02-27 05:57:24 -0800 (Mon, 27 Feb 2017)
Log Message
Merge r212828 - REGRESSION(r207669): Crash after mutating selector text
https://bugs.webkit.org/show_bug.cgi?id=168655
<rdar://problem/30632111>
Reviewed by Andreas Kling.
Source/WebCore:
Test: fast/css/selector-text-mutation-crash.html
* style/StyleScope.cpp:
(WebCore::Style::Scope::resolver):
(WebCore::Style::Scope::updateStyleResolver):
Protect against entering scheduleUpdate and wiping style resolver while updating it.
Extension stylesheets can trigger this.
(WebCore::Style::Scope::scheduleUpdate):
Clear the style resolver immediately if style sheet content changes. The resolver may
have data structures that point to the old sheet contents.
The resolver would get wiped anyway when the scheduled update actually occurs.
* style/StyleScope.h:
LayoutTests:
* fast/css/selector-text-mutation-crash-expected.txt: Added.
* fast/css/selector-text-mutation-crash.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (213050 => 213051)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-02-27 13:45:11 UTC (rev 213050)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-02-27 13:57:24 UTC (rev 213051)
@@ -1,3 +1,14 @@
+2017-02-22 Antti Koivisto <[email protected]>
+
+ REGRESSION(r207669): Crash after mutating selector text
+ https://bugs.webkit.org/show_bug.cgi?id=168655
+ <rdar://problem/30632111>
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/selector-text-mutation-crash-expected.txt: Added.
+ * fast/css/selector-text-mutation-crash.html: Added.
+
2017-02-22 Carlos Garcia Campos <[email protected]>
[GTK] Test fast/events/message-port-postMessage-recursive.html times out
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt (0 => 213051)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/selector-text-mutation-crash-expected.txt 2017-02-27 13:57:24 UTC (rev 213051)
@@ -0,0 +1 @@
+PASS
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/selector-text-mutation-crash.html (0 => 213051)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/selector-text-mutation-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/selector-text-mutation-crash.html 2017-02-27 13:57:24 UTC (rev 213051)
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style id=s>
+body[foo] [id=d] { color: green };
+</style>
+<body>
+<div id=d>PASS</div>
+<script>
+d.offsetLeft;
+s.sheet.cssRules.item(0).selectorText = "body[foo]";
+document.body.setAttribute("foo", "foo");
+</script>
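Review bot: The script block covers only the selectorText mutation path; the extension-stylesheet re-entrancy that the ChangeLog gives as the reason for the m_isUpdatingStyleResolver guard has no test here, so that branch lands unexercised. Two smaller points in the same file: the `};` in the style block leaves a stray semicolon after the rule, and a one-line comment saying that `d.offsetLeft` forces a style resolve before the selector is rewritten would make the crash sequence obvious to the next person who edits the test.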
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (213050 => 213051)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-02-27 13:45:11 UTC (rev 213050)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-02-27 13:57:24 UTC (rev 213051)
@@ -1,3 +1,29 @@
+2017-02-22 Antti Koivisto <[email protected]>
+
+ REGRESSION(r207669): Crash after mutating selector text
+ https://bugs.webkit.org/show_bug.cgi?id=168655
+ <rdar://problem/30632111>
+
+ Reviewed by Andreas Kling.
+
+ Test: fast/css/selector-text-mutation-crash.html
+
+ * style/StyleScope.cpp:
+ (WebCore::Style::Scope::resolver):
+ (WebCore::Style::Scope::updateStyleResolver):
+
+ Protect against entering scheduleUpdate and wiping style resolver while updating it.
+ Extension stylesheets can trigger this.
+
+ (WebCore::Style::Scope::scheduleUpdate):
+
+ Clear the style resolver immediately if style sheet content changes. The resolver may
+ have data structures that point to the old sheet contents.
+
+ The resolver would get wiped anyway when the scheduled update actually occurs.
+
+ * style/StyleScope.h:
+
2017-02-08 Sergio Villar Senin <[email protected]>
[css-grid] Move the track sizing algorithm to its own class
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/style/StyleScope.cpp (213050 => 213051)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/style/StyleScope.cpp 2017-02-27 13:45:11 UTC (rev 213050)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/style/StyleScope.cpp 2017-02-27 13:57:24 UTC (rev 213051)
@@ -48,6 +48,7 @@
#include "UserContentController.h"
#include "UserContentURLPattern.h"
#include "UserStyleSheet.h"
+#include <wtf/SetForScope.h>
namespace WebCore {
@@ -91,6 +92,7 @@
return m_document.userAgentShadowTreeStyleResolver();
if (!m_resolver) {
+ SetForScope<bool> isUpdatingStyleResolver { m_isUpdatingStyleResolver, true };
m_resolver = std::make_unique<StyleResolver>(m_document);
m_resolver->appendAuthorStyleSheets(m_activeStyleSheets);
}
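Review bot: In resolver(), m_resolver is assigned before appendAuthorStyleSheets() runs, so a re-entrant call to resolver() during the append (the extension-stylesheet path the guard exists for) sees a non-null resolver that is only partly populated. Consider building into a local std::unique_ptr, appending, and then moving it into m_resolver, or add a comment stating why a partly built resolver is acceptable to re-entrant callers.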
@@ -451,6 +453,7 @@
}
auto& styleResolver = resolver();
+ SetForScope<bool> isUpdatingStyleResolver { m_isUpdatingStyleResolver, true };
if (updateType == Reset) {
styleResolver.ruleSets().resetAuthorStyle();
styleResolver.appendAuthorStyleSheets(activeStyleSheets);
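Review bot: The guard in updateStyleResolver() is what keeps the `styleResolver` reference taken on the line above from dangling if scheduleUpdate() is entered during the append, but nothing at this site says so; the only explanation is the FIXME in scheduleUpdate(). A short comment next to the SetForScope naming the reference it protects would stop someone from narrowing or removing the guard later.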
@@ -521,6 +524,10 @@
void Scope::scheduleUpdate(UpdateType update)
{
+ // FIXME: The m_isUpdatingStyleResolver test is here because extension stylesheets can get us here from StyleResolver::appendAuthorStyleSheets.
+ if (update == UpdateType::ContentsOrInterpretation && !m_isUpdatingStyleResolver)
+ clearResolver();
+
if (!m_pendingUpdate || *m_pendingUpdate < update) {
m_pendingUpdate = update;
if (m_shadowRoot)
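Review bot: In scheduleUpdate(), when m_isUpdatingStyleResolver is true the ContentsOrInterpretation clear is skipped, so the resolver being built keeps any pointers it already took into the old sheet contents until the pending update runs. The comment should state why that window is safe, or the skipped clear should be recorded and performed when the guard is released. The FIXME also has no bug link, so nothing tracks removing the workaround.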
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/style/StyleScope.h (213050 => 213051)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/style/StyleScope.h 2017-02-27 13:45:11 UTC (rev 213050)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/style/StyleScope.h 2017-02-27 13:57:24 UTC (rev 213051)
@@ -161,6 +161,7 @@
String m_selectedStylesheetSetName;
bool m_usesStyleBasedEditability { false };
+ bool m_isUpdatingStyleResolver { false };
};
inline void Scope::flushPendingUpdate()