Title: [214360] trunk
Revision
214360
Author
[email protected]
Date
2017-03-24 11:39:28 -0700 (Fri, 24 Mar 2017)

Log Message

Handle recursive calls to ProcessingInstruction::checkStyleSheet
https://bugs.webkit.org/show_bug.cgi?id=169982
<rdar://problem/31083051>

Reviewed by Antti Koivisto.

Source/WebCore:

See if we triggered a recursive load of the stylesheet during the 'beforeload'
event handler. If so, reset to a valid state before completing the load.

We should also check after 'beforeload' that we were not disconnected from (or
moved to a new) document.

I also looked for other cases of this pattern and fixed them.

Tests: fast/dom/beforeload/image-removed-during-before-load.html
       fast/dom/beforeload/recursive-css-pi-before-load.html
       fast/dom/beforeload/recursive-link-before-load.html
       fast/dom/beforeload/recursive-xsl-pi-before-load.html

* dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::clearExistingCachedSheet): Added.
(WebCore::ProcessingInstruction::checkStyleSheet): Reset to valid state
if necessary after the 'beforeload' handler. Also, safely handle the case where
the element was disconnected in the 'beforeload' handler (similar to what
we do in HTMLLinkElement).
(WebCore::ProcessingInstruction::setCSSStyleSheet): Drive-by Fix: Protect the
current document to match what we do in setXSLStyleSheet.
* dom/ProcessingInstruction.h:
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::selectMediaResource): Safely handle the case where
the element was disconnected in the 'beforeload' handler.
(WebCore::HTMLMediaElement::selectNextSourceChild): Ditto.
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::dispatchPendingBeforeLoadEvent): Ditto.

LayoutTests:

* fast/dom/beforeload/image-removed-during-before-load-expected.txt: Added.
* fast/dom/beforeload/image-removed-during-before-load.html: Added.
* fast/dom/beforeload/recursive-css-pi-before-load-expected.txt: Added.
* fast/dom/beforeload/recursive-css-pi-before-load.html: Added.
* fast/dom/beforeload/recursive-link-before-load-expected.txt: Added.
* fast/dom/beforeload/recursive-link-before-load.html: Added.
* fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt: Added.
* fast/dom/beforeload/recursive-xsl-pi-before-load.html: Added.
* fast/dom/beforeload/resources/content.xhtml: Added.
* fast/dom/beforeload/resources/pass.css: Added.
* fast/dom/beforeload/resources/test.xsl: Added.
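
The pattern this revision applies, as an added stand-alone illustration that is not WebKit code and not part of this commit: call out to the 'beforeload' listener under a scoped re-entrancy flag (the role WTF::SetForScope<bool> plays on m_isHandlingBeforeLoad), then re-validate that the node is still connected to the document it started in before registering a pending sheet. The Document and StyleNode types, the ScopedSet helper and the three scenario functions are this example's own inventions; WebKit's real classes are not used.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// RAII flag setter, the same idea as WTF::SetForScope (re-implemented so this builds without WebKit).
template <typename T> struct ScopedSet {
    ScopedSet(T& variable, T value) : m_variable(variable), m_original(variable) { m_variable = value; }
    ~ScopedSet() { m_variable = m_original; }
    T& m_variable;
    T m_original;
};

// Hypothetical Document: only tracks which nodes have a sheet in flight (StyleScope's pending-sheet set).
struct Document { std::vector<std::string> pendingSheets; };

// Hypothetical stand-in for ProcessingInstruction / HTMLLinkElement.
class StyleNode {
public:
    using Listener = std::function<void(StyleNode&)>;
    StyleNode(std::string id, Document* document) : m_id(std::move(id)), m_document(document) { }
    void setBeforeLoadListener(Listener listener) { m_beforeLoad = std::move(listener); }
    void remove() { m_document = nullptr; }             // disconnect from its document
    void moveTo(Document& document) { m_document = &document; }
    bool isConnected() const { return m_document != nullptr; }
    int loadsStarted() const { return m_loadsStarted; }
    int reentrantCallsDropped() const { return m_reentrantCallsDropped; }

    // Models checkStyleSheet(): dispatch 'beforeload', then register the load.
    void checkStyleSheet()
    {
        // Defence 1: a listener that re-triggers this path cannot start a second load mid-dispatch.
        if (m_isHandlingBeforeLoad) {
            ++m_reentrantCallsDropped;
            return;
        }
        if (!isConnected())
            return;
        Document* originalDocument = m_document;
        {
            ScopedSet<bool> change(m_isHandlingBeforeLoad, true);
            if (m_beforeLoad)
                m_beforeLoad(*this); // untrusted callout: may re-enter, remove or move this node
        }
        // Defence 2: re-validate before touching document state; the listener may have
        // disconnected the node or moved it to another document.
        if (!isConnected() || m_document != originalDocument)
            return;
        m_document->pendingSheets.push_back(m_id);
        ++m_loadsStarted;
    }

private:
    std::string m_id;
    Document* m_document;
    Listener m_beforeLoad;
    bool m_isHandlingBeforeLoad { false };
    int m_loadsStarted { 0 };
    int m_reentrantCallsDropped { 0 };
};

struct ReentryResult { int loadsStarted; int dropped; };

// Listener re-triggers the load (what `pi.data = ''` does in the new tests): one load, one dropped call.
ReentryResult reenteringListener()
{
    Document doc;
    StyleNode node("pi-1", &doc);
    node.setBeforeLoadListener([](StyleNode& n) { n.checkStyleSheet(); });
    node.checkStyleSheet();
    return { node.loadsStarted(), node.reentrantCallsDropped() };
}

// Listener removes the node: no pending sheet may be registered on the document.
std::size_t pendingSheetsAfterRemovingListener()
{
    Document doc;
    StyleNode node("pi-2", &doc);
    node.setBeforeLoadListener([](StyleNode& n) { n.remove(); });
    node.checkStyleSheet();
    return doc.pendingSheets.size();
}

// Listener moves the node to another document: neither document gets a pending sheet.
std::size_t pendingSheetsAfterMovingListener()
{
    Document docA, docB;
    StyleNode node("pi-3", &docA);
    node.setBeforeLoadListener([&docB](StyleNode& n) { n.moveTo(docB); });
    node.checkStyleSheet();
    return docA.pendingSheets.size() + docB.pendingSheets.size();
}

int main()
{
    ReentryResult r = reenteringListener();
    std::printf("re-entrant listener: loads=%d dropped=%d\n", r.loadsStarted, r.dropped);
    std::printf("removing listener: pending=%zu\n", pendingSheetsAfterRemovingListener());
    std::printf("moving listener: pending=%zu\n", pendingSheetsAfterMovingListener());
}
```

The second defence is the one that matters for memory safety: the flag only stops a nested load, it does not stop the listener from detaching the node, so anything that dereferences document state after the callout must re-check which document (if any) the node now belongs to.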

Diff

Modified: trunk/LayoutTests/ChangeLog (214359 => 214360)


--- trunk/LayoutTests/ChangeLog	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/LayoutTests/ChangeLog	2017-03-24 18:39:28 UTC (rev 214360)
@@ -1,3 +1,23 @@
+2017-03-24  Brent Fulgham  <[email protected]>
+
+        Handle recursive calls to ProcessingInstruction::checkStyleSheet
+        https://bugs.webkit.org/show_bug.cgi?id=169982
+        <rdar://problem/31083051>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/dom/beforeload/image-removed-during-before-load-expected.txt: Added.
+        * fast/dom/beforeload/image-removed-during-before-load.html: Added.
+        * fast/dom/beforeload/recursive-css-pi-before-load-expected.txt: Added.
+        * fast/dom/beforeload/recursive-css-pi-before-load.html: Added.
+        * fast/dom/beforeload/recursive-link-before-load-expected.txt: Added.
+        * fast/dom/beforeload/recursive-link-before-load.html: Added.
+        * fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt: Added.
+        * fast/dom/beforeload/recursive-xsl-pi-before-load.html: Added.
+        * fast/dom/beforeload/resources/content.xhtml: Added.
+        * fast/dom/beforeload/resources/pass.css: Added.
+        * fast/dom/beforeload/resources/test.xsl: Added.
+
 2017-03-24  Myles C. Maxfield  <[email protected]>
 
         font-style needs a new CSSValue to make CSSRule.cssText work correctly

Added: trunk/LayoutTests/fast/dom/beforeload/image-removed-during-before-load-expected.txt (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/image-removed-during-before-load-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/image-removed-during-before-load-expected.txt	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,5 @@
+This test confirms that image loading properly handles a 'beforeload' events that removes the image from the document. It passes if no debug assertions are fired.
+
+PASS: Hit the beforeload handler
+PASS
+PASS: No assertions hit.

Added: trunk/LayoutTests/fast/dom/beforeload/image-removed-during-before-load.html (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/image-removed-during-before-load.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/image-removed-during-before-load.html	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,42 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script src=""
+<script>
+function test()
+{
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+	image = document.createElement("img");
+    image.setAttribute("style", "display:none");
+	image.addEventListener("load", function() {
+        print('PASS', 'green');
+    }, { once: true });
+	image.addEventListener("beforeload", function() {
+        print('PASS: Hit the beforeload handler', 'green');
+        document.body.removeChild(image);
+        image = null;
+		setTimeout(step2, 0);
+	}, { once: true });
+	
+	document.body.appendChild(image);
+
+	image.setAttribute("src", "../../images/resources/test-load.jpg");
+}
+
+function step2()
+{
+    print("PASS: No assertions hit.", "green");
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+</head>
+<body _onload_="test()">
+<p>This test confirms that image loading properly handles a 'beforeload' events that removes the image from the document. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
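Review bot: the description text reads "handles a 'beforeload' events that removes" and should be "handles a 'beforeload' event that removes"; the same string is in image-removed-during-before-load-expected.txt, so both files need the fix. Style: test() mixes tab-indented lines (`image = document.createElement("img");`, the two addEventListener calls, `document.body.appendChild(image);`) with four-space ones, and `image` is an implicit global; declare it with `var` at script scope so the `image = null` in the listener is visibly intentional.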

Added: trunk/LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,4 @@
+This test confirms that CSS stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.
+
+PASS: No assertions hit.
+

Added: trunk/LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load.html (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load.html	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta http-equiv="pragma" content="no-cache"/>
+<meta http-equiv="expires" content="0"/>
+<script src=""
+<script>
+function test()
+{
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+	frame = document.createElement("iframe");
+	frame.setAttribute("src", "resources/content.xhtml");
+	frame.addEventListener("load", function(){
+		setTimeout(step2, 0);
+	}, { once: true });
+	
+	document.body.appendChild(frame);
+	
+	function step2(){
+		ins = 'href="" type="text/css"';
+		pi = frame.contentDocument.createProcessingInstruction('xml-stylesheet', ins);
+		pi.addEventListener("beforeload", function(){ pi.data = ''; }, { once: true });
+		frame.contentDocument.insertBefore(pi, frame.contentDocument.firstChild);
+		
+		frame.contentDocument.removeChild(pi);
+		pi = null;
+
+        print("PASS: No assertions hit.", "green");
+
+        if (window.testRunner)
+            testRunner.notifyDone();
+	}
+}
+</script>
+</head>
+<body _onload_="test()">
+<p>This test confirms that CSS stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
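Review bot: the listener that triggers the recursion (`pi.data = ''`) prints nothing, so the expected output cannot tell whether 'beforeload' fired at all; recursive-link-before-load.html prints "PASS: Beforeload handled." from its listener, and this test should do the same (and add the line to the -expected.txt), otherwise it passes even if the re-entrant path is never reached. Minor: `frame`, `ins` and `pi` are implicit globals; declare them with `var`.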

Added: trunk/LayoutTests/fast/dom/beforeload/recursive-link-before-load-expected.txt (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/recursive-link-before-load-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/recursive-link-before-load-expected.txt	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,5 @@
+This test confirms that link elements properly handled changes during 'beforeload' events. It passes if no debug assertions are fired.
+
+PASS: Beforeload handled.
+PASS: No assertions hit.
+

Added: trunk/LayoutTests/fast/dom/beforeload/recursive-link-before-load.html (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/recursive-link-before-load.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/recursive-link-before-load.html	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta http-equiv="pragma" content="no-cache"/>
+<meta http-equiv="expires" content="0"/>
+<script src=""
+<script>
+function test()
+{
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+	frame = document.createElement("iframe");
+	frame.setAttribute("src", "resources/content.xhtml");
+	frame.addEventListener("load", function(){
+		setTimeout(step2, 0);
+	}, { once: true });
+	
+	document.body.appendChild(frame);
+
+    var link;
+    var head;
+
+	function step2() {
+        head = frame.contentDocument.getElementsByTagName('head')[0];
+
+		link = frame.contentDocument.createElement('link');
+        link.type = 'text/css';
+        link.rel = 'stylesheet';
+    
+		link.addEventListener("beforeload", function() {
+            print("PASS: Beforeload handled.", "green");
+            link.href = '';
+            setTimeout(step3, 0);
+        }, { once: true });
+
+        link.href = '';
+
+        head.appendChild(link);
+	}
+
+    function step3() {		
+		head.removeChild(link);
+		link = null;
+
+        print("PASS: No assertions hit.", "green");
+
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+}
+</script>
+</head>
+<body _onload_="test()">
+<p>This test confirms that link elements properly handled changes during 'beforeload' events. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
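Review bot: `link.href` is assigned both before `head.appendChild(link)` and again inside the 'beforeload' listener; the second assignment is the deliberate re-entrancy trigger and deserves a one-line comment saying so, since it otherwise looks like a leftover. Style: step2/step3 mix tab-indented lines (`link = frame.contentDocument.createElement('link');`, `head.removeChild(link);`) with four-space ones, and `frame` is an implicit global while `link` and `head` are declared with `var`.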

Added: trunk/LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,4 @@
+This test confirms that XSL stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.
+
+PASS: No assertions hit.
+

Added: trunk/LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load.html (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load.html	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta http-equiv="pragma" content="no-cache"/>
+<meta http-equiv="expires" content="0"/>
+<script src=""
+<script>
+function test()
+{
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+	frame = document.createElement("iframe");
+	frame.setAttribute("src", "resources/content.xhtml");
+	frame.addEventListener("load", function(){
+		setTimeout(step2, 0);
+	}, { once: true });
+	
+	document.body.appendChild(frame);
+	
+	function step2(){
+		ins = 'href="" type="text/xsl"';
+		pi = frame.contentDocument.createProcessingInstruction('xml-stylesheet', ins);
+		pi.addEventListener("beforeload", function(){ pi.data = ''; }, { once: true });
+		frame.contentDocument.insertBefore(pi, frame.contentDocument.firstChild);
+		
+		frame.contentDocument.removeChild(pi);
+		pi = null;
+
+        print("PASS: No assertions hit.", "green");
+
+        if (window.testRunner)
+            testRunner.notifyDone();
+	}
+}
+</script>
+</head>
+<body _onload_="test()">
+<p>This test confirms that XSL stylesheets are properly handled if loaded during 'beforeload' events. It passes if no debug assertions are fired.</p>
+<div id="console"></div>
+</body>
+</html>
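Review bot: this file is identical to recursive-css-pi-before-load.html apart from `type="text/xsl"` and the description, so a shared script parameterised on the type would avoid maintaining two copies. More importantly, the XSL branch of ProcessingInstruction::checkStyleSheet is under `#if ENABLE(XSLT)`, so on a port built without XSLT this test exercises nothing and still prints "PASS: No assertions hit."; mark it Skip in the TestExpectations of such ports or note the dependency in the description.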

Added: trunk/LayoutTests/fast/dom/beforeload/resources/content.xhtml (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/resources/content.xhtml	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/resources/content.xhtml	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,8 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+hi
+</body>
+</html>
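Review bot: the XHTML 1.0 Frameset DTD is an odd choice for a document with no frameset; the Strict DTD (or no DOCTYPE at all) says what this file actually is and avoids a reader wondering whether frames were meant to be part of the test.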

Added: trunk/LayoutTests/fast/dom/beforeload/resources/pass.css (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/resources/pass.css	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/resources/pass.css	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,5 @@
+.block {
+  width: 100px;
+  height: 100px;
+  background-color: green;
+}
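Review bot: nothing in the tests as shown references resources/pass.css: the CSS PI test's `ins` string carries an empty `href=""` and the link test assigns `link.href = ''`. Either point those hrefs at resources/pass.css so a real sheet load completes behind the 'beforeload' handler (which is what the `.block` rule seems intended for), or drop the file.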

Added: trunk/LayoutTests/fast/dom/beforeload/resources/test.xsl (0 => 214360)


--- trunk/LayoutTests/fast/dom/beforeload/resources/test.xsl	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/beforeload/resources/test.xsl	2017-03-24 18:39:28 UTC (rev 214360)
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+	<xsl:output method="html"/>	
+	<xsl:template match="/">
+	<html>
+	<head>
+	</head>
+	<body>
+	    Test
+	</body>
+	</html>
+	</xsl:template>
+</xsl:stylesheet>
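Review bot: as with pass.css, no test shown here references resources/test.xsl (the XSL PI test's `ins` string has an empty `href=""`), so the transform is never fetched; either wire the href to it or drop the file.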

Modified: trunk/Source/WebCore/ChangeLog (214359 => 214360)


--- trunk/Source/WebCore/ChangeLog	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/ChangeLog	2017-03-24 18:39:28 UTC (rev 214360)
@@ -1,3 +1,40 @@
+2017-03-24  Brent Fulgham  <[email protected]>
+
+        Handle recursive calls to ProcessingInstruction::checkStyleSheet
+        https://bugs.webkit.org/show_bug.cgi?id=169982
+        <rdar://problem/31083051>
+
+        Reviewed by Antti Koivisto.
+
+        See if we triggered a recursive load of the stylesheet during the 'beforeload'
+        event handler. If so, reset to a valid state before completing the load.
+
+        We should also check after 'beforeload' that we were not disconnected from (or
+        moved to a new) document.
+
+        I also looked for other cases of this pattern and fixed them.
+
+        Tests: fast/dom/beforeload/image-removed-during-before-load.html
+               fast/dom/beforeload/recursive-css-pi-before-load.html
+               fast/dom/beforeload/recursive-link-before-load.html
+               fast/dom/beforeload/recursive-xsl-pi-before-load.html
+
+        * dom/ProcessingInstruction.cpp:
+        (WebCore::ProcessingInstruction::clearExistingCachedSheet): Added.
+        (WebCore::ProcessingInstruction::checkStyleSheet): Reset to valid state
+        if necessary after the 'beforeload' handler. Also, safely handle the case where
+        the element was disconnected in the 'beforeload' handler (similar to what
+        we do in HTMLLinkElement).
+        (WebCore::ProcessingInstruction::setCSSStyleSheet): Drive-by Fix: Protect the
+        current document to match what we do in setXSLStyleSheet.
+        * dom/ProcessingInstruction.h:
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::selectMediaResource): Safely handle the case where
+        the element was disconnected in the 'beforeload' handler.
+        (WebCore::HTMLMediaElement::selectNextSourceChild): Ditto.
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::dispatchPendingBeforeLoadEvent): Ditto.
+
 2017-03-24  Myles C. Maxfield  <[email protected]>
 
         font-style needs a new CSSValue to make CSSRule.cssText work correctly
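Review bot: the entry lists only dom/ProcessingInstruction.*, html/HTMLMediaElement.cpp and loader/ImageLoader.cpp, but the revision also modifies html/HTMLLinkElement.cpp and .h (new m_isHandlingBeforeLoad guard plus an ASSERT_WITH_SECURITY_IMPLICATION) and style/StyleScope.cpp and .h (new Scope::hasPendingSheet(const ProcessingInstruction&)); add entries for those four files so the ChangeLog matches the diff.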

Modified: trunk/Source/WebCore/dom/ProcessingInstruction.cpp (214359 => 214360)


--- trunk/Source/WebCore/dom/ProcessingInstruction.cpp	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/dom/ProcessingInstruction.cpp	2017-03-24 18:39:28 UTC (rev 214360)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2000 Peter Kelly ([email protected])
- * Copyright (C) 2006, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2013 Samsung Electronics. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -35,6 +35,7 @@
 #include "StyleSheetContents.h"
 #include "XMLDocumentParser.h"
 #include "XSLStyleSheet.h"
+#include <wtf/SetForScope.h>
 
 namespace WebCore {
 
@@ -80,6 +81,10 @@
 
 void ProcessingInstruction::checkStyleSheet()
 {
+    // Prevent recursive loading of stylesheet.
+    if (m_isHandlingBeforeLoad)
+        return;
+
     if (m_target == "xml-stylesheet" && document().frame() && parentNode() == &document()) {
         // see http://www.w3.org/TR/xml-stylesheet/
         // ### support stylesheet included in a fragment of this (or another) document
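Review bot: the early return silently discards a re-entrant checkStyleSheet(), so a change the 'beforeload' listener makes to the instruction (exactly what the new tests do with `pi.data = ''`) is never re-evaluated once the outer call resumes; the outer call continues with the `url` it computed before dispatching. If losing that update is the intended semantics, the comment "Prevent recursive loading of stylesheet." should say so; otherwise record that a re-check is needed and run it again after the SetForScope block.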
@@ -134,13 +139,25 @@
                 document().styleScope().removePendingSheet(*this);
             }
 
+            Ref<Document> originalDocument = document();
+
             String url = ""
+
+            {
+            SetForScope<bool> change(m_isHandlingBeforeLoad, true);
             if (!dispatchBeforeLoadEvent(url))
                 return;
+            }
 
+            bool didEventListenerDisconnectThisElement = !isConnected() || &document() != originalDocument.ptr();
+            if (didEventListenerDisconnectThisElement)
+                return;
+            
             m_loading = true;
             document().styleScope().addPendingSheet(*this);
 
+            ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet);
+
 #if ENABLE(XSLT)
             if (m_isXSL) {
                 auto options = CachedResourceLoader::defaultCachedResourceOptions();
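Review bot: the statements inside the bare brace block around dispatchBeforeLoadEvent() are at the same indentation as the braces; WebKit style indents a block's contents one level (same issue in HTMLLinkElement.cpp), and the blank line after the `didEventListenerDisconnectThisElement` return carries trailing whitespace. On substance, ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet) only fires in debug builds; a release build continues past it and starts a new load while a stale m_cachedSheet may still hold this node as a client. Since the m_isHandlingBeforeLoad guard is the only thing making the assertion true, prefer an unconditional clear (removeClient plus nullptr, which is what the ChangeLog's clearExistingCachedSheet() suggests) or a RELEASE_ASSERT.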
@@ -181,7 +198,8 @@
 bool ProcessingInstruction::sheetLoaded()
 {
     if (!isLoading()) {
-        document().styleScope().removePendingSheet(*this);
+        if (document().styleScope().hasPendingSheet(*this))
+            document().styleScope().removePendingSheet(*this);
 #if ENABLE(XSLT)
         if (m_isXSL)
             document().styleScope().flushPendingUpdate();
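Review bot: the new hasPendingSheet() pre-check covers the case where checkStyleSheet() returned after 'beforeload' without calling addPendingSheet() (disconnected or moved node) yet sheetLoaded() still runs when the cached resource finishes; a comment naming that path would stop the next reader from removing the check as redundant. Alternatively make Scope::removePendingSheet(const ProcessingInstruction&) tolerate a missing entry so callers do not each need the guard.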
@@ -211,6 +229,7 @@
     // We don't need the cross-origin security check here because we are
     // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
     // type.
+    Ref<Document> protect(document());
     parseStyleSheet(sheet->sheetText());
 }
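Review bot: `protect` keeps the Document alive across parseStyleSheet(), but `this` is not protected; if parsing can lead to the ProcessingInstruction being removed and its last reference dropped, a `Ref<ProcessingInstruction> protectedThis(*this);` is needed as well. The ChangeLog cites setXSLStyleSheet as the model but that function is not in the diff, so state in the comment what is being protected and why. Naming: the rest of this patch uses `originalDocument`; `protectedDocument` would read more consistently than `protect`.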
 

Modified: trunk/Source/WebCore/dom/ProcessingInstruction.h (214359 => 214360)


--- trunk/Source/WebCore/dom/ProcessingInstruction.h	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/dom/ProcessingInstruction.h	2017-03-24 18:39:28 UTC (rev 214360)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2000 Peter Kelly ([email protected])
- * Copyright (C) 2006 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2013 Samsung Electronics. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -74,6 +74,8 @@
 
     void parseStyleSheet(const String& sheet);
 
+    void clearExistingCachedSheet();
+
     String m_target;
     String m_localHref;
     String m_title;
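Review bot: clearExistingCachedSheet() is declared here and listed as "Added" in the ChangeLog, but the ProcessingInstruction.cpp diff contains neither a definition nor a call site; either the .cpp hunk is missing from the patch or the declaration is dead and should be dropped.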
@@ -87,6 +89,7 @@
 #if ENABLE(XSLT)
     bool m_isXSL { false };
 #endif
+    bool m_isHandlingBeforeLoad { false };
 };
 
 } // namespace WebCore

Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (214359 => 214360)


--- trunk/Source/WebCore/html/HTMLLinkElement.cpp	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp	2017-03-24 18:39:28 UTC (rev 214360)
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll ([email protected])
  *           (C) 1999 Antti Koivisto ([email protected])
  *           (C) 2001 Dirk Mueller ([email protected])
- * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Rob Buis ([email protected])
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
@@ -55,6 +55,7 @@
 #include "StyleScope.h"
 #include "StyleSheetContents.h"
 #include <wtf/Ref.h>
+#include <wtf/SetForScope.h>
 #include <wtf/StdLibExtras.h>
 
 namespace WebCore {
@@ -224,6 +225,10 @@
         return;
     }
 
+    // Prevent recursive loading of link.
+    if (m_isHandlingBeforeLoad)
+        return;
+
     URL url = ""
 
     if (!m_linkLoader.loadLink(m_relAttribute, url, attributeWithoutSynchronization(asAttr), attributeWithoutSynchronization(crossoriginAttr), document()))
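Review bot: this guard sits before m_linkLoader.loadLink(), so a re-entrant process() during 'beforeload' skips the LinkLoader path for the other rel types as well as the stylesheet path, and any href/rel change the listener made is dropped rather than reprocessed. The comment "Prevent recursive loading of link." does not say that the update is lost; say so, or queue a re-run after the dispatch.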
@@ -243,8 +248,11 @@
             m_cachedSheet = nullptr;
         }
 
+        {
+        SetForScope<bool> change(m_isHandlingBeforeLoad, true);
         if (!shouldLoadLink())
             return;
+        }
 
         m_loading = true;
 
@@ -277,6 +285,7 @@
 
         request.setAsPotentiallyCrossOrigin(crossOrigin(), document());
 
+        ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet);
         m_cachedSheet = document().cachedResourceLoader().requestCSSStyleSheet(WTFMove(request));
 
         if (m_cachedSheet)
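Review bot: ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet) guards the assignment only in debug builds; in release a non-null m_cachedSheet is overwritten by the requestCSSStyleSheet() result without removeClient(*this). Use RELEASE_ASSERT, or clear the old sheet explicitly before the assignment.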

Modified: trunk/Source/WebCore/html/HTMLLinkElement.h (214359 => 214360)


--- trunk/Source/WebCore/html/HTMLLinkElement.h	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/html/HTMLLinkElement.h	2017-03-24 18:39:28 UTC (rev 214360)
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 1999 Lars Knoll ([email protected])
  *           (C) 1999 Antti Koivisto ([email protected])
- * Copyright (C) 2003, 2008, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -132,6 +132,7 @@
     bool m_createdByParser;
     bool m_firedLoad;
     bool m_loadedResource;
+    bool m_isHandlingBeforeLoad { false };
 
     PendingSheetType m_pendingSheetType;
 

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (214359 => 214360)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2017-03-24 18:39:28 UTC (rev 214360)
@@ -1325,6 +1325,8 @@
 
         enum Mode { None, Object, Attribute, Children };
         Mode mode = None;
+        Ref<Document> originalDocument = document();
+        bool didEventListenerDisconnectThisElement = false;
 
         if (m_mediaProvider) {
             // 6. If the media element has an assigned media provider object, then let mode be object.
@@ -1408,6 +1410,13 @@
                 return;
             }
 
+            didEventListenerDisconnectThisElement = !isConnected() || &document() != originalDocument.ptr();
+            if (didEventListenerDisconnectThisElement) {
+                mediaLoadingFailed(MediaPlayer::FormatError);
+                LOG(Media, "HTMLMediaElement::selectMediaResource(%p) -  document changed during load.", this);
+                return;
+            }
+
             // 3. If absolute URL was obtained successfully, set the currentSrc attribute to absolute URL.
             m_currentSrc = absoluteURL;
 
@@ -4215,10 +4224,12 @@
 
     URL mediaURL;
     HTMLSourceElement* source = nullptr;
+    Ref<Document> originalDocument = document();
     String type;
     bool lookingForStartNode = m_nextChildNodeToConsider;
     bool canUseSourceElement = false;
-    bool okToLoadSourceURL;
+    bool okToLoadSourceURL = false;
+    bool didEventListenerDisconnectThisElement = false;
 
     NodeVector potentialSourceNodes;
     getChildNodes(*this, potentialSourceNodes);
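Review bot: `okToLoadSourceURL` gaining an initializer and the two new locals being declared before the loop is required because the `goto CheckAgain` jumps further down cannot cross an initialized declaration; a one-line comment saying so would stop the next person from "cleaning up" by moving them to the point of use.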
@@ -4291,6 +4302,13 @@
             goto CheckAgain;
         }
 
+        didEventListenerDisconnectThisElement = !isConnected() || &document() != originalDocument.ptr();
+        if (didEventListenerDisconnectThisElement) {
+            LOG(Media, "HTMLMediaElement::selectNextSourceChild(%p) - 'beforeload' changed document during load.", this);
+            source = nullptr;
+            goto CheckAgain;
+        }
+
         if (!okToLoadSourceURL)
             goto CheckAgain;
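Review bot: on disconnect this sets `source = nullptr` and takes `goto CheckAgain`, so the loop keeps iterating the remaining <source> children of an element that is no longer in its original document, and each further candidate can dispatch another 'beforeload' against the detached element; selectMediaResource() bails out with mediaLoadingFailed() in the same situation. Consider leaving the selection loop entirely here, or state in the comment why continuing is safe.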
 

Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (214359 => 214360)


--- trunk/Source/WebCore/loader/ImageLoader.cpp	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp	2017-03-24 18:39:28 UTC (rev 214360)
@@ -394,7 +394,12 @@
     if (!element().document().hasLivingRenderTree())
         return;
     m_hasPendingBeforeLoadEvent = false;
+    Ref<Document> originalDocument = element().document();
     if (element().dispatchBeforeLoadEvent(m_image->url())) {
+        bool didEventListenerDisconnectThisElement = !element().isConnected() || &element().document() != originalDocument.ptr();
+        if (didEventListenerDisconnectThisElement)
+            return;
+        
         updateRenderer();
         return;
     }
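Review bot: the blank line after the early return carries trailing whitespace. Behaviourally, returning before updateRenderer() leaves the image load itself running (m_image is not cleared), which the new image-removed-during-before-load test relies on since its load listener still prints PASS; a one-line comment stating that only the renderer update is skipped would make that intentional rather than accidental.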

Modified: trunk/Source/WebCore/style/StyleScope.cpp (214359 => 214360)


--- trunk/Source/WebCore/style/StyleScope.cpp	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/style/StyleScope.cpp	2017-03-24 18:39:28 UTC (rev 214360)
@@ -3,7 +3,7 @@
  *           (C) 1999 Antti Koivisto ([email protected])
  *           (C) 2001 Dirk Mueller ([email protected])
  *           (C) 2006 Alexey Proskuryakov ([email protected])
- * Copyright (C) 2004-2009, 2011-2012, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2009, 2011-2012, 2015-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
@@ -233,6 +233,11 @@
     return m_elementsInBodyWithPendingSheets.contains(&element);
 }
 
+bool Scope::hasPendingSheet(const ProcessingInstruction& processingInstruction) const
+{
+    return m_processingInstructionsWithPendingSheets.contains(&processingInstruction);
+}
+
 void Scope::addStyleSheetCandidateNode(Node& node, bool createdByParser)
 {
     if (!node.isConnected())

Modified: trunk/Source/WebCore/style/StyleScope.h (214359 => 214360)


--- trunk/Source/WebCore/style/StyleScope.h	2017-03-24 18:23:48 UTC (rev 214359)
+++ trunk/Source/WebCore/style/StyleScope.h	2017-03-24 18:39:28 UTC (rev 214360)
@@ -3,7 +3,7 @@
  *           (C) 1999 Antti Koivisto ([email protected])
  *           (C) 2001 Dirk Mueller ([email protected])
  *           (C) 2006 Alexey Proskuryakov ([email protected])
- * Copyright (C) 2004-2010, 2012-2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2010, 2012-2013, 2015-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2011 Google Inc. All rights reserved.
@@ -92,6 +92,7 @@
     bool hasPendingSheetsInBody() const;
     bool hasPendingSheet(const Element&) const;
     bool hasPendingSheetInBody(const Element&) const;
+    bool hasPendingSheet(const ProcessingInstruction&) const;
 
     bool usesStyleBasedEditability() { return m_usesStyleBasedEditability; }
 
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
