Title: [100573] branches/chromium/912
- Revision
- 100573
- Author
- [email protected]
- Date
- 2011-11-17 00:24:00 -0800 (Thu, 17 Nov 2011)
Log Message
Merge 9964
BUG=102037
Review URL: http://codereview.chromium.org/8480029
Modified Paths
Added Paths
Diff
Copied: branches/chromium/912/LayoutTests/fast/css/css-fontface-rule-crash-expected.txt (from rev 99649, trunk/LayoutTests/fast/css/css-fontface-rule-crash-expected.txt) (0 => 100573)
--- branches/chromium/912/LayoutTests/fast/css/css-fontface-rule-crash-expected.txt (rev 0)
+++ branches/chromium/912/LayoutTests/fast/css/css-fontface-rule-crash-expected.txt 2011-11-17 08:24:00 UTC (rev 100573)
@@ -0,0 +1 @@
+PASS
Copied: branches/chromium/912/LayoutTests/fast/css/css-fontface-rule-crash.html (from rev 99649, trunk/LayoutTests/fast/css/css-fontface-rule-crash.html) (0 => 100573)
--- branches/chromium/912/LayoutTests/fast/css/css-fontface-rule-crash.html (rev 0)
+++ branches/chromium/912/LayoutTests/fast/css/css-fontface-rule-crash.html 2011-11-17 08:24:00 UTC (rev 100573)
@@ -0,0 +1,37 @@
+<html>
+<head>
+<script src=""
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function load()
+{
+ style = document.createElement('style');
+ style.textContent = '@font-face { font-family: "A"; }';
+ document.head.appendChild(style);
+ rulestyle = document.styleSheets[0].cssRules[0].style;
+ document.head.removeChild(style);
+ style = null;
+ setTimeout(crash, 0);
+}
+
+function crash()
+{
+ gc();
+ obj = rulestyle.parentRule;
+ // If the gc() actually successfully reaps everything it can, then obj
+ // will end up null (post-fix). gc() is not guaranteed to reap the font-face
+ // rule, however, particularly in the browser context.
+ if (obj)
+ obj = obj.foo;
+ document.body.innerText = 'PASS';
+ if (window.layoutTestController)
+ layoutTestController.notifyDone()
+}
+</script>
+</head>
+<body _onload_="load()"></body>
+</html>
Copied: branches/chromium/912/LayoutTests/resources/gc.js (from rev 99649, trunk/LayoutTests/resources/gc.js) (0 => 100573)
--- branches/chromium/912/LayoutTests/resources/gc.js (rev 0)
+++ branches/chromium/912/LayoutTests/resources/gc.js 2011-11-17 08:24:00 UTC (rev 100573)
@@ -0,0 +1,20 @@
+// If there is no window.gc() already defined, define one using the best
+// method we can find.
+// The slow fallback should not hit in the actual test environment.
+if (!window.gc)
+{
+ window.gc = function()
+ {
+ if (window.GCController)
+ return GCController.collect();
+ function gcRec(n) {
+ if (n < 1)
+ return {};
+ var temp = {i: "ab" + i + (i / 100000)};
+ temp += "foo";
+ gcRec(n-1);
+ }
+ for (var i = 0; i < 10000; i++)
+ gcRec(10);
+ }
+}
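Review bot: The fallback branch of `window.gc` only creates allocation pressure and cannot guarantee that a collection happens, so a lifetime regression test that relies on it (css-fontface-rule-crash.html in this same change) can print PASS without the font-face rule ever being destroyed when `GCController` is absent. The header comment should say this explicitly, for example `// The fallback only generates garbage; it does not force a collection, so a PASS obtained without GCController is inconclusive.` Inside `gcRec`, `temp += "foo"` coerces the object to a string and the recursive branch returns nothing; both are harmless for producing garbage, but a one-line comment would stop them from being read as mistakes.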
Modified: branches/chromium/912/Source/WebCore/css/CSSFontFaceRule.cpp (100572 => 100573)
--- branches/chromium/912/Source/WebCore/css/CSSFontFaceRule.cpp 2011-11-17 08:16:44 UTC (rev 100572)
+++ branches/chromium/912/Source/WebCore/css/CSSFontFaceRule.cpp 2011-11-17 08:24:00 UTC (rev 100573)
@@ -33,6 +33,8 @@
CSSFontFaceRule::~CSSFontFaceRule()
{
+ if (m_style)
+ m_style->setParent(0);
}
void CSSFontFaceRule::setDeclaration(PassRefPtr<CSSMutableStyleDeclaration> style)
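Review bot: The destructor now detaches `m_style`, but `setDeclaration()` directly below also changes which declaration the rule owns, and its body lies outside this hunk. If it overwrites an existing `m_style` without first calling `m_style->setParent(0)` on the old declaration, a script-held reference to the replaced declaration would keep a parent pointer that dangles once the rule is destroyed; that is worth confirming before relying on this fix alone. The destructor would also benefit from a why-comment such as `// m_style can outlive this rule through script references; clear its back-pointer so parentRule yields null rather than a freed rule.`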