Title: [102639] trunk
Revision
102639
Author
[email protected]
Date
2011-12-12 16:48:36 -0800 (Mon, 12 Dec 2011)

Log Message

Don't crash in StyleAttributeMutationScope if the style declaration's element has been GCed
https://bugs.webkit.org/show_bug.cgi?id=74321

Reviewed by Ryosuke Niwa.

Source/WebCore:

In r101101, Rafael Weinstein added code to CSSMutableStyleDeclaration.cpp
which depended on isInlineStyleDeclaration returning true iff the
element it pointed to was non-null (it will be nulled-out if the
element is garbage collected).

Then, in r101172, Andreas Kling changed the semantics so that
isInlineStyleDeclaration only described the type of the declaration,
not the state of the related element.

This change updates Rafael's code with an explicit check that the
element is still alive.

Test: fast/dom/css-inline-style-declaration-crash.html

* css/CSSMutableStyleDeclaration.cpp:

LayoutTests:

* fast/dom/css-inline-style-declaration-crash-expected.txt: Added.
* fast/dom/css-inline-style-declaration-crash.html: Added.
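A minimal model of the lifetime coupling the commit message describes, added here as an example rather than WebKit's own code: an inline style declaration keeps a raw back-pointer to its element, that pointer is cleared when the element goes away, and a scope guard that dereferences it must check liveness first. The names `InlineStyleDeclaration`, `MutationLog`, `setCssText` and the guard's fields are assumptions standing in for `CSSInlineStyleDeclaration`, `MutationObserverInterestGroup` and the `cssText` setter, and ordinary C++ destruction stands in for JavaScript garbage collection.

```cpp
// Added example (not WebKit code): model of the null back-pointer the r102639
// guard protects against. Names below are hypothetical stand-ins.
#include <memory>
#include <string>
#include <vector>

struct Element;

struct InlineStyleDeclaration {
    Element* element = nullptr;  // cleared when the owning element is destroyed
    std::string cssText;
};

struct Element {
    std::string tagName;
    std::shared_ptr<InlineStyleDeclaration> style;
    explicit Element(std::string tag)
        : tagName(std::move(tag)), style(std::make_shared<InlineStyleDeclaration>()) {
        style->element = this;
    }
    ~Element() {
        // Mirrors the declaration being nulled-out when the element is collected;
        // the declaration itself may outlive the element (script still holds it).
        if (style)
            style->element = nullptr;
    }
};

// Stand-in for the mutation records an observer interest group would deliver.
struct MutationLog {
    std::vector<std::string> records;
};

// Scope guard modeled on StyleAttributeMutationScope: set up on entry to a
// style mutation, report on exit. Without the liveness check in the
// constructor, the tagName read would dereference a null element.
class StyleAttributeMutationScope {
public:
    StyleAttributeMutationScope(InlineStyleDeclaration* decl, MutationLog* log)
        : m_decl(decl), m_log(log) {
        if (!m_decl->element)
            return;  // element already collected: nothing to observe (the fix)
        m_targetTag = m_decl->element->tagName;
        m_armed = true;
    }
    ~StyleAttributeMutationScope() {
        // Same check on the exit path, matching the destructor hunk of the patch.
        if (m_armed && m_decl->element)
            m_log->records.push_back(m_targetTag + ".style=" + m_decl->cssText);
    }
private:
    InlineStyleDeclaration* m_decl;
    MutationLog* m_log;
    std::string m_targetTag;
    bool m_armed = false;
};

// Sets cssText inside the guard; returns how many mutation records were emitted.
size_t setCssText(InlineStyleDeclaration* decl, const std::string& text, MutationLog* log) {
    size_t before = log->records.size();
    {
        StyleAttributeMutationScope scope(decl, log);
        decl->cssText = text;
    }
    return log->records.size() - before;
}

// Normal case: element alive, one record delivered.
bool liveElementNotifies() {
    MutationLog log;
    auto span = std::make_unique<Element>("span");
    auto style = span->style;  // declaration kept alive independently of the element
    return setCssText(style.get(), "color:red", &log) == 1;
}

// The layout test's scenario: keep the declaration, drop the element, mutate.
bool collectedElementDoesNotCrash() {
    MutationLog log;
    std::shared_ptr<InlineStyleDeclaration> style;
    {
        auto span = std::make_unique<Element>("span");
        style = span->style;
    }  // span destroyed here; style->element is now null
    return style->element == nullptr && setCssText(style.get(), "color:red", &log) == 0;
}

int main() {
    return (liveElementNotifies() && collectedElementDoesNotCrash()) ? 0 : 1;
}
```

The guard bails out of both the entry and exit paths when the back-pointer is null, which is the same shape as the two hunks in `CSSMutableStyleDeclaration.cpp`; the point to carry away is that a type predicate (here, "is this an inline declaration") must not be used as a proxy for a liveness predicate once the two can diverge.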

Diff

Modified: trunk/LayoutTests/ChangeLog (102638 => 102639)


--- trunk/LayoutTests/ChangeLog	2011-12-13 00:46:51 UTC (rev 102638)
+++ trunk/LayoutTests/ChangeLog	2011-12-13 00:48:36 UTC (rev 102639)
@@ -1,3 +1,13 @@
+2011-12-12  Adam Klein  <[email protected]>
+
+        Don't crash in StyleAttributeMutationScope if the style declaration's element has been GCed
+        https://bugs.webkit.org/show_bug.cgi?id=74321
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/dom/css-inline-style-declaration-crash-expected.txt: Added.
+        * fast/dom/css-inline-style-declaration-crash.html: Added.
+
 2011-12-12  Brent Fulgham  <[email protected]>
 
         [WinCairo] Unreviewed update to Skipped list to get bot green.

Added: trunk/LayoutTests/fast/dom/css-inline-style-declaration-crash-expected.txt (0 => 102639)


--- trunk/LayoutTests/fast/dom/css-inline-style-declaration-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/css-inline-style-declaration-crash-expected.txt	2011-12-13 00:48:36 UTC (rev 102639)
@@ -0,0 +1,10 @@
+Setting a CSSStyleDeclaration after its element has been GCed should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/css-inline-style-declaration-crash.html (0 => 102639)


--- trunk/LayoutTests/fast/dom/css-inline-style-declaration-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/css-inline-style-declaration-crash.html	2011-12-13 00:48:36 UTC (rev 102639)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<script src=""
+<script>
+description('Setting a CSSStyleDeclaration after its element has been GCed should not crash.');
+
+var span = document.createElement('span');
+var style = span.style;
+span = null;
+gc();
+style.cssText = 'color:red';
+
+testPassed('Did not crash');
+</script>
+<script src=""
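Review bot: the two `<script src=""` lines bracketing the test arrive with an empty src, so the harness that provides `description`, `testPassed` and `successfullyParsed` is not visible in this rendering; the test cannot run without it. Separately, `gc()` is not a standard DOM API and is only supplied by the test runner, so loading this file in a plain browser throws a ReferenceError before `style.cssText = 'color:red'` is reached; either a guard such as `if (window.gc) gc();` or a one-line comment stating the harness dependency would make that explicit.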

Modified: trunk/Source/WebCore/ChangeLog (102638 => 102639)


--- trunk/Source/WebCore/ChangeLog	2011-12-13 00:46:51 UTC (rev 102638)
+++ trunk/Source/WebCore/ChangeLog	2011-12-13 00:48:36 UTC (rev 102639)
@@ -1,3 +1,26 @@
+2011-12-12  Adam Klein  <[email protected]>
+
+        Don't crash in StyleAttributeMutationScope if the style declaration's element has been GCed
+        https://bugs.webkit.org/show_bug.cgi?id=74321
+
+        Reviewed by Ryosuke Niwa.
+
+        In r101101, Rafael Weinstein added code to CSSMutableStyleDeclaration.cpp
+        which depended on isInlineStyleDeclaration returning true iff the
+        element it pointed to was non-null (it will be nulled-out if the
+        element is garbage collected).
+
+        Then, in r101172, Andreas Kling changed the semantics so that
+        isInlineStyleDeclaration only described the type of the declaration,
+        not the state of the related element.
+
+        This change updates Rafael's code with an explicit check that the
+        element is still alive.
+
+        Test: fast/dom/css-inline-style-declaration-crash.html
+
+        * css/CSSMutableStyleDeclaration.cpp:
+
 2011-12-12  Chris Fleizach  <[email protected]>
 
         AX: aria-hidden inheritance broken when applying to some descendants

Modified: trunk/Source/WebCore/css/CSSMutableStyleDeclaration.cpp (102638 => 102639)


--- trunk/Source/WebCore/css/CSSMutableStyleDeclaration.cpp	2011-12-13 00:46:51 UTC (rev 102638)
+++ trunk/Source/WebCore/css/CSSMutableStyleDeclaration.cpp	2011-12-13 00:48:36 UTC (rev 102639)
@@ -67,6 +67,9 @@
             return;
 
         CSSInlineStyleDeclaration* inlineDecl = toCSSInlineStyleDeclaration(s_currentDecl);
+        if (!inlineDecl->element())
+            return;
+
         m_mutationRecipients = MutationObserverInterestGroup::createForAttributesMutation(inlineDecl->element(), HTMLNames::styleAttr);
         if (m_mutationRecipients->isEmpty()) {
             m_mutationRecipients.clear();
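Review bot: the early return at `if (!inlineDecl->element()) return;` removes the null dereference in `createForAttributesMutation(inlineDecl->element(), ...)`, but a short comment saying why `element()` can be null here (the element was GCed and the back-pointer cleared, as the ChangeLog explains) would help the next reader, since the previous code relied on `isInlineStyleDeclaration` for this implicitly. Consider also reading it once, `Element* element = inlineDecl->element();`, so the check and the use two lines below cannot drift apart.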
@@ -98,7 +101,7 @@
         CSSInlineStyleDeclaration* inlineDecl = toCSSInlineStyleDeclaration(s_currentDecl);
         s_currentDecl = 0;
         s_shouldNotifyInspector = false;
-        if (inlineDecl->element()->document())
+        if (inlineDecl->element() && inlineDecl->element()->document())
             InspectorInstrumentation::didInvalidateStyleAttr(inlineDecl->element()->document(), inlineDecl->element());
     }
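Review bot: `inlineDecl->element()` is now evaluated four times in this branch (twice in the condition, twice in the `didInvalidateStyleAttr` call); hoisting it into a local such as `Element* element = inlineDecl->element();` would make the null check read as a single condition and match the early-return style of the constructor hunk above. The logic is right as written: `s_currentDecl` and `s_shouldNotifyInspector` are reset before the check, so skipping the notification leaves no stale state behind.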
 
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes