Title: [104458] trunk/Source/WebCore
Revision
104458
Author
[email protected]
Date
2012-01-09 06:59:57 -0800 (Mon, 09 Jan 2012)

Log Message

possible regression: r104060 maybe causing crashes
https://bugs.webkit.org/show_bug.cgi?id=75676

Reviewed by Andreas Kling.

Based on the stacks, CSSStyleSelector may be getting deleted from under the
CSSStyleSelector::appendAuthorStylesheets call. Protect by temporarily detaching
from the document. Also add assertions to catch the case.
        
No test, there is no known repro and the fix is speculative.

* dom/Document.cpp:
(WebCore::Document::Document):
(WebCore::Document::setDocType):
(WebCore::Document::childrenChanged):
(WebCore::Document::clearStyleSelector):
(WebCore::Document::updateActiveStylesheets):
* dom/Document.h:


Diff

Modified: trunk/Source/WebCore/ChangeLog (104457 => 104458)


--- trunk/Source/WebCore/ChangeLog	2012-01-09 14:30:30 UTC (rev 104457)
+++ trunk/Source/WebCore/ChangeLog	2012-01-09 14:59:57 UTC (rev 104458)
@@ -1,3 +1,24 @@
+2012-01-09  Antti Koivisto  <[email protected]>
+
+        possible regression: r104060 maybe causing crashes
+        https://bugs.webkit.org/show_bug.cgi?id=75676
+
+        Reviewed by Andreas Kling.
+
+        Based on the stacks, CSSStyleSelector may be getting deleted from under the
+        CSSStyleSelector::appendAuthorStylesheets call. Protect by temporarily detaching
+        from the document. Also add assertions to catch the case.
+        
+        No test, there is no known repro and the fix is speculative.
+
+        * dom/Document.cpp:
+        (WebCore::Document::Document):
+        (WebCore::Document::setDocType):
+        (WebCore::Document::childrenChanged):
+        (WebCore::Document::clearStyleSelector):
+        (WebCore::Document::updateActiveStylesheets):
+        * dom/Document.h:
+
 2012-01-09  Caio Marcelo de Oliveira Filho  <[email protected]>
 
         Use Vector<OwnPtr> for m_viewportDependentMediaQueryResults in CSSStyleSelector

Modified: trunk/Source/WebCore/dom/Document.cpp (104457 => 104458)


--- trunk/Source/WebCore/dom/Document.cpp	2012-01-09 14:30:30 UTC (rev 104457)
+++ trunk/Source/WebCore/dom/Document.cpp	2012-01-09 14:59:57 UTC (rev 104458)
@@ -498,6 +498,10 @@
 
     static int docID = 0;
     m_docID = docID++;
+    
+#ifndef NDEBUG
+    m_updatingStyleSelector = false;
+#endif
 }
 
 static void histogramMutationEventUsage(const unsigned short& listenerTypes)
@@ -706,7 +710,7 @@
     if (m_docType)
         m_docType->setTreeScopeRecursively(this);
     // Doctype affects the interpretation of the stylesheets.
-    m_styleSelector.clear();
+    clearStyleSelector();
 }
 
 DOMImplementation* Document::implementation()
@@ -725,7 +729,7 @@
         return;
     m_documentElement = newDocumentElement;
     // The root style used for media query matching depends on the document element.
-    m_styleSelector.clear();
+    clearStyleSelector();
 }
 
 PassRefPtr<Element> Document::createElement(const AtomicString& name, ExceptionCode& ec)
@@ -1798,6 +1802,12 @@
                                                     !inQuirksMode(), matchAuthorAndUserStyles));
     combineCSSFeatureFlags();
 }
+    
+inline void Document::clearStyleSelector()
+{
+    ASSERT(!m_updatingStyleSelector);
+    m_styleSelector.clear();
+}
 
 void Document::attach()
 {
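Review bot: The assertion in clearStyleSelector is debug-only, and the reason a release-build reentrant clear is still harmless is not recorded anywhere: while updateActiveStylesheets has the selector detached, m_styleSelector has already been release()d and is null, so m_styleSelector.clear() deletes nothing and the selector in use survives. A short comment above the ASSERT would make that invariant explicit, e.g. `// Must not run while updateActiveStylesheets has the selector detached; in that window m_styleSelector is already null, so a stray clear cannot delete the selector in use.` The `inline` on this definition is only safe because the function is called from this translation unit alone; a call from any other file would fail to link, so either drop the keyword or keep the method private as it appears to be declared in Document.h.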
@@ -3227,6 +3237,8 @@
 
 bool Document::updateActiveStylesheets(StyleSelectorUpdateFlag updateFlag)
 {
+    ASSERT(!m_updatingStyleSelector);
+
     if (m_inStyleRecalc) {
         // SVG <use> element may manage to invalidate style selector in the middle of a style recalc.
         // https://bugs.webkit.org/show_bug.cgi?id=54344
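Review bot: The ASSERT added at the top of updateActiveStylesheets compiles out in release builds, so a reentrant call made while the selector is detached later in this function proceeds past the m_inStyleRecalc check and, unless analyzeStylesheetChange requests a reset, reaches the else branch where m_styleSelector.release() yields null and the appendAuthorStylesheets call dereferences it. Since the commit message says the fix is speculative and has no repro, a comment stating that this reentrancy is a hard crash rather than a recoverable state would help the next reader, e.g. `// Reentrancy is fatal in release builds: while the selector is detached below, m_styleSelector is null.` The function body continues past the hunk.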
@@ -3246,9 +3258,18 @@
     analyzeStylesheetChange(updateFlag, newStylesheets, requiresStyleSelectorReset, requiresFullStyleRecalc);
 
     if (requiresStyleSelectorReset)
-        m_styleSelector.clear();
+        clearStyleSelector();
     else {
-        m_styleSelector->appendAuthorStylesheets(m_styleSheets->length(), newStylesheets);
+#ifndef NDEBUG
+        m_updatingStyleSelector = true;
+#endif
+        // Detach the style selector temporarily so it can't get deleted during appendAuthorStylesheets
+        OwnPtr<CSSStyleSelector> detachedStyleSelector = m_styleSelector.release();
+        detachedStyleSelector->appendAuthorStylesheets(m_styleSheets->length(), newStylesheets);
+        m_styleSelector = detachedStyleSelector.release();
+#ifndef NDEBUG
+        m_updatingStyleSelector = false;
+#endif
         resetCSSFeatureFlags();
     }
     m_styleSheets->swap(newStylesheets);
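Review bot: Between the release() on the detach line and the reattach assignment, m_styleSelector is null, so any code reached from appendAuthorStylesheets that reads the document's selector (Document::styleSelector() is not in this hunk) sees no selector, and if that accessor lazily creates one, the reattach assignment silently destroys that second selector while its caller may still hold a raw pointer to it. The detach guards against the selector being deleted but not against it being replaced, so the reattach should verify nothing was created in the meantime: `ASSERT(!m_styleSelector);` immediately before `m_styleSelector = detachedStyleSelector.release();`. Because every assertion here vanishes in release builds, the comment on the detach line should also state the invariant callers must respect, e.g. `// m_styleSelector is null until reattached below; nothing reached from appendAuthorStylesheets may create or clear it.` The enclosing function continues past the hunk.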

Modified: trunk/Source/WebCore/dom/Document.h (104457 => 104458)


--- trunk/Source/WebCore/dom/Document.h	2012-01-09 14:30:30 UTC (rev 104457)
+++ trunk/Source/WebCore/dom/Document.h	2012-01-09 14:59:57 UTC (rev 104458)
@@ -1156,6 +1156,7 @@
     void buildAccessKeyMap(TreeScope* root);
 
     void createStyleSelector();
+    void clearStyleSelector();
     void combineCSSFeatureFlags();
     void resetCSSFeatureFlags();
     
@@ -1445,6 +1446,10 @@
 
     Timer<Document> m_pendingTasksTimer;
     Vector<OwnPtr<Task> > m_pendingTasks;
+    
+#ifndef NDEBUG
+    bool m_updatingStyleSelector;
+#endif
 };
 
 // Put these methods here, because they require the Document definition, but we really want to inline them.