Title: [104845] trunk
Revision
104845
Author
an...@apple.com
Date
2012-01-12 12:21:51 -0800 (Thu, 12 Jan 2012)

Log Message

REGRESSION(r104060): Setting user stylesheet may leave CSSStyleSelector with stale rule pointers
https://bugs.webkit.org/show_bug.cgi?id=76191

Source/WebCore: 

Reviewed by Andreas Kling.
Setting the user style sheet frees the existing user style sheet data structures. The code
in Document::updatePageGroupUserSheets then relies on styleSelectorChanged to clear the
style selector so it is not left with stale pointers. However under certain conditions
involving pending stylesheets it may bail out quickly without clearing.
Document::styleSelectorChanged has to take care that it never leaves the style selector stale
even when bailing out early.

Test: fast/css/user-stylesheet-crash.html

* dom/Document.cpp:
(WebCore::Document::styleSelectorChanged):

LayoutTests: 

Reviewed by Andreas Kling.

* fast/css/user-stylesheet-crash-expected.txt: Added.
* fast/css/user-stylesheet-crash.html: Added.
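The failure the log message describes, as an added example that is not WebKit code: a tiny model of a Document that owns its user-sheet rule data, a style selector that keeps a non-owning pointer into that data, and the early-return in styleSelectorChanged before and after r104845. The names RuleSet, StyleSelector, ensureStyleSelector and setUserStyleSheet are hypothetical stand-ins for CSSStyleSelector, the page-group user sheets and Document::updatePageGroupUserSheets; the lazy creation of the selector without setting the "did calculate" flag is an assumption made to reproduce the sequence in fast/css/user-stylesheet-crash.html. A registry of live allocations stands in for the allocator so the stale pointer can be detected without dereferencing freed memory.

```cpp
// Added example modelling r104845, not WebKit code. Names are hypothetical.
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of RuleSets that are still allocated. Lets the example check a
// pointer for staleness without touching freed memory (which would be UB).
static std::set<const void*> g_liveRuleSets;

struct RuleSet {
    std::vector<std::string> rules;
    explicit RuleSet(std::vector<std::string> r) : rules(std::move(r)) { g_liveRuleSets.insert(this); }
    ~RuleSet() { g_liveRuleSets.erase(this); }
};

// Stand-in for CSSStyleSelector: holds a non-owning pointer into the user
// stylesheet data, exactly the pointer that goes stale in the bug.
struct StyleSelector {
    const RuleSet* userRules;
    explicit StyleSelector(const RuleSet* rules) : userRules(rules) {}
    bool hasStalePointer() const { return userRules && !g_liveRuleSets.count(userRules); }
};

struct Document {
    bool attached = true;
    bool didCalculateStyleSelector = false;   // set only by a full recalc
    bool stylesheetsLoaded = true;            // false while a <link> is pending
    std::unique_ptr<RuleSet> userSheet;       // owned by the "page group"
    std::unique_ptr<StyleSelector> styleSelector;

    // Assumed lazy accessor: builds a selector on demand but does not mark the
    // document as having calculated its style selector.
    void ensureStyleSelector() {
        if (!styleSelector)
            styleSelector.reset(new StyleSelector(userSheet.get()));
    }

    void recalcStyleSelector() {
        styleSelector.reset(new StyleSelector(userSheet.get()));
        didCalculateStyleSelector = true;
    }

    // Behaviour before r104845: the early return leaves styleSelector untouched.
    void styleSelectorChangedBuggy() {
        if (!attached || (!didCalculateStyleSelector && !stylesheetsLoaded))
            return;
        recalcStyleSelector();
    }

    // Behaviour after r104845: clear before bailing out so no stale pointer survives.
    void styleSelectorChangedFixed() {
        if (!attached || (!didCalculateStyleSelector && !stylesheetsLoaded)) {
            styleSelector.reset();
            return;
        }
        recalcStyleSelector();
    }

    // Stand-in for updatePageGroupUserSheets: the old rule data is freed first,
    // then the document is told the selector must be rebuilt.
    void setUserStyleSheet(std::vector<std::string> rules, bool fixed) {
        userSheet.reset(new RuleSet(std::move(rules)));   // old RuleSet freed here
        if (fixed)
            styleSelectorChangedFixed();
        else
            styleSelectorChangedBuggy();
    }
};

// The sequence from the layout test: a document with a pending stylesheet and a
// lazily created selector, then a user sheet swap. Returns true if the selector
// is left pointing at freed rule data.
bool userSheetSwapLeavesStalePointer(bool fixed) {
    Document doc;
    doc.stylesheetsLoaded = false;                              // does_not_exist.css never loads
    doc.userSheet.reset(new RuleSet({"#test { color: red }"}));
    doc.ensureStyleSelector();                                  // flag stays false
    doc.setUserStyleSheet({"#test { color: blue }"}, fixed);    // red RuleSet freed
    return doc.styleSelector && doc.styleSelector->hasStalePointer();
}

// Control: once stylesheets are loaded both versions rebuild the selector and it
// points at the new rule data.
bool loadedDocumentRebuildsSelector(bool fixed) {
    Document doc;
    doc.userSheet.reset(new RuleSet({"#test { color: red }"}));
    doc.ensureStyleSelector();
    doc.setUserStyleSheet({"#test { color: blue }"}, fixed);
    return doc.styleSelector && !doc.styleSelector->hasStalePointer()
        && doc.styleSelector->userRules == doc.userSheet.get();
}
```

The only difference between the two styleSelectorChanged variants is the reset inside the early-return branch; the buggy one leaves a selector whose userRules pointer no longer refers to a live RuleSet, which in WebKit becomes a use-after-free the next time rules are matched.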

Diff

Modified: trunk/LayoutTests/ChangeLog (104844 => 104845)


--- trunk/LayoutTests/ChangeLog	2012-01-12 20:14:49 UTC (rev 104844)
+++ trunk/LayoutTests/ChangeLog	2012-01-12 20:21:51 UTC (rev 104845)
@@ -1,3 +1,13 @@
+2012-01-12  Antti Koivisto  <an...@apple.com>
+
+        REGRESSION(r104060): Setting user stylesheet may leave CSSStyleSelector with stale rule pointers 
+        https://bugs.webkit.org/show_bug.cgi?id=76191
+
+        Reviewed by Andreas Kling.
+
+        * fast/css/user-stylesheet-crash-expected.txt: Added.
+        * fast/css/user-stylesheet-crash.html: Added.
+
 2012-01-12  Joshua Bell  <jsb...@chromium.org>
 
         IndexedDB: Raise NON_TRANSIENT_ERR when invalid mode specified for transaction
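Review bot: the title line of the new entry ends in trailing whitespace ("stale rule pointers "); strip it before landing so the next person touching the ChangeLog does not get a whitespace-only diff on this line. The entry otherwise matches the bug title and the WebCore ChangeLog.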

Added: trunk/LayoutTests/fast/css/user-stylesheet-crash-expected.txt (0 => 104845)


--- trunk/LayoutTests/fast/css/user-stylesheet-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/user-stylesheet-crash-expected.txt	2012-01-12 20:21:51 UTC (rev 104845)
@@ -0,0 +1 @@
+This test requires DRT. It passes if it doesn't crash.  
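Review bot: the single expected line ends in two trailing spaces that the body text in user-stylesheet-crash.html does not carry. Confirm this is exactly what dumpAsText emits on every port, otherwise the test will fail for a whitespace reason that has nothing to do with the crash it guards.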

Added: trunk/LayoutTests/fast/css/user-stylesheet-crash.html (0 => 104845)


--- trunk/LayoutTests/fast/css/user-stylesheet-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/user-stylesheet-crash.html	2012-01-12 20:21:51 UTC (rev 104845)
@@ -0,0 +1,31 @@
+<html>
+<head>
+<script>
+function createIframe()
+{
+    var iframe = document.createElement("iframe");
+    document.body.appendChild(iframe);
+    var iframeDocument = iframe.contentDocument;
+    var link = iframeDocument.createElement("link");
+    link.setAttribute("rel", "stylesheet");
+    link.setAttribute("href", "does_not_exist.css");
+    iframeDocument.head.appendChild(link);
+    if (window.layoutTestController) {
+        layoutTestController.addUserStyleSheet("#test { color: blue: }", true);
+        setTimeout("window.layoutTestController.notifyDone()", 100);
+    }
+}
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.addUserStyleSheet("#test { color: red: }", true);
+}
+setTimeout("createIframe()", 0);
+
+</script>
+</head>
+<body>
+This test requires DRT. It passes if it doesn't crash.
+</body>
+</html>
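Review bot: both user stylesheets carry a stray colon after the value (`"#test { color: red: }"` and `"#test { color: blue: }"`) and nothing in the page has id `test`. If the malformed declaration is deliberate, say so in a comment; otherwise write `#test { color: red }`. A one-line comment explaining that `does_not_exist.css` is there to keep the iframe document's stylesheets pending, so styleSelectorChanged takes its early-return path while a user sheet is being replaced, would also help whoever next edits this test; the fixed 100 ms wait before notifyDone() is only needed to give the second addUserStyleSheet a chance to run against the iframe, which is worth stating too.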

Modified: trunk/Source/WebCore/ChangeLog (104844 => 104845)


--- trunk/Source/WebCore/ChangeLog	2012-01-12 20:14:49 UTC (rev 104844)
+++ trunk/Source/WebCore/ChangeLog	2012-01-12 20:21:51 UTC (rev 104845)
@@ -1,3 +1,23 @@
+2012-01-12  Antti Koivisto  <an...@apple.com>
+
+        REGRESSION(r104060): Setting user stylesheet may leave CSSStyleSelector with stale rule pointers 
+        https://bugs.webkit.org/show_bug.cgi?id=76191
+
+        Reviewed by Andreas Kling.
+        
+        Setting the user style sheet frees the existing user style sheet data structures. The code
+        in Document::updatePageGroupUserSheets then relies on styleSelectorChanged to clear the
+        style selector so it is not left with stale pointers. However under certain conditions
+        involving pending stylesheets it may bail out quickly without clearing.
+        
+        Document::styleSelectorChanged has to take care that it never leaves the style selector stale
+        even when bailing out early.
+
+        Test: fast/css/user-stylesheet-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::styleSelectorChanged):
+
 2012-01-12  Nat Duca  <nd...@chromium.org>
 
         [chromium] Turn off FrameRateController timesource when it is not needed
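Review bot: "under certain conditions involving pending stylesheets" should name the condition, since it is the one branch the Document.cpp change touches: the early return when `!m_didCalculateStyleSelector && !haveStylesheetsLoaded()` (and, with this patch, the `!attached()` case as well). Lines 118, 122 and 127 of the new entry also carry trailing or whitespace-only content; trim them before landing.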

Modified: trunk/Source/WebCore/dom/Document.cpp (104844 => 104845)


--- trunk/Source/WebCore/dom/Document.cpp	2012-01-12 20:14:49 UTC (rev 104844)
+++ trunk/Source/WebCore/dom/Document.cpp	2012-01-12 20:21:51 UTC (rev 104845)
@@ -2981,8 +2981,10 @@
 {
     // Don't bother updating, since we haven't loaded all our style info yet
     // and haven't calculated the style selector for the first time.
-    if (!attached() || (!m_didCalculateStyleSelector && !haveStylesheetsLoaded()))
+    if (!attached() || (!m_didCalculateStyleSelector && !haveStylesheetsLoaded())) {
+        m_styleSelector.clear();
         return;
+    }
 
 #ifdef INSTRUMENT_LAYOUT_SCHEDULING
     if (!ownerElement())
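Review bot: the comment above the condition still says only "Don't bother updating", but the branch now also drops m_styleSelector; extend it to say why, that the user stylesheet data the selector points into may already have been freed by the caller, so the early bail must not keep the old selector alive. Note also that the `!attached()` half of the condition now clears the selector too, which goes beyond the pending-stylesheet regression the ChangeLog describes; if that is intended as a defensive measure it is fine, but the log entry should say so. Finally, a non-null m_styleSelector reaching this branch means it was created without m_didCalculateStyleSelector being set, so a short assertion or comment on where that lazy creation happens would make the invariant this fix relies on visible in the code.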
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes