Title: [113898] trunk
- Revision
- 113898
- Author
- an...@apple.com
- Date
- 2012-04-11 13:03:25 -0700 (Wed, 11 Apr 2012)
Log Message
Crash in CSSStyleSheet::deleteRule
https://bugs.webkit.org/show_bug.cgi?id=83708
Source/WebCore:
Reviewed by Andreas Kling.
Andreas spotted that the wrapper needs to be null checked before calling setParentStyleSheet(0).
Test: fast/css/delete-rule-crash.html
* css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::deleteRule):
LayoutTests:
Reviewed by Andreas Kling.
* fast/css/delete-rule-crash.html: Added.
* fast/css/delete-rule-crash-expected.txt: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (113897 => 113898)
--- trunk/LayoutTests/ChangeLog 2012-04-11 20:00:26 UTC (rev 113897)
+++ trunk/LayoutTests/ChangeLog 2012-04-11 20:03:25 UTC (rev 113898)
@@ -1,3 +1,13 @@
+2012-04-11 Antti Koivisto <an...@apple.com>
+
+ Crash in CSSStyleSheet::deleteRule
+ https://bugs.webkit.org/show_bug.cgi?id=83708
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/delete-rule-crash.html: Added.
+ * fast/css/delete-rule-crash-expected.txt: Added.
+
2012-04-11 Adam Klein <ad...@chromium.org>
[MutationObservers] Setting an attributeFilter should filter out all namespaced attribute mutations
Added: trunk/LayoutTests/fast/css/delete-rule-crash-expected.txt (0 => 113898)
--- trunk/LayoutTests/fast/css/delete-rule-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/delete-rule-crash-expected.txt 2012-04-11 20:03:25 UTC (rev 113898)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
Added: trunk/LayoutTests/fast/css/delete-rule-crash.html (0 => 113898)
--- trunk/LayoutTests/fast/css/delete-rule-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/delete-rule-crash.html 2012-04-11 20:03:25 UTC (rev 113898)
@@ -0,0 +1,13 @@
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<style>
+.rule1 {}
+.rule2 {}
+</style>
+<script>
+document.styleSheets[0].cssRules.item(0);
+document.styleSheets[0].deleteRule(1);
+</script>
+This test passes if it doesn't crash.
Modified: trunk/Source/WebCore/ChangeLog (113897 => 113898)
--- trunk/Source/WebCore/ChangeLog 2012-04-11 20:00:26 UTC (rev 113897)
+++ trunk/Source/WebCore/ChangeLog 2012-04-11 20:03:25 UTC (rev 113898)
@@ -1,3 +1,17 @@
+2012-04-11 Antti Koivisto <an...@apple.com>
+
+ Crash in CSSStyleSheet::deleteRule
+ https://bugs.webkit.org/show_bug.cgi?id=83708
+
+ Reviewed by Andreas Kling.
+
+ Andreas spotted that the wrapper needs to be null checked before calling setParentStyleSheet(0).
+
+ Test: fast/css/delete-rule-crash.html
+
+ * css/CSSStyleSheet.cpp:
+ (WebCore::CSSStyleSheet::deleteRule):
+
2012-04-11 Adam Klein <ad...@chromium.org>
[MutationObservers] Setting an attributeFilter should filter out all namespaced attribute mutations
Modified: trunk/Source/WebCore/css/CSSStyleSheet.cpp (113897 => 113898)
--- trunk/Source/WebCore/css/CSSStyleSheet.cpp 2012-04-11 20:00:26 UTC (rev 113897)
+++ trunk/Source/WebCore/css/CSSStyleSheet.cpp 2012-04-11 20:03:25 UTC (rev 113898)
@@ -317,7 +317,8 @@
success:
if (!m_childRuleCSSOMWrappers.isEmpty()) {
- m_childRuleCSSOMWrappers[index]->setParentStyleSheet(0);
+ if (m_childRuleCSSOMWrappers[index])
+ m_childRuleCSSOMWrappers[index]->setParentStyleSheet(0);
m_childRuleCSSOMWrappers.remove(index);
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
