Title: [122976] trunk
- Revision: 122976
- Author: [email protected]
- Date: 2012-07-18 08:15:22 -0700 (Wed, 18 Jul 2012)
Log Message
WebCore::StylePropertySet::addParsedProperties - crash
https://bugs.webkit.org/show_bug.cgi?id=91153
Patch by Douglas Stockwell <[email protected]> on 2012-07-18
Reviewed by Andreas Kling.
Source/WebCore:
WebKitCSSKeyframeRule::style exposed an immutable StylePropertySet.
Modified to create a mutable copy on demand.
Test: fast/css/css-keyframe-style-mutate-crash.html
* css/StyleResolver.cpp:
(WebCore::StyleResolver::collectMatchingRulesForList):
* css/WebKitCSSKeyframeRule.cpp:
(WebCore::StyleKeyframe::mutableProperties): Added, creates a mutable copy of properties as required.
(WebCore::WebKitCSSKeyframeRule::style):
* css/WebKitCSSKeyframeRule.h:
(WebCore::StyleKeyframe::properties): Made const, use mutableProperties to mutate.
LayoutTests:
* fast/css/css-keyframe-style-mutate-crash-expected.txt: Added.
* fast/css/css-keyframe-style-mutate-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (122975 => 122976)
--- trunk/LayoutTests/ChangeLog 2012-07-18 15:13:34 UTC (rev 122975)
+++ trunk/LayoutTests/ChangeLog 2012-07-18 15:15:22 UTC (rev 122976)
@@ -1,3 +1,13 @@
+2012-07-18 Douglas Stockwell <[email protected]>
+
+ WebCore::StylePropertySet::addParsedProperties - crash
+ https://bugs.webkit.org/show_bug.cgi?id=91153
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/css-keyframe-style-mutate-crash-expected.txt: Added.
+ * fast/css/css-keyframe-style-mutate-crash.html: Added.
+
2012-07-18 Balazs Kelemen <[email protected]>
Unreviewed gardening.
Added: trunk/LayoutTests/fast/css/css-keyframe-style-mutate-crash-expected.txt (0 => 122976)
--- trunk/LayoutTests/fast/css/css-keyframe-style-mutate-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/css-keyframe-style-mutate-crash-expected.txt 2012-07-18 15:15:22 UTC (rev 122976)
@@ -0,0 +1 @@
+This test passes if it does not CRASH.
Added: trunk/LayoutTests/fast/css/css-keyframe-style-mutate-crash.html (0 => 122976)
--- trunk/LayoutTests/fast/css/css-keyframe-style-mutate-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/css-keyframe-style-mutate-crash.html 2012-07-18 15:15:22 UTC (rev 122976)
@@ -0,0 +1,9 @@
+<style>
+@-webkit-keyframes foo { 1% { color: initial; } }
+</style>
+This test passes if it does not CRASH.
+<script>
+window.document.styleSheets[0].cssRules[0][0].style.color = 0;
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
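Review bot: In the script block, testRunner.dumpAsText() is called after the assignment to `.style.color`, so if that line throws (for instance if `cssRules[0][0]` does not resolve to the keyframe rule on some port), the script stops before text mode is enabled and the failure shows up as an output-format mismatch instead of a clear signal. Move the `if (window.testRunner) testRunner.dumpAsText();` pair above the assignment. The test also only demonstrates the absence of a crash; assigning a valid value and reading it back through `style` would additionally confirm that the wrapper is operating on the mutable copy.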
Modified: trunk/Source/WebCore/ChangeLog (122975 => 122976)
--- trunk/Source/WebCore/ChangeLog 2012-07-18 15:13:34 UTC (rev 122975)
+++ trunk/Source/WebCore/ChangeLog 2012-07-18 15:15:22 UTC (rev 122976)
@@ -1,3 +1,23 @@
+2012-07-18 Douglas Stockwell <[email protected]>
+
+ WebCore::StylePropertySet::addParsedProperties - crash
+ https://bugs.webkit.org/show_bug.cgi?id=91153
+
+ Reviewed by Andreas Kling.
+
+ WebKitCSSKeyframeRule::style exposed an immutable StylePropertySet.
+ Modified to create a mutable copy on demand.
+
+ Test: fast/css/css-keyframe-style-mutate-crash.html
+
+ * css/StyleResolver.cpp:
+ (WebCore::StyleResolver::collectMatchingRulesForList):
+ * css/WebKitCSSKeyframeRule.cpp:
+ (WebCore::StyleKeyframe::mutableProperties): Added, creates a mutable copy of properties as required.
+ (WebCore::WebKitCSSKeyframeRule::style):
+ * css/WebKitCSSKeyframeRule.h:
+ (WebCore::StyleKeyframe::properties): Made const, use mutableProperties to mutate.
+
2012-07-18 Huang Dongsung <[email protected]>
[Texmap] Make TextureMapperLayer clip m_state.needsDisplayRect with the layerRect.
Modified: trunk/Source/WebCore/css/StyleResolver.cpp (122975 => 122976)
--- trunk/Source/WebCore/css/StyleResolver.cpp 2012-07-18 15:13:34 UTC (rev 122975)
+++ trunk/Source/WebCore/css/StyleResolver.cpp 2012-07-18 15:15:22 UTC (rev 122976)
@@ -1801,7 +1801,7 @@
loadPendingResources();
// Add all the animating properties to the keyframe.
- if (StylePropertySet* styleDeclaration = keyframe->properties()) {
+ if (const StylePropertySet* styleDeclaration = keyframe->properties()) {
unsigned propertyCount = styleDeclaration->propertyCount();
for (unsigned i = 0; i < propertyCount; ++i) {
CSSPropertyID property = styleDeclaration->propertyAt(i).id();
Modified: trunk/Source/WebCore/css/WebKitCSSKeyframeRule.cpp (122975 => 122976)
--- trunk/Source/WebCore/css/WebKitCSSKeyframeRule.cpp 2012-07-18 15:13:34 UTC (rev 122975)
+++ trunk/Source/WebCore/css/WebKitCSSKeyframeRule.cpp 2012-07-18 15:15:22 UTC (rev 122976)
@@ -31,6 +31,13 @@
#include "WebKitCSSKeyframesRule.h"
namespace WebCore {
+
+StylePropertySet* StyleKeyframe::mutableProperties()
+{
+ if (!m_properties->isMutable())
+ m_properties = m_properties->copy();
+ return m_properties.get();
+}
void StyleKeyframe::setProperties(PassRefPtr<StylePropertySet> properties)
{
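Review bot: mutableProperties() dereferences m_properties unconditionally in `if (!m_properties->isMutable())`, while the StyleResolver.cpp caller touched by this same change still treats the value as possibly null (`if (const StylePropertySet* styleDeclaration = keyframe->properties())`). The two should agree on the invariant: either add a null check or an ASSERT(m_properties) at the top of mutableProperties(), or drop the null test in the caller if a keyframe can never lack a property set.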
@@ -94,7 +101,7 @@
CSSStyleDeclaration* WebKitCSSKeyframeRule::style() const
{
if (!m_propertiesCSSOMWrapper)
- m_propertiesCSSOMWrapper = StyleRuleCSSStyleDeclaration::create(m_keyframe->properties(), const_cast<WebKitCSSKeyframeRule*>(this));
+ m_propertiesCSSOMWrapper = StyleRuleCSSStyleDeclaration::create(m_keyframe->mutableProperties(), const_cast<WebKitCSSKeyframeRule*>(this));
return m_propertiesCSSOMWrapper.get();
}
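Review bot: style() is a const accessor, but with `m_keyframe->mutableProperties()` on the changed line it now replaces the keyframe's property set with a copy the first time any script touches `.style`, including read-only access. The `if (!m_propertiesCSSOMWrapper)` guard limits that to once per rule, so this is acceptable, but a short comment here stating that the copy is intentional (the CSSOM wrapper must never be handed an immutable set) would keep a later cleanup from switching the call back to properties().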
Modified: trunk/Source/WebCore/css/WebKitCSSKeyframeRule.h (122975 => 122976)
--- trunk/Source/WebCore/css/WebKitCSSKeyframeRule.h 2012-07-18 15:13:34 UTC (rev 122975)
+++ trunk/Source/WebCore/css/WebKitCSSKeyframeRule.h 2012-07-18 15:15:22 UTC (rev 122976)
@@ -49,7 +49,8 @@
void getKeys(Vector<float>& keys) const { parseKeyString(m_key, keys); }
- StylePropertySet* properties() const { return m_properties.get(); }
+ const StylePropertySet* properties() const { return m_properties.get(); }
+ StylePropertySet* mutableProperties();
void setProperties(PassRefPtr<StylePropertySet>);
String cssText() const;
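Review bot: the new `StylePropertySet* mutableProperties();` declaration carries no comment, and its side effect matters to callers. It can reassign m_properties to a copy, after which a raw pointer obtained earlier from properties() no longer refers to the set the keyframe uses and stays valid only while something else holds a reference to the old object. Please document in the header that mutableProperties() may swap the underlying set and that pointers returned by properties() must not be held across a call to it.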