Skip to site navigation (Press enter)

[webkit-changes] [147928] trunk

commit-queue Mon, 08 Apr 2013 10:24:12 -0700

Title: [147928] trunk

Revision: 147928
Author: [email protected]
Date: 2013-04-08 10:26:01 -0700 (Mon, 08 Apr 2013)

Log Message

Crash in WebCore::ElementRuleCollector::collectMatchingRulesForList
https://bugs.webkit.org/show_bug.cgi?id=113458


Patch by Douglas Stockwell <[email protected]> on 2013-04-08
Reviewed by Darin Adler.

Source/WebCore:

A stylesheet which has been invalidated (type changed from "" or
"text/css") was not correctly removed from the list of active
style sheets when its children are changed.

This change releases StyleElement::m_sheet in advance of calling
DocumentStyleSheetCollection::updateActiveStyleSheets.

(StyleElement::clearSheet calls CSSStyleSheet::clearOwnerNode calls
CSSStyleSheet::didMutate calls Document::styleResolverChanged calls
DocumentStyleSheetCollection::updateActiveStyleSheets)

Test: fast/css/style-element-invalidation-crash.html

* dom/StyleElement.cpp:
(WebCore::StyleElement::clearSheet): Release m_sheet before we
  trigger an update of the active style sheets.

LayoutTests:

* fast/css/style-element-invalidation-crash-expected.txt: Added.
* fast/css/style-element-invalidation-crash.html: Added.
* fast/css/stylesheet.innerHTML-calls-didmutate.html: Removed.
* fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt: Removed.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/StyleElement.cpp

Added Paths

trunk/LayoutTests/fast/css/style-element-invalidation-crash-expected.txt
trunk/LayoutTests/fast/css/style-element-invalidation-crash.html

Removed Paths

trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt
trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate.html

Diff

Modified: trunk/LayoutTests/ChangeLog (147927 => 147928)


--- trunk/LayoutTests/ChangeLog	2013-04-08 17:24:50 UTC (rev 147927)
+++ trunk/LayoutTests/ChangeLog	2013-04-08 17:26:01 UTC (rev 147928)
@@ -1,3 +1,15 @@
+2013-04-08  Douglas Stockwell  <[email protected]>
+
+        Crash in WebCore::ElementRuleCollector::collectMatchingRulesForList
+        https://bugs.webkit.org/show_bug.cgi?id=113458
+
+        Reviewed by Darin Adler.
+
+        * fast/css/style-element-invalidation-crash-expected.txt: Added.
+        * fast/css/style-element-invalidation-crash.html: Added.
+        * fast/css/stylesheet.innerHTML-calls-didmutate.html: Removed.
+        * fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt: Removed.
+
 2013-04-08  Antoine Quint  <[email protected]>
 
         Stop skipping first part of test in LayoutTests/media/track/opera/interfaces/TextTrack/cues.html

Added: trunk/LayoutTests/fast/css/style-element-invalidation-crash-expected.txt (0 => 147928)


--- trunk/LayoutTests/fast/css/style-element-invalidation-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/style-element-invalidation-crash-expected.txt	2013-04-08 17:26:01 UTC (rev 147928)
@@ -0,0 +1 @@
+This test passes if it does not crash.

Added: trunk/LayoutTests/fast/css/style-element-invalidation-crash.html (0 => 147928)


--- trunk/LayoutTests/fast/css/style-element-invalidation-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/style-element-invalidation-crash.html	2013-04-08 17:26:01 UTC (rev 147928)
@@ -0,0 +1,17 @@
+<style>body{}</style>
+<body>
+This test passes if it does not crash.
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+var style = document.styleSheets[0].ownerNode;
+style.type = 'p';
+style.innerHTML = 't';
+console.assert(document.styleSheets.length == 0);
+
+if (document.styleSheets.length) {
+  document.body.offsetTop;
+  document.styleSheets[0].deleteRule(0);
+  document.designMode = 'on';
+}
+</script>
Property changes on: trunk/LayoutTests/fast/css/style-element-invalidation-crash.html
___________________________________________________________________

Added: svn:executable

Deleted: trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt (147927 => 147928)


--- trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt	2013-04-08 17:24:50 UTC (rev 147927)
+++ trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt	2013-04-08 17:26:01 UTC (rev 147928)
@@ -1 +0,0 @@
-Changing a documents stylesheet's innerHTML should not crash.

Deleted: trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate.html (147927 => 147928)


--- trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate.html	2013-04-08 17:24:50 UTC (rev 147927)
+++ trunk/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate.html	2013-04-08 17:26:01 UTC (rev 147928)
@@ -1,23 +0,0 @@
-<style>
- h6 { 
-   text-shadow: 0.85714in -110pc -0.216688mm;
- }
- p + h6 {
-   left: 180cm;
- }
-</style>
-<script>
-function main() {
-  var styletag = document.getElementsByTagName("style")[0];
-  styletag.type = "p";
-  styletag.innerHTML = "t";
-  var second_h6 = document.getElementsByTagName("h6")[1];
-  second_h6.align = 'a';
-  document.styleSheets[0].removeRule(0);
-
-  if (window.testRunner)
-    testRunner.dumpAsText();
-}
-</script>
-<body _onload_=main()><h6><h6>
-Changing a documents stylesheet's innerHTML should not crash.

Modified: trunk/Source/WebCore/ChangeLog (147927 => 147928)


--- trunk/Source/WebCore/ChangeLog	2013-04-08 17:24:50 UTC (rev 147927)
+++ trunk/Source/WebCore/ChangeLog	2013-04-08 17:26:01 UTC (rev 147928)
@@ -1,3 +1,27 @@
+2013-04-08  Douglas Stockwell  <[email protected]>
+
+        Crash in WebCore::ElementRuleCollector::collectMatchingRulesForList
+        https://bugs.webkit.org/show_bug.cgi?id=113458
+
+        Reviewed by Darin Adler.
+
+        A stylesheet which has been invalidated (type changed from "" or
+        "text/css") was not correctly removed from the list of active
+        style sheets when its children are changed.
+
+        This change releases StyleElement::m_sheet in advance of calling
+        DocumentStyleSheetCollection::updateActiveStyleSheets.
+
+        (StyleElement::clearSheet calls CSSStyleSheet::clearOwnerNode calls
+        CSSStyleSheet::didMutate calls Document::styleResolverChanged calls
+        DocumentStyleSheetCollection::updateActiveStyleSheets)
+
+        Test: fast/css/style-element-invalidation-crash.html
+
+        * dom/StyleElement.cpp:
+        (WebCore::StyleElement::clearSheet): Release m_sheet before we
+          trigger an update of the active style sheets.
+
 2013-04-08  Carlos Garcia Campos  <[email protected]>
 
         [GTK] DOM objects created wrapping a base class have incorrect GObject type

Modified: trunk/Source/WebCore/dom/StyleElement.cpp (147927 => 147928)


--- trunk/Source/WebCore/dom/StyleElement.cpp	2013-04-08 17:24:50 UTC (rev 147927)
+++ trunk/Source/WebCore/dom/StyleElement.cpp	2013-04-08 17:26:01 UTC (rev 147928)
@@ -142,8 +142,7 @@
 void StyleElement::clearSheet()
 {
     ASSERT(m_sheet);
-    m_sheet->clearOwnerNode();
-    m_sheet = 0;
+    m_sheet.release()->clearOwnerNode();
 }
 
 void StyleElement::createSheet(Element* e, WTF::OrdinalNumber startLineNumber, const String& text)

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes