Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (148469 => 148470)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-15 21:42:34 UTC (rev 148469)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-15 22:07:16 UTC (rev 148470)
@@ -1,5 +1,21 @@
2013-04-15 Tim Horton <[email protected]>
+ Merge r138460.
+
+ 2012-12-25 Alexander Pavlov <[email protected]>
+
+ Web Inspector: Crash when modifying a rule that has been removed through _javascript_
+ https://bugs.webkit.org/show_bug.cgi?id=105718
+
+ Reviewed by Yury Semikhatsky.
+
+ * http/tests/inspector/elements-test.js: Add InspectorTest.toggleMatchedStyleProperty.
+ (initialize_ElementTest.InspectorTest.toggleMatchedStyleProperty): Added.
+ * inspector/styles/removed-rule-crash-expected.txt: Added.
+ * inspector/styles/removed-rule-crash.html: Added.
+
+2013-04-15 Tim Horton <[email protected]>
+
Merge r143454.
2013-02-20 Florin Malita <[email protected]>
Modified: branches/safari-536.30-branch/LayoutTests/http/tests/inspector/elements-test.js (148469 => 148470)
--- branches/safari-536.30-branch/LayoutTests/http/tests/inspector/elements-test.js 2013-04-15 21:42:34 UTC (rev 148469)
+++ branches/safari-536.30-branch/LayoutTests/http/tests/inspector/elements-test.js 2013-04-15 22:07:16 UTC (rev 148470)
@@ -159,6 +159,12 @@
}
};
+InspectorTest.toggleMatchedStyleProperty = function(propertyName, checked)
+{
+ var treeItem = InspectorTest.getMatchedStylePropertyTreeItem(propertyName);
+ treeItem.toggleEnabled({ target: { checked: checked }, consume: function() { } });
+}
+
InspectorTest.expandAndDumpSelectedElementEventListeners = function(callback)
{
InspectorTest.expandSelectedElementEventListeners(function() {
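Review bot: `toggleMatchedStyleProperty` dereferences `treeItem` without checking it. If `getMatchedStylePropertyTreeItem` finds no matching property (what it returns in that case is not visible in this hunk), the call throws and the test would likely end in a timeout rather than a readable failure. A guard such as `if (!treeItem) { InspectorTest.addResult("FAIL: no tree item for " + propertyName); return; }` would make that case explicit. The new function expression also ends with `}` where the preceding definition in this file ends with `};`. The context function `expandAndDumpSelectedElementEventListeners` continues outside the hunk.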
Copied: branches/safari-536.30-branch/LayoutTests/inspector/styles/removed-rule-crash-expected.txt (from rev 138460, trunk/LayoutTests/inspector/styles/removed-rule-crash-expected.txt) (0 => 148470)
--- branches/safari-536.30-branch/LayoutTests/inspector/styles/removed-rule-crash-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/inspector/styles/removed-rule-crash-expected.txt 2013-04-15 22:07:16 UTC (rev 148470)
@@ -0,0 +1,18 @@
+Tests that disabling style property after the style rule has been removed does not crash the inspected page.
+
+Before disable
+[expanded]
+element.style { ()
+
+======== Matched CSS Rules ========
+[expanded]
+#container { (removed-rule-crash.html:4)
+font-weight: bold;
+
+[expanded]
+div { (user agent stylesheet)
+display: block;
+
+
+PASS: No crash
+
Copied: branches/safari-536.30-branch/LayoutTests/inspector/styles/removed-rule-crash.html (from rev 138460, trunk/LayoutTests/inspector/styles/removed-rule-crash.html) (0 => 148470)
--- branches/safari-536.30-branch/LayoutTests/inspector/styles/removed-rule-crash.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/inspector/styles/removed-rule-crash.html 2013-04-15 22:07:16 UTC (rev 148470)
@@ -0,0 +1,52 @@
+<html>
+<head>
+<style>
+#container {
+ font-weight: bold;
+}
+</style>
+<script src=""
+<script src=""
+<script>
+
+function removeRule()
+{
+ document.styleSheets[0].removeRule(0);
+}
+
+function test()
+{
+ InspectorTest.selectNodeAndWaitForStyles("container", step0);
+
+ function step0(node)
+ {
+ InspectorTest.evaluateInPage("removeRule()", step1);
+ }
+
+ function step1()
+ {
+ InspectorTest.addResult("Before disable");
+ InspectorTest.dumpSelectedElementStyles(true);
+ InspectorTest.toggleMatchedStyleProperty("font-weight", false);
+ InspectorTest.runAfterPendingDispatches(step2);
+ }
+
+ function step2()
+ {
+ InspectorTest.addResult("PASS: No crash");
+ InspectorTest.completeTest();
+ }
+}
+</script>
+</head>
+
+<body _onload_="runTest()">
+<p>
+Tests that disabling style property after the style rule has been removed does not crash the inspected page.
+</p>
+
+<div id="container">
+</div>
+
+</body>
+</html>
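Review bot: Nothing in the test script ties it to the defect it guards, and the only pass condition is that `step2` is reached. The WebCore ChangeLog entry describes the fault as a stale pointer to a deleted `CSSStyleRule`, so a regression may not crash deterministically in an ordinary build, and the test is probably most meaningful on builds with memory checking enabled. I would add a comment above `removeRule()` such as `// Bug 105718: the inspector must keep the removed rule alive; toggling a property on it used to touch freed memory.` `step0` also declares a `node` parameter that it never uses.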
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148469 => 148470)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-15 21:42:34 UTC (rev 148469)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-15 22:07:16 UTC (rev 148470)
@@ -1,5 +1,28 @@
2013-04-15 Tim Horton <[email protected]>
+ Merge r138460.
+
+ 2012-12-25 Alexander Pavlov <[email protected]>
+
+ Web Inspector: Crash when modifying a rule that has been removed through _javascript_
+ https://bugs.webkit.org/show_bug.cgi?id=105718
+
+ Reviewed by Yury Semikhatsky.
+
+ CSSStyleRules should be stored by RefPtr's to avoid using stale pointers to deleted instances.
+
+ Test: inspector/styles/removed-rule-crash.html
+
+ * inspector/InspectorStyleSheet.cpp:
+ (WebCore::InspectorStyleSheet::ruleForId):
+ (WebCore::InspectorStyleSheet::revalidateStyle):
+ (WebCore::InspectorStyleSheet::buildArrayForRuleList):
+ (WebCore::InspectorStyleSheet::collectFlatRules):
+ * inspector/InspectorStyleSheet.h:
+ (InspectorStyleSheet):
+
+2013-04-15 Tim Horton <[email protected]>
+
Merge r143454.
2013-02-20 Florin Malita <[email protected]>
Modified: branches/safari-536.30-branch/Source/WebCore/inspector/InspectorStyleSheet.cpp (148469 => 148470)
--- branches/safari-536.30-branch/Source/WebCore/inspector/InspectorStyleSheet.cpp 2013-04-15 21:42:34 UTC (rev 148469)
+++ branches/safari-536.30-branch/Source/WebCore/inspector/InspectorStyleSheet.cpp 2013-04-15 22:07:16 UTC (rev 148470)
@@ -848,7 +848,7 @@
ASSERT(!id.isEmpty());
ensureFlatRules();
- return id.ordinal() >= m_flatRules.size() ? 0 : m_flatRules.at(id.ordinal());
+ return id.ordinal() >= m_flatRules.size() ? 0 : m_flatRules.at(id.ordinal()).get();
}
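Review bot: `ruleForId` still hands out a raw `CSSStyleRule*` taken from `m_flatRules.at(id.ordinal()).get()`, so the lifetime guarantee added by this change holds only while `m_flatRules` keeps that entry. If a caller keeps the pointer across a call that rebuilds or clears the flat list (not visible in this hunk), it can dangle just as before. A comment on the function stating that the result must not outlive the next flat-rule rebuild, or holding the result in a `RefPtr<CSSStyleRule>` at the call sites, would close that gap. The same `.get()` pattern appears in the `revalidateStyle` hunk (`parsedRule`) and the `buildArrayForRuleList` hunk, and a rule kept alive this way may already be detached from its sheet, which callers presumably need to tolerate. The function begins outside the hunk.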
@@ -1102,7 +1102,7 @@
p.parseSheet(newStyleSheet.get(), m_parsedStyleSheet->text(), 0, &ruleRangeMap);
OwnPtr<ParsedStyleSheet::SourceData> rangesVector(adoptPtr(new ParsedStyleSheet::SourceData));
- Vector<CSSStyleRule*> rules;
+ CSSStyleRuleVector rules;
RefPtr<CSSRuleList> ruleList = asCSSRuleList(CSSStyleSheet::create(newStyleSheet).get());
collectFlatRules(ruleList, &rules);
for (unsigned i = 0, size = rules.size(); i < size; ++i) {
@@ -1182,7 +1182,7 @@
m_isRevalidating = true;
ensureFlatRules();
for (unsigned i = 0, size = m_flatRules.size(); i < size; ++i) {
- CSSStyleRule* parsedRule = m_flatRules.at(i);
+ CSSStyleRule* parsedRule = m_flatRules.at(i).get();
if (parsedRule->style() == pageStyle) {
if (parsedRule->styleRule()->properties()->asText() != pageStyle->cssText()) {
// Clear the disabled properties for the invalid style here.
@@ -1244,11 +1244,11 @@
return result.release();
RefPtr<CSSRuleList> refRuleList = ruleList;
- Vector<CSSStyleRule*> rules;
+ CSSStyleRuleVector rules;
collectFlatRules(refRuleList, &rules);
for (unsigned i = 0, size = rules.size(); i < size; ++i)
- result->addItem(buildObjectForRule(rules.at(i)));
+ result->addItem(buildObjectForRule(rules.at(i).get()));
return result.release();
}
@@ -1298,7 +1298,7 @@
}
}
-void InspectorStyleSheet::collectFlatRules(PassRefPtr<CSSRuleList> ruleList, Vector<CSSStyleRule*>* result)
+void InspectorStyleSheet::collectFlatRules(PassRefPtr<CSSRuleList> ruleList, CSSStyleRuleVector* result)
{
if (!ruleList)
return;
Modified: branches/safari-536.30-branch/Source/WebCore/inspector/InspectorStyleSheet.h (148469 => 148470)
--- branches/safari-536.30-branch/Source/WebCore/inspector/InspectorStyleSheet.h 2013-04-15 21:42:34 UTC (rev 148469)
+++ branches/safari-536.30-branch/Source/WebCore/inspector/InspectorStyleSheet.h 2013-04-15 22:07:16 UTC (rev 148470)
@@ -216,10 +216,11 @@
virtual bool setStyleText(CSSStyleDeclaration*, const String&);
private:
+ typedef Vector<RefPtr<CSSStyleRule> > CSSStyleRuleVector;
friend class InspectorStyle;
static void fixUnparsedPropertyRanges(CSSRuleSourceData* ruleData, const String& styleSheetText);
- static void collectFlatRules(PassRefPtr<CSSRuleList>, Vector<CSSStyleRule*>* result);
+ static void collectFlatRules(PassRefPtr<CSSRuleList>, CSSStyleRuleVector* result);
bool ensureText() const;
bool ensureSourceData();
void ensureFlatRules() const;
@@ -237,7 +238,7 @@
bool m_isRevalidating;
ParsedStyleSheet* m_parsedStyleSheet;
InspectorStyleMap m_inspectorStyles;
- mutable Vector<CSSStyleRule*> m_flatRules;
+ mutable CSSStyleRuleVector m_flatRules;
Listener* m_listener;
};
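Review bot: `m_flatRules` now owns references to the rules, but neither the member nor the `CSSStyleRuleVector` typedef says so or why. A one-line comment on the member would keep a later cleanup from reverting to raw pointers, for example `// Strong references: page script can remove rules from the sheet while the inspector still refers to them.` The typedef in the `@@ -216,10 +216,11 @@` hunk is the other place the comment could go. The class body begins outside this hunk.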