-
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=113458 Patch by Douglas Stockwell <dstockwell@chromium.org> on 2013-04-08 Reviewed by Darin Adler. Source/WebCore: A stylesheet which has been invalidated (type changed from "" or "text/css") was not correctly removed from the list of active style sheets when its children are changed. This change releases StyleElement::m_sheet in advance of calling DocumentStyleSheetCollection::updateActiveStyleSheets. (StyleElement::clearSheet calls CSSStyleSheet::clearOwnerNode calls CSSStyleSheet::didMutate calls Document::styleResolverChanged calls DocumentStyleSheetCollection::updateActiveStyleSheets) Test: fast/css/style-element-invalidation-crash.html * dom/StyleElement.cpp: (WebCore::StyleElement::clearSheet): Release m_sheet before we trigger an update of the active style sheets. LayoutTests: * fast/css/style-element-invalidation-crash-expected.txt: Added. * fast/css/style-element-invalidation-crash.html: Added. * fast/css/stylesheet.innerHTML-calls-didmutate.html: Removed. * fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt: Removed. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147928 268f45cc-cd09-0410-ab3c-d52691b4dbfc
76803844
