Commit 40eacf29 authored by jschuh@chromium.org

2011-01-27 Cris Neckar <cdn@chromium.org>

        Reviewed by Dimitri Glazkov.

        Clear the parent on a css keyframe's m_style when removing it from the stylesheet.
        https://bugs.webkit.org/show_bug.cgi?id=52320

        Test: fast/css/css-keyframe-style-crash.html

        * css/CSSRuleList.cpp:
        (WebCore::CSSRuleList::deleteRule):
        * css/WebKitCSSKeyframesRule.cpp:
        (WebCore::WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule):
2011-01-27  Cris Neckar  <cdn@chromium.org>

        Reviewed by Dimitri Glazkov.

        Test for crash when accessing a keyframe's style rule.
        https://bugs.webkit.org/show_bug.cgi?id=52320

        * fast/css/css-keyframe-style-crash-expected.txt: Added.
        * fast/css/css-keyframe-style-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76828 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 65c26516
2011-01-27 Cris Neckar <cdn@chromium.org>
Reviewed by Dimitri Glazkov.
Test for crash when accessing a keyframe's style rule.
https://bugs.webkit.org/show_bug.cgi?id=52320
* fast/css/css-keyframe-style-crash-expected.txt: Added.
* fast/css/css-keyframe-style-crash.html: Added.
2011-01-27 Ryosuke Niwa <rniwa@webkit.org>
Unreviewed Chromium text expectation update.
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
if (!window.gc)
{
window.gc = function()
{
if (window.GCController)
return GCController.collect();
for (var i = 0; i < 10000; i++)
var s = new String("abc");
}
}
function load()
{
style = document.createElement('style');
style.textContent = '@-webkit-keyframes anim { from { color: green } }';
document.head.appendChild(style);
rule = document.styleSheets[0].cssRules[0].findRule('from');
document.head.removeChild(style);
setTimeout(crash, 0);
}
function crash()
{
gc();
obj = rule.style.parentRule;
if (window.layoutTestController)
layoutTestController.notifyDone()
}
</script>
</head>
<body onload="load()">PASS</body>
</html>
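Review bot: The fallback `window.gc` defined at lines 44-53 does not guarantee a collection, so outside a harness that exposes GCController the freed-rule path this test targets may never be reached and the test can pass without exercising the fix. That is fine for a layout test run under DumpRenderTree, but a comment would stop someone reading a pass in a plain browser as evidence: `// Without GCController the allocation loop only encourages GC; the use-after-free path is only reliably exercised in the test harness.` The `setTimeout(crash, 0)` at line 61 also relies on the removed sheet's rule list being destroyed before the timer fires, which depends on when the sheet is released after removeChild and is not visible here.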
2011-01-27 Cris Neckar <cdn@chromium.org>
Reviewed by Dimitri Glazkov.
Clear the parent on a css keyframe's m_style when removing it from the stylesheet.
https://bugs.webkit.org/show_bug.cgi?id=52320
Test: fast/css/css-keyframe-style-crash.html
* css/CSSRuleList.cpp:
(WebCore::CSSRuleList::deleteRule):
* css/WebKitCSSKeyframesRule.cpp:
(WebCore::WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule):
2011-01-27 Rob Buis <rwlbuis@gmail.com>
Reviewed by Kent Tamura.
......@@ -22,8 +22,10 @@
#include "config.h"
#include "CSSRuleList.h"
#include "CSSMutableStyleDeclaration.h"
#include "CSSRule.h"
#include "StyleList.h"
#include "WebKitCSSKeyframeRule.h"
namespace WebCore {
......@@ -76,6 +78,11 @@ void CSSRuleList::deleteRule(unsigned index)
return;
}
if (m_lstCSSRules[index]->isKeyframeRule()) {
if (CSSMutableStyleDeclaration* style = static_cast<WebKitCSSKeyframeRule*>(m_lstCSSRules[index].get())->style())
style->setParent(0);
}
m_lstCSSRules[index]->setParent(0);
m_lstCSSRules.remove(index);
}
......
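Review bot: The keyframe-specific clearing at lines 96-99 duplicates the block added to ~WebKitCSSKeyframesRule, and any future path that detaches a WebKitCSSKeyframeRule from its list would have to repeat it; the pointer being fixed is a raw parent back-pointer held by the style declaration, so a missed path is another dangling pointer reachable from script via `rule.style.parentRule`. Consider moving the logic onto the owner of `m_style`, e.g. a `void WebKitCSSKeyframeRule::clearStyleParent()` called from both places, so the invariant lives in one spot. A why-comment would also help the next reader: `// The keyframe's style declaration may outlive this list (script can hold it); drop its parent pointer so parentRule() cannot dereference a freed rule.` The deleteRule body starts before the hunk (lines 94-95 are the tail of its index check), and the `isKeyframeRule()` gate presumes only keyframe rules parent their declaration to the list rather than to themselves — worth confirming for the other rule types stored here.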
......@@ -24,12 +24,13 @@
*/
#include "config.h"
#include "WebKitCSSKeyframesRule.h"
#include "CSSMutableStyleDeclaration.h"
#include "CSSParser.h"
#include "WebKitCSSKeyframesRule.h"
#include "WebKitCSSKeyframeRule.h"
#include "CSSRuleList.h"
#include "StyleSheet.h"
#include "WebKitCSSKeyframeRule.h"
namespace WebCore {
......@@ -45,8 +46,13 @@ WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule()
if (length == 0)
return;
for (int i = 0; i < length; i++)
for (int i = 0; i < length; i++) {
if (m_lstCSSRules->item(i)->isKeyframeRule()) {
if (CSSMutableStyleDeclaration* style = static_cast<WebKitCSSKeyframeRule*>(m_lstCSSRules->item(i))->style())
style->setParent(0);
}
m_lstCSSRules->item(i)->setParent(0);
}
}
String WebKitCSSKeyframesRule::name() const
......
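Review bot: The new loop body at lines 121-124 has no comment explaining why a style declaration's parent must be nulled while the list is torn down, and the reason is not obvious: evidently `m_style`'s parent points at this keyframes rule rather than at the keyframe rule itself (otherwise the keyframe rule's own destructor would be the natural place), so a script still holding `rule.style` would otherwise read a freed object through parentRule(). Suggest `// m_style's parent is this keyframes rule, not the keyframe; clear it so a script-held declaration cannot reach freed memory.` above the `if (m_lstCSSRules->item(i)->isKeyframeRule())` line. The destructor begins outside the hunk (the `length` computation precedes line 117), and `item(i)` is dereferenced without a null check, which is fine only if CSSRuleList::item() is total over [0, length) — not shown in this hunk.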