Commit c8367559 authored by inferno@chromium.org

2011-01-06 Abhishek Arya <inferno@chromium.org>

        Reviewed by Simon Fraser.

        Null out the parent stylesheet pointer when a css rule is removed.
        https://bugs.webkit.org/show_bug.cgi?id=51993

        Tests: fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html
               fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html

        * css/CSSRuleList.cpp:
        (WebCore::CSSRuleList::deleteRule):
        * css/CSSStyleSheet.cpp:
        (WebCore::CSSStyleSheet::deleteRule):

2011-01-06  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Simon Fraser.

        Tests that we do not crash when accessing a deleted parent stylesheet
        from a removed css rule.
        https://bugs.webkit.org/show_bug.cgi?id=51993

        * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash-expected.txt: Added.
        * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html: Added.
        * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash-expected.txt: Added.
        * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75168 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent a6ff32f7
2011-01-06 Abhishek Arya <inferno@chromium.org>
Reviewed by Simon Fraser.
Tests that we do not crash when accessing a deleted parent stylesheet
from a removed css rule.
https://bugs.webkit.org/show_bug.cgi?id=51993
* fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash-expected.txt: Added.
* fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html: Added.
* fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash-expected.txt: Added.
* fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html: Added.
2011-01-04 Adrienne Walker <enne@google.com>
Reviewed by Kenneth Russell.
......
<html>
<head>
<script>
if (window.layoutTestController)
{
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
function runTest()
{
style = document.createElement('style');
style.textContent = '@media all { body { color: red } }';
document.head.appendChild(style);
ruleList = getMatchedCSSRules(document.body);
document.styleSheets[0].cssRules[0].deleteRule(0);
document.head.removeChild(style);
gc();
obj = ruleList[0].parentStyleSheet;
document.getElementById('result').innerHTML = "PASS";
if (window.layoutTestController)
layoutTestController.notifyDone();
}
function gc()
{
if (window.GCController)
return GCController.collect();
for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
var s = new String("abc");
}
}
</script>
</head>
<body onload="runTest()">
<div id="result"></div>
</body>
</html>
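Review bot: In runTest(), `obj = ruleList[0].parentStyleSheet;` reads the property but the value is never inspected, and "PASS" is written unconditionally on the next line, so this test can only fail by crashing. Since the fix clears the rule's parent on removal, the test could compare obj against the expected value and print FAIL otherwise, which would also catch a regression where the read returns a stale object without crashing.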
<html>
<head>
<script>
if (window.layoutTestController)
{
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
function runTest()
{
style = document.createElement('style');
style.textContent = 'body { color: red }';
document.head.appendChild(style);
ruleList = getMatchedCSSRules(document.body);
document.styleSheets[0].deleteRule(0);
document.head.removeChild(style);
gc();
obj = ruleList[0].parentStyleSheet;
document.getElementById('result').innerHTML = "PASS";
if (window.layoutTestController)
layoutTestController.notifyDone();
}
function gc()
{
if (window.GCController)
return GCController.collect();
for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
var s = new String("abc");
}
}
</script>
</head>
<body onload="runTest()">
<div id="result"></div>
</body>
</html>
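Review bot: The gc() helper in this file is a line-for-line copy of the one in removed-media-rule-deleted-parent-crash.html, and style, ruleList and obj are assigned without var, so they become globals. Consider moving gc() into a shared script included by both tests and declaring the three names with var inside runTest(); ruleList is still used after the gc() call, so a local keeps the rule list alive for as long as the test needs it.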
2011-01-06 Abhishek Arya <inferno@chromium.org>
Reviewed by Simon Fraser.
Null out the parent stylesheet pointer when a css rule is removed.
https://bugs.webkit.org/show_bug.cgi?id=51993
Tests: fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html
fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html
* css/CSSRuleList.cpp:
(WebCore::CSSRuleList::deleteRule):
* css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::deleteRule):
2011-01-04 Adrienne Walker <enne@google.com>
Reviewed by Kenneth Russell.
......
......@@ -76,6 +76,7 @@ void CSSRuleList::deleteRule(unsigned index)
return;
}
m_lstCSSRules[index]->setParent(0);
m_lstCSSRules.remove(index);
}
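Review bot: The added `m_lstCSSRules[index]->setParent(0);` line carries no comment explaining why the parent is cleared before `m_lstCSSRules.remove(index);`. A one-line comment stating that a removed rule can still be referenced from script after its parent has been destroyed (the case the two new layout tests exercise) would keep a later cleanup from dropping the call as redundant.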
......
......@@ -164,6 +164,7 @@ void CSSStyleSheet::deleteRule(unsigned index, ExceptionCode& ec)
}
ec = 0;
item(index)->setParent(0);
remove(index);
styleSheetChanged();
}
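Review bot: `item(index)->setParent(0);` dereferences the result of item(index) with no guard in the visible lines, and the same clear-parent-then-remove pair now appears both here and in CSSRuleList::deleteRule. If item() can return 0 for an index that passes the earlier check, this line adds a null dereference; an ASSERT on the returned rule, or a small shared helper that clears the parent and removes the entry, would make the invariant explicit and keep the two paths from diverging.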
......