[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
jschuh at chromium.org
jschuh at chromium.org
Mon Feb 21 00:03:21 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit 40eacf290680a8d905aea9647c3ec3a62fdc7907
Author: jschuh at chromium.org <jschuh at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Jan 27 20:47:46 2011 +0000
2011-01-27 Cris Neckar <cdn at chromium.org>
Reviewed by Dimitri Glazkov.
Clear the parent on a css keyframe's m_style when removing it from the stylesheet.
https://bugs.webkit.org/show_bug.cgi?id=52320
Test: fast/css/css-keyframe-style-crash.html
* css/CSSRuleList.cpp:
(WebCore::CSSRuleList::deleteRule):
* css/WebKitCSSKeyframesRule.cpp:
(WebCore::WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule):
2011-01-27 Cris Neckar <cdn at chromium.org>
Reviewed by Dimitri Glazkov.
Test for crash when accessing a keyframe's style rule.
https://bugs.webkit.org/show_bug.cgi?id=52320
* fast/css/css-keyframe-style-crash-expected.txt: Added.
* fast/css/css-keyframe-style-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76828 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 42802a4..b1cd115 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-01-27 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Test for crash when accessing a keyframe's style rule.
+ https://bugs.webkit.org/show_bug.cgi?id=52320
+
+ * fast/css/css-keyframe-style-crash-expected.txt: Added.
+ * fast/css/css-keyframe-style-crash.html: Added.
+
2011-01-27 Ryosuke Niwa <rniwa at webkit.org>
Unreviewed Chromium text expectation update.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/css/css-keyframe-style-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/css/css-keyframe-style-crash-expected.txt
diff --git a/LayoutTests/fast/css/css-keyframe-style-crash.html b/LayoutTests/fast/css/css-keyframe-style-crash.html
new file mode 100644
index 0000000..713043f
--- /dev/null
+++ b/LayoutTests/fast/css/css-keyframe-style-crash.html
@@ -0,0 +1,40 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+if (!window.gc)
+{
+ window.gc = function()
+ {
+ if (window.GCController)
+ return GCController.collect();
+ for (var i = 0; i < 10000; i++)
+ var s = new String("abc");
+ }
+}
+
+function load()
+{
+ style = document.createElement('style');
+ style.textContent = '@-webkit-keyframes anim { from { color: green } }';
+ document.head.appendChild(style);
+ rule = document.styleSheets[0].cssRules[0].findRule('from');
+ document.head.removeChild(style);
+ setTimeout(crash, 0);
+}
+
+function crash()
+{
+ gc();
+ obj = rule.style.parentRule;
+ if (window.layoutTestController)
+ layoutTestController.notifyDone()
+}
+</script>
+</head>
+<body onload="load()">PASS</body>
+</html>
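Review bot: The fallback branch of `gc()` only allocates 10000 short strings when `window.GCController` is missing, which may not force a collection, so outside the test harness the page can show PASS without `crash()` ever touching a freed parent. A comment above the fallback loop would make that limitation explicit, for example `// Best-effort only: without GCController a collection is not guaranteed, so a PASS here is not conclusive.` The globals `style`, `rule` and `obj` are created implicitly. Declaring `var rule;` at script scope would document that `rule` is deliberately kept reachable across the `setTimeout`.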
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 3c9a78c..f142930 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2011-01-27 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ Clear the parent on a css keyframe's m_style when removing it from the stylesheet.
+ https://bugs.webkit.org/show_bug.cgi?id=52320
+
+ Test: fast/css/css-keyframe-style-crash.html
+
+ * css/CSSRuleList.cpp:
+ (WebCore::CSSRuleList::deleteRule):
+ * css/WebKitCSSKeyframesRule.cpp:
+ (WebCore::WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule):
+
2011-01-27 Rob Buis <rwlbuis at gmail.com>
Reviewed by Kent Tamura.
diff --git a/Source/WebCore/css/CSSRuleList.cpp b/Source/WebCore/css/CSSRuleList.cpp
index 0a312af..da65632 100644
--- a/Source/WebCore/css/CSSRuleList.cpp
+++ b/Source/WebCore/css/CSSRuleList.cpp
@@ -22,8 +22,10 @@
#include "config.h"
#include "CSSRuleList.h"
+#include "CSSMutableStyleDeclaration.h"
#include "CSSRule.h"
#include "StyleList.h"
+#include "WebKitCSSKeyframeRule.h"
namespace WebCore {
@@ -76,6 +78,11 @@ void CSSRuleList::deleteRule(unsigned index)
return;
}
+ if (m_lstCSSRules[index]->isKeyframeRule()) {
+ if (CSSMutableStyleDeclaration* style = static_cast<WebKitCSSKeyframeRule*>(m_lstCSSRules[index].get())->style())
+ style->setParent(0);
+ }
+
m_lstCSSRules[index]->setParent(0);
m_lstCSSRules.remove(index);
}
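Review bot: The style-parent reset added before `m_lstCSSRules[index]->setParent(0)` is repeated verbatim in the `~WebKitCSSKeyframesRule` hunk, so every path that detaches a keyframe rule has to remember both steps, and a missed one would leave the declaration's parent pointer dangling again. Keeping the pair in one place on the keyframe rule would be safer, for example a small member along the lines of `void detachFromParent() { if (m_style) m_style->setParent(0); setParent(0); }`, called from both sites after the `isKeyframeRule()` check. Whether other removal paths (the list's own destructor, for instance) need the same treatment cannot be seen from this hunk. `deleteRule` starts above the hunk.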
diff --git a/Source/WebCore/css/WebKitCSSKeyframesRule.cpp b/Source/WebCore/css/WebKitCSSKeyframesRule.cpp
index 23f9f34..bf0c463 100644
--- a/Source/WebCore/css/WebKitCSSKeyframesRule.cpp
+++ b/Source/WebCore/css/WebKitCSSKeyframesRule.cpp
@@ -24,12 +24,13 @@
*/
#include "config.h"
+#include "WebKitCSSKeyframesRule.h"
+#include "CSSMutableStyleDeclaration.h"
#include "CSSParser.h"
-#include "WebKitCSSKeyframesRule.h"
-#include "WebKitCSSKeyframeRule.h"
#include "CSSRuleList.h"
#include "StyleSheet.h"
+#include "WebKitCSSKeyframeRule.h"
namespace WebCore {
@@ -45,8 +46,13 @@ WebKitCSSKeyframesRule::~WebKitCSSKeyframesRule()
if (length == 0)
return;
- for (int i = 0; i < length; i++)
+ for (int i = 0; i < length; i++) {
+ if (m_lstCSSRules->item(i)->isKeyframeRule()) {
+ if (CSSMutableStyleDeclaration* style = static_cast<WebKitCSSKeyframeRule*>(m_lstCSSRules->item(i))->style())
+ style->setParent(0);
+ }
m_lstCSSRules->item(i)->setParent(0);
+ }
}
String WebKitCSSKeyframesRule::name() const
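Review bot: The loop body now evaluates `m_lstCSSRules->item(i)` three times per iteration; binding it once, `CSSRule* rule = m_lstCSSRules->item(i);`, would make the cast and the two `setParent(0)` calls easier to read and audit. A one-line comment above the inner `if`, such as `// Script can keep a keyframe rule alive after this rule is destroyed; clear its style's parent pointer too.`, would record why the extra reset exists. The destructor starts above the hunk.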
--
WebKit Debian packaging