[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.3.8-1-1049-g2e11a8e

inferno at chromium.org inferno at chromium.org
Fri Jan 21 15:02:45 UTC 2011


The following commit has been merged in the debian/experimental branch:
commit c83675590d00ed07fa701e8b893c738a8fca7e24
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Jan 6 18:52:51 2011 +0000

    2011-01-06  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Simon Fraser.
    
            Null out the parent stylesheet pointer when a css rule is removed.
            https://bugs.webkit.org/show_bug.cgi?id=51993
    
            Tests: fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html
                   fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html
    
            * css/CSSRuleList.cpp:
            (WebCore::CSSRuleList::deleteRule):
            * css/CSSStyleSheet.cpp:
            (WebCore::CSSStyleSheet::deleteRule):
    2011-01-06  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Simon Fraser.
    
            Tests that we do not crash when accessing a deleted parent stylesheet
            from a removed css rule.
            https://bugs.webkit.org/show_bug.cgi?id=51993
    
            * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash-expected.txt: Added.
            * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html: Added.
            * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash-expected.txt: Added.
            * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75168 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 48c632c..af37e61 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-06  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Simon Fraser.
+
+        Tests that we do not crash when accessing a deleted parent stylesheet
+        from a removed css rule.
+        https://bugs.webkit.org/show_bug.cgi?id=51993
+
+        * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash-expected.txt: Added.
+        * fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html: Added.
+        * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash-expected.txt: Added.
+        * fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html: Added.
+
 2011-01-04  Adrienne Walker  <enne at google.com>
 
         Reviewed by Kenneth Russell.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash-expected.txt
diff --git a/LayoutTests/fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html b/LayoutTests/fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html
new file mode 100644
index 0000000..65d8cd8
--- /dev/null
+++ b/LayoutTests/fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html
@@ -0,0 +1,44 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+{
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+    style = document.createElement('style');
+    style.textContent = '@media all { body { color: red } }';
+    document.head.appendChild(style);
+ 
+    ruleList = getMatchedCSSRules(document.body);
+ 
+    document.styleSheets[0].cssRules[0].deleteRule(0);
+    document.head.removeChild(style);
+    
+    gc();
+    obj = ruleList[0].parentStyleSheet;
+
+    document.getElementById('result').innerHTML = "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function gc()
+{
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+        var s = new String("abc");
+    }
+}
+</script>
+</head>
+<body onload="runTest()">
+<div id="result"></div>
+</body>
+</html>
+
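Review bot: The test fails only if the stale read at `obj = ruleList[0].parentStyleSheet;` happens to crash, and a read through a dangling pointer does not crash reliably once the freed memory has been reused, so a regression could pass unnoticed on a build without heap checking. Since the fix presumably makes a removed rule report no parent, the result line could pin that directly: `document.getElementById('result').innerHTML = ruleList[0].parentStyleSheet === null ? "PASS" : "FAIL";`. The same applies to runTest() in removed-stylesheet-rule-deleted-parent-crash.html. `style`, `ruleList` and `obj` are also assigned without `var` and so become globals.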
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash-expected.txt
diff --git a/LayoutTests/fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html b/LayoutTests/fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html
new file mode 100644
index 0000000..f4c6161
--- /dev/null
+++ b/LayoutTests/fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html
@@ -0,0 +1,44 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+{
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function runTest()
+{
+    style = document.createElement('style');
+    style.textContent = 'body { color: red }';
+    document.head.appendChild(style);
+  
+    ruleList = getMatchedCSSRules(document.body);
+  
+    document.styleSheets[0].deleteRule(0);
+    document.head.removeChild(style);
+
+    gc();
+    obj = ruleList[0].parentStyleSheet;
+
+    document.getElementById('result').innerHTML = "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function gc()
+{
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+        var s = new String("abc");
+    }
+}
+</script>
+</head>
+<body onload="runTest()">
+<div id="result"></div>
+</body>
+</html>
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4d9aedf..7658e56 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2011-01-06  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Simon Fraser.
+
+        Null out the parent stylesheet pointer when a css rule is removed.
+        https://bugs.webkit.org/show_bug.cgi?id=51993
+
+        Tests: fast/dom/StyleSheet/removed-media-rule-deleted-parent-crash.html
+               fast/dom/StyleSheet/removed-stylesheet-rule-deleted-parent-crash.html
+
+        * css/CSSRuleList.cpp:
+        (WebCore::CSSRuleList::deleteRule):
+        * css/CSSStyleSheet.cpp:
+        (WebCore::CSSStyleSheet::deleteRule):
+
 2011-01-04  Adrienne Walker  <enne at google.com>
 
         Reviewed by Kenneth Russell.
diff --git a/WebCore/css/CSSRuleList.cpp b/WebCore/css/CSSRuleList.cpp
index 7367ab2..0a312af 100644
--- a/WebCore/css/CSSRuleList.cpp
+++ b/WebCore/css/CSSRuleList.cpp
@@ -76,6 +76,7 @@ void CSSRuleList::deleteRule(unsigned index)
         return;
     }
 
+    m_lstCSSRules[index]->setParent(0);
     m_lstCSSRules.remove(index);
 }
 
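Review bot: The added `m_lstCSSRules[index]->setParent(0);` clears the back-pointer only on this removal path, and the reason is not recorded next to it; a comment such as `// Script may still hold this rule after removal, so clear its raw parent pointer before dropping our reference.` would keep the line from being dropped in a later cleanup. The tests in this commit show a rule staying reachable from script after its parent is gone, so any other place that removes rules from `m_lstCSSRules` or destroys the parent would need the same reset; none is visible in this hunk, so that is something to check rather than a confirmed gap. The same comment fits `item(index)->setParent(0);` in CSSStyleSheet::deleteRule. The function begins outside the hunk.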
diff --git a/WebCore/css/CSSStyleSheet.cpp b/WebCore/css/CSSStyleSheet.cpp
index 04df693..d5487a1 100644
--- a/WebCore/css/CSSStyleSheet.cpp
+++ b/WebCore/css/CSSStyleSheet.cpp
@@ -164,6 +164,7 @@ void CSSStyleSheet::deleteRule(unsigned index, ExceptionCode& ec)
     }
 
     ec = 0;
+    item(index)->setParent(0);
     remove(index);
     styleSheetChanged();
 }
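Review bot: `item(index)->setParent(0);` dereferences the result of `item(index)` unchecked, so it is safe only if the guard that closes just above `ec = 0;` has already rejected every out-of-range index; that guard starts outside the hunk. An `ASSERT(item(index));` before the call would state the dependency and catch a regression in debug builds if the guard ever changes.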

-- 
WebKit Debian packaging


