[webkit-changes] [255340] trunk

[commit-queue]

Title: [255340] trunk

Revision

255340

Author

commit-qu...@webkit.org

Date

2020-01-29 00:04:56 -0800 (Wed, 29 Jan 2020)

Log Message

Nullptr crash when setting custom properties on detached style
https://bugs.webkit.org/show_bug.cgi?id=206724

Patch by Sunny He <sunny...@apple.com> on 2020-01-29
Reviewed by Darin Adler.

Source/WebCore:

Test: fast/dom/StyleSheet/detached-style-set-custom-property.html

* css/PropertySetCSSStyleDeclaration.cpp:
(WebCore::PropertySetCSSStyleDeclaration::setProperty):
(WebCore::StyleRuleCSSStyleDeclaration::clearParentRule):
(WebCore::InlineCSSStyleDeclaration::clearParentElement):

LayoutTests:

* fast/dom/StyleSheet/detached-style-set-custom-property-expected.txt: Added.
* fast/dom/StyleSheet/detached-style-set-custom-property.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/css/PropertySetCSSStyleDeclaration.cpp

Added Paths

• trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property-expected.txt
• trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property.html

Diff

Modified: trunk/LayoutTests/ChangeLog (255339 => 255340)

--- trunk/LayoutTests/ChangeLog	2020-01-29 07:18:55 UTC (rev 255339)
+++ trunk/LayoutTests/ChangeLog	2020-01-29 08:04:56 UTC (rev 255340)
@@ -1,3 +1,13 @@
+2020-01-29  Sunny He  <sunny...@apple.com>
+
+        Nullptr crash when setting custom properties on detached style
+        https://bugs.webkit.org/show_bug.cgi?id=206724
+
+        Reviewed by Darin Adler.
+
+        * fast/dom/StyleSheet/detached-style-set-custom-property-expected.txt: Added.
+        * fast/dom/StyleSheet/detached-style-set-custom-property.html: Added.
+
 2020-01-28  Pinki Gyanchandani  <pgyanchand...@apple.com>
 
         Null deref crash in DOMWindow::scrollBy after evoking updateLayoutIgnorePendingStylesheets()

Added: trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property-expected.txt (0 => 255340)

--- trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property-expected.txt	2020-01-29 08:04:56 UTC (rev 255340)
@@ -0,0 +1,11 @@
+Test setting custom properties on detached styles
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS element.attributes[0].name is "style"
+PASS inlineStyle.getPropertyValue("--cssvarc") is "inherit"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property.html (0 => 255340)

--- trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/StyleSheet/detached-style-set-custom-property.html	2020-01-29 08:04:56 UTC (rev 255340)
@@ -0,0 +1,19 @@
+<html>
+<head>
+    <script src=""
+</head>
+<body>
+    <script>
+        description("Test setting custom properties on detached styles");
+        var element = document.createElementNS("http://www.w3.org/2000/svg", "style");
+        var inlineStyle = element.style;
+        inlineStyle.setProperty("word-break", "inherit");
+
+        shouldBeEqualToString("element.attributes[0].name", "style");
+        element.removeAttribute("style");
+        
+        inlineStyle.setProperty("--cssvarc", "inherit");
+        shouldBeEqualToString('inlineStyle.getPropertyValue("--cssvarc")', "inherit");
+    </script>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (255339 => 255340)

--- trunk/Source/WebCore/ChangeLog	2020-01-29 07:18:55 UTC (rev 255339)
+++ trunk/Source/WebCore/ChangeLog	2020-01-29 08:04:56 UTC (rev 255340)
@@ -1,3 +1,17 @@
+2020-01-29  Sunny He  <sunny...@apple.com>
+
+        Nullptr crash when setting custom properties on detached style
+        https://bugs.webkit.org/show_bug.cgi?id=206724
+
+        Reviewed by Darin Adler.
+
+        Test: fast/dom/StyleSheet/detached-style-set-custom-property.html
+
+        * css/PropertySetCSSStyleDeclaration.cpp:
+        (WebCore::PropertySetCSSStyleDeclaration::setProperty):
+        (WebCore::StyleRuleCSSStyleDeclaration::clearParentRule):
+        (WebCore::InlineCSSStyleDeclaration::clearParentElement):
+
 2020-01-28  Said Abou-Hallawa  <s...@apple.com>
 
         REGRESSION (r255158): http/tests/frame-throttling/raf-throttle-in-cross-origin-subframe.html is a flaky failure

Modified: trunk/Source/WebCore/css/PropertySetCSSStyleDeclaration.cpp (255339 => 255340)

--- trunk/Source/WebCore/css/PropertySetCSSStyleDeclaration.cpp	2020-01-29 07:18:55 UTC (rev 255339)
+++ trunk/Source/WebCore/css/PropertySetCSSStyleDeclaration.cpp	2020-01-29 08:04:56 UTC (rev 255340)
@@ -252,7 +252,7 @@
 
         if (parentElement())
             document = &parentElement()->document();
-        else
+        else if (parentStyleSheet())
             document = parentStyleSheet()->ownerDocument();
 
         changed = m_propertySet->setCustomProperty(document, propertyName, value, important, cssParserContext());

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes