Title: [99649] trunk
Revision
99649
Author
cev...@google.com
Date
2011-11-08 20:17:42 -0800 (Tue, 08 Nov 2011)

Log Message

Crash accessing font face rule parent
https://bugs.webkit.org/show_bug.cgi?id=71860

Reviewed by Adam Barth.

Source/WebCore:

Test: fast/css/css-fontface-rule-crash.html

* css/CSSFontFaceRule.cpp:
(WebCore::CSSFontFaceRule::~CSSFontFaceRule): tell our child rule when we are going away.

LayoutTests:

* fast/css/css-fontface-rule-crash-expected.txt: Added.
* fast/css/css-fontface-rule-crash.html: Added.
* resources/gc.js: Added. Add a re-usable best-of-breed gc().

Diff

Modified: trunk/LayoutTests/ChangeLog (99648 => 99649)


--- trunk/LayoutTests/ChangeLog	2011-11-09 04:03:39 UTC (rev 99648)
+++ trunk/LayoutTests/ChangeLog	2011-11-09 04:17:42 UTC (rev 99649)
@@ -1,3 +1,14 @@
+2011-11-08  Chris Evans  <cev...@google.com>
+
+        Crash accessing font fact rule parent
+        https://bugs.webkit.org/show_bug.cgi?id=71860
+
+        Reviewed by Adam Barth.
+
+        * fast/css/css-fontface-rule-crash-expected.txt: Added.
+        * fast/css/css-fontface-rule-crash.html: Added.
+        * resources/gc.js: Added. Add a re-usable best-of-breed gc().
+
 2011-11-08  Brent Fulgham  <bfulg...@webkit.org>
 
         [WinCairo] Unreviewed skiplist update to match main Windows
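Review bot: the entry title on the third added line misspells the affected class ("font fact rule" should read "font face rule", matching CSSFontFaceRule), so a ChangeLog search for "font face" will miss this fix; correct it before landing. The gc.js bullet also describes the helper as "best-of-breed", but the added file only falls back to allocation pressure when GCController is absent, so "best available" would state the guarantee more honestly.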

Added: trunk/LayoutTests/fast/css/css-fontface-rule-crash-expected.txt (0 => 99649)


--- trunk/LayoutTests/fast/css/css-fontface-rule-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/css-fontface-rule-crash-expected.txt	2011-11-09 04:17:42 UTC (rev 99649)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/css/css-fontface-rule-crash.html (0 => 99649)


--- trunk/LayoutTests/fast/css/css-fontface-rule-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/css-fontface-rule-crash.html	2011-11-09 04:17:42 UTC (rev 99649)
@@ -0,0 +1,37 @@
+<html>
+<head>
+<script src=""
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function load()
+{
+    style = document.createElement('style');
+    style.textContent = '@font-face { font-family: "A"; }';
+    document.head.appendChild(style);
+    rulestyle = document.styleSheets[0].cssRules[0].style;
+    document.head.removeChild(style);
+    style = null;
+    setTimeout(crash, 0);
+}
+
+function crash()
+{
+    gc();
+    obj = rulestyle.parentRule;
+    // If the gc() actually successfully reaps everything it can, then obj
+    // will end up null (post-fix). gc() is not guaranteed to reap the font-face
+    // rule, however, particularly in the browser context.
+    if (obj)
+        obj = obj.foo;
+    document.body.innerText = 'PASS';
+    if (window.layoutTestController)
+        layoutTestController.notifyDone()
+}
+</script>
+</head>
+<body _onload_="load()"></body>
+</html>
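Review bot: the `<script src=""` line in this hunk is both empty and unterminated (no closing `>` and no `</script>`), so as committed the test never loads the helper and the call to `gc()` in `crash()` throws a ReferenceError before the use-after-free path is exercised; the ChangeLog says the intended include is resources/gc.js, which from fast/css/ would be `<script src="../../resources/gc.js"></script>`. On the last body line, `_onload_="load()"` is not a valid event attribute (it should be `onload`), so `load()` is never invoked and the test passes vacuously with an empty body. Two smaller points: `style` and `rulestyle` are implicit globals (add `var`, keeping `rulestyle` global since `crash()` needs it after the GC), and `layoutTestController.notifyDone()` is missing its semicolon. The comment about `gc()` not being guaranteed to reap the rule is a fair caveat: the test is only deterministic as a crash reproducer when GCController is available.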

Added: trunk/LayoutTests/resources/gc.js (0 => 99649)


--- trunk/LayoutTests/resources/gc.js	                        (rev 0)
+++ trunk/LayoutTests/resources/gc.js	2011-11-09 04:17:42 UTC (rev 99649)
@@ -0,0 +1,20 @@
+// If there is no window.gc() already defined, define one using the best
+// method we can find.
+// The slow fallback should not hit in the actual test environment.
+if (!window.gc)
+{
+    window.gc = function()
+    {
+        if (window.GCController)
+            return GCController.collect();
+        function gcRec(n) {
+            if (n < 1)
+                return {};
+            var temp = {i: "ab" + i + (i / 100000)};
+            temp += "foo";
+            gcRec(n-1);
+        }
+        for (var i = 0; i < 10000; i++)
+            gcRec(10);
+    }
+}
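Review bot: inside `gcRec`, the object literal reads `i`, which is not the recursion parameter `n` but the hoisted `var i` from the `for` loop below; it works only by accident of function-scoped `var`, and the string built from it, `temp += "foo"`, and the `{}` returned on the base case are all discarded, so the intent (create enough short-lived garbage to provoke a collection) should be stated in the comment and the recursion rewritten in terms of `n` alone, with `return;` instead of `return {};`. The fallback also cannot promise a collection has happened when it returns, unlike `GCController.collect()`, so callers such as the new font-face test should treat a non-null result after `gc()` as inconclusive rather than as a failure, which the test's comment already does. Style: the `window.gc = function() {...}` assignment lacks a trailing semicolon.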

Modified: trunk/Source/WebCore/ChangeLog (99648 => 99649)


--- trunk/Source/WebCore/ChangeLog	2011-11-09 04:03:39 UTC (rev 99648)
+++ trunk/Source/WebCore/ChangeLog	2011-11-09 04:17:42 UTC (rev 99649)
@@ -1,3 +1,15 @@
+2011-11-08  Chris Evans  <cev...@google.com>
+
+        Crash accessing font fact rule parent
+        https://bugs.webkit.org/show_bug.cgi?id=71860
+
+        Reviewed by Adam Barth.
+
+        Test: fast/css/css-fontface-rule-crash.html
+
+        * css/CSSFontFaceRule.cpp:
+        (WebCore::CSSFontFaceRule::~CSSFontFaceRule): tell our child rule when we are going away.
+
 2011-11-08  Adam Klein  <ad...@chromium.org>
 
         Use a typedef for ExceptionCode in all header files instead of including ExceptionCode.h
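Review bot: same typo as in the LayoutTests entry on the third added line ("font fact rule" for "font face rule"); the bullet for the destructor is otherwise a clear one-line description of the fix.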

Modified: trunk/Source/WebCore/css/CSSFontFaceRule.cpp (99648 => 99649)


--- trunk/Source/WebCore/css/CSSFontFaceRule.cpp	2011-11-09 04:03:39 UTC (rev 99648)
+++ trunk/Source/WebCore/css/CSSFontFaceRule.cpp	2011-11-09 04:17:42 UTC (rev 99649)
@@ -33,6 +33,8 @@
 
 CSSFontFaceRule::~CSSFontFaceRule()
 {
+    if (m_style)
+        m_style->setParentRule(0);
 }
 
 String CSSFontFaceRule::cssText() const
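Review bot: the added two lines fix the dangling back-pointer the test exercises: script can retain the style declaration (`rulestyle` in the test) after the `<style>` element and its sheet are torn down, so once the CSSFontFaceRule is destroyed `rulestyle.parentRule` would otherwise hand a freed rule back to the bindings. The `if (m_style)` guard is right since the member may be null. Consider strengthening the invariant with an `ASSERT(m_style->parentRule() == this)` before `setParentRule(0)`, so a declaration that was reparented to another rule is never silently detached from its new owner, and add a short comment naming the use-after-free this prevents so the call is not removed as apparently redundant cleanup.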
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
