Diff
Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (103414 => 103415)
--- branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 18:49:12 UTC (rev 103415)
@@ -1,3 +1,19 @@
+2011-12-21 Lucas Forschler <lforsch...@apple.com>
+
+ Merge 93227
+
+ 2011-08-17 Abhishek Arya <infe...@chromium.org>
+
+ Tests that we do not crash when iterating through stylesheet
+ candidate list hashset.
+ https://bugs.webkit.org/show_bug.cgi?id=66335
+
+ Reviewed by Simon Fraser.
+
+ * svg/dom/resources/stylesheet-candidate-node-crash.svg: Added.
+ * svg/dom/stylesheet-candidate-node-crash-main-expected.txt: Added.
+ * svg/dom/stylesheet-candidate-node-crash-main.html: Added.
+
2011-12-20 Lucas Forschler <lforsch...@apple.com>
Merge 93032
Copied: branches/safari-534.54-branch/LayoutTests/svg/dom/resources/stylesheet-candidate-node-crash.svg (from rev 93227, trunk/LayoutTests/svg/dom/resources/stylesheet-candidate-node-crash.svg) (0 => 103415)
--- branches/safari-534.54-branch/LayoutTests/svg/dom/resources/stylesheet-candidate-node-crash.svg (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/svg/dom/resources/stylesheet-candidate-node-crash.svg 2011-12-21 18:49:12 UTC (rev 103415)
@@ -0,0 +1,8 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="test">
+<text id="test1">PASS</text>
+</g>
+<use id="test2" xlink:href=""
+<use xlink:href=""
+<set attributeName="font-style" to="italic"/>
+</svg>
Copied: branches/safari-534.54-branch/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main-expected.txt (from rev 93227, trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main-expected.txt) (0 => 103415)
--- branches/safari-534.54-branch/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main-expected.txt (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main-expected.txt 2011-12-21 18:49:12 UTC (rev 103415)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Copied: branches/safari-534.54-branch/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main.html (from rev 93227, trunk/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main.html) (0 => 103415)
--- branches/safari-534.54-branch/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main.html (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/svg/dom/stylesheet-candidate-node-crash-main.html 2011-12-21 18:49:12 UTC (rev 103415)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest() {
+ svgdoc = document.getElementById('root').contentDocument;
+ var style = document.createElement('style');
+ var test1 = svgdoc.getElementById('test1');
+ test1.appendChild(style);
+ svgdoc.getElementById('test2').setAttribute('xlink:href', 0);
+ svgdoc.getElementById('test').setAttribute('stroke', 0);
+}
+</script>
+<object data="" id="root" _onload_="runTest();" type="image/svg+xml"></object>
+</html>
+
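Review bot: As shown here the `<object>` carries `data=""` and an `_onload_` attribute, so runTest() would never fire and the SVG resource would never load. This looks like sanitising by the archive rather than the committed text, and the two unterminated `<use ... xlink:href=""` lines in the .svg resource look like the same artefact. The ChangeLog names `resources/stylesheet-candidate-node-crash.svg` as the resource, so the original presumably points `data` there and uses a plain `onload`. Separately, `svgdoc` on the first line of runTest() is assigned without `var` and becomes an implicit global; `var svgdoc = ...` would match the declarations that follow it.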
Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (103414 => 103415)
--- branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 18:49:12 UTC (rev 103415)
@@ -1,3 +1,30 @@
+2011-12-21 Lucas Forschler <lforsch...@apple.com>
+
+ Merge 93227
+
+ 2011-08-17 Abhishek Arya <infe...@chromium.org>
+
+ Crash in Document::recalcStyleSelector
+ https://bugs.webkit.org/show_bug.cgi?id=66335
+
+ Reviewed by Simon Fraser.
+
+ When node is getting destroyed and its removedFromDocument
+ is not called due to entire document structure torn down(using
+ removeAllChildren), make sure to clear out the stylesheet
+ candidate node from document's structures in its destructor.
+
+ Test: svg/dom/stylesheet-candidate-node-crash-main.html
+
+ * dom/ProcessingInstruction.cpp:
+ (WebCore::ProcessingInstruction::~ProcessingInstruction):
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::~HTMLLinkElement):
+ * html/HTMLStyleElement.cpp:
+ (WebCore::HTMLStyleElement::~HTMLStyleElement):
+ * svg/SVGStyleElement.cpp:
+ (WebCore::SVGStyleElement::~SVGStyleElement):
+
2011-12-20 Lucas Forschler <lforsch...@apple.com>
Merge 93032
Modified: branches/safari-534.54-branch/Source/WebCore/dom/ProcessingInstruction.cpp (103414 => 103415)
--- branches/safari-534.54-branch/Source/WebCore/dom/ProcessingInstruction.cpp 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/Source/WebCore/dom/ProcessingInstruction.cpp 2011-12-21 18:49:12 UTC (rev 103415)
@@ -62,6 +62,9 @@
if (m_cachedSheet)
m_cachedSheet->removeClient(this);
+
+ if (inDocument())
+ document()->removeStyleSheetCandidateNode(this);
}
void ProcessingInstruction::setData(const String& data, ExceptionCode&)
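Review bot: The added `if (inDocument()) document()->removeStyleSheetCandidateNode(this);` at the end of the destructor has no comment explaining why a destructor must unregister from the document. The same two lines are repeated in the HTMLLinkElement.cpp hunk, while the style elements get a shared helper. Going by the ChangeLog entry, the document's candidate set appears to hold raw node pointers, so a node destroyed without removedFromDocument() would otherwise leave a dangling entry for Document::recalcStyleSelector to walk. I would put a comment above both copies, e.g. `// removedFromDocument() is skipped when the tree is torn down via removeAllChildren(); unregister here so the document keeps no stale pointer.` The destructor's opening lines are outside the hunk.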
Modified: branches/safari-534.54-branch/Source/WebCore/dom/StyleElement.cpp (103414 => 103415)
--- branches/safari-534.54-branch/Source/WebCore/dom/StyleElement.cpp 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/Source/WebCore/dom/StyleElement.cpp 2011-12-21 18:49:12 UTC (rev 103415)
@@ -84,6 +84,15 @@
document->styleSelectorChanged(DeferRecalcStyle);
}
+void StyleElement::clearDocumentData(Document* document, Element* element)
+{
+ if (m_sheet)
+ m_sheet->clearOwnerNode();
+
+ if (element->inDocument())
+ document->removeStyleSheetCandidateNode(element);
+}
+
void StyleElement::childrenChanged(Element* element)
{
ASSERT(element);
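Review bot: clearDocumentData() dereferences both `element` and `document` without the `ASSERT(element);` that childrenChanged() directly below it opens with. The helper is called from the HTMLStyleElement and SVGStyleElement destructors, so a null argument would surface only as a crash during teardown; adding `ASSERT(document);` and `ASSERT(element);` as its first two lines keeps it consistent with its neighbour. It also depends on inDocument() still being true in the destructor when removedFromDocument() was skipped, which deserves a one-line comment above the second `if`. The declaration in StyleElement.h could likewise note that this is the destructor-time counterpart of removedFromDocument(). childrenChanged()'s body continues outside the hunk.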
Modified: branches/safari-534.54-branch/Source/WebCore/dom/StyleElement.h (103414 => 103415)
--- branches/safari-534.54-branch/Source/WebCore/dom/StyleElement.h 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/Source/WebCore/dom/StyleElement.h 2011-12-21 18:49:12 UTC (rev 103415)
@@ -44,6 +44,7 @@
void insertedIntoDocument(Document*, Element*);
void removedFromDocument(Document*, Element*);
+ void clearDocumentData(Document*, Element*);
void childrenChanged(Element*);
void finishParsingChildren(Element*);
Modified: branches/safari-534.54-branch/Source/WebCore/html/HTMLLinkElement.cpp (103414 => 103415)
--- branches/safari-534.54-branch/Source/WebCore/html/HTMLLinkElement.cpp 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/Source/WebCore/html/HTMLLinkElement.cpp 2011-12-21 18:49:12 UTC (rev 103415)
@@ -79,6 +79,9 @@
removePendingSheet();
}
+ if (inDocument())
+ document()->removeStyleSheetCandidateNode(this);
+
#if ENABLE(LINK_PREFETCH)
if (m_cachedLinkResource)
m_cachedLinkResource->removeClient(this);
Modified: branches/safari-534.54-branch/Source/WebCore/html/HTMLStyleElement.cpp (103414 => 103415)
--- branches/safari-534.54-branch/Source/WebCore/html/HTMLStyleElement.cpp 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/Source/WebCore/html/HTMLStyleElement.cpp 2011-12-21 18:49:12 UTC (rev 103415)
@@ -44,8 +44,7 @@
HTMLStyleElement::~HTMLStyleElement()
{
- if (m_sheet)
- m_sheet->clearOwnerNode();
+ StyleElement::clearDocumentData(document(), this);
}
PassRefPtr<HTMLStyleElement> HTMLStyleElement::create(const QualifiedName& tagName, Document* document, bool createdByParser)
Modified: branches/safari-534.54-branch/Source/WebCore/svg/SVGStyleElement.cpp (103414 => 103415)
--- branches/safari-534.54-branch/Source/WebCore/svg/SVGStyleElement.cpp 2011-12-21 18:43:48 UTC (rev 103414)
+++ branches/safari-534.54-branch/Source/WebCore/svg/SVGStyleElement.cpp 2011-12-21 18:49:12 UTC (rev 103415)
@@ -43,8 +43,7 @@
SVGStyleElement::~SVGStyleElement()
{
- if (m_sheet)
- m_sheet->clearOwnerNode();
+ StyleElement::clearDocumentData(document(), this);
}
PassRefPtr<SVGStyleElement> SVGStyleElement::create(const QualifiedName& tagName, Document* document, bool createdByParser)