Changeset 102639 in webkit

Timestamp:

Dec 12, 2011 4:48:36 PM (12 years ago)

Author:

adamk@chromium.org

Message:

Don't crash in StyleAttributeMutationScope if the style declaration's element has been GCed
​https://bugs.webkit.org/show_bug.cgi?id=74321

Reviewed by Ryosuke Niwa.

Source/WebCore:

In r101101, Rafael Weinstein added code to CSSMutableStyleDeclaration.cpp
which depended on isInlineStyleDeclaration returning true iff the
element it pointed to was non-null (it will be nulled-out if the
element is garbage collected).

Then, in r101172, Andreas Kling changed the semantics so that
isInlineStyleDeclaration only described the type of the declaration,
not the state of the related element.

This change updates Rafael's code with an explicit check that the
element is still alive.

Test: fast/dom/css-inline-style-declaration-crash.html

• css/CSSMutableStyleDeclaration.cpp:

LayoutTests:

• fast/dom/css-inline-style-declaration-crash-expected.txt: Added.
• fast/dom/css-inline-style-declaration-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/css-inline-style-declaration-crash-expected.txt (added)
• LayoutTests/fast/dom/css-inline-style-declaration-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSMutableStyleDeclaration.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-12-12  Adam Klein  <adamk@chromium.org>
+
+        Don't crash in StyleAttributeMutationScope if the style declaration's element has been GCed
+        https://bugs.webkit.org/show_bug.cgi?id=74321
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/dom/css-inline-style-declaration-crash-expected.txt: Added.
+        * fast/dom/css-inline-style-declaration-crash.html: Added.
+
 2011-12-12  Brent Fulgham  <bfulgham@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-12-12  Adam Klein  <adamk@chromium.org>
+
+        Don't crash in StyleAttributeMutationScope if the style declaration's element has been GCed
+        https://bugs.webkit.org/show_bug.cgi?id=74321
+
+        Reviewed by Ryosuke Niwa.
+
+        In r101101, Rafael Weinstein added code to CSSMutableStyleDeclaration.cpp
+        which depended on isInlineStyleDeclaration returning true iff the
+        element it pointed to was non-null (it will be nulled-out if the
+        element is garbage collected).
+
+        Then, in r101172, Andreas Kling changed the semantics so that
+        isInlineStyleDeclaration only described the type of the declaration,
+        not the state of the related element.
+
+        This change updates Rafael's code with an explicit check that the
+        element is still alive.
+
+        Test: fast/dom/css-inline-style-declaration-crash.html
+
+        * css/CSSMutableStyleDeclaration.cpp:
+
 2011-12-12  Chris Fleizach  <cfleizach@apple.com>
 

trunk/Source/WebCore/css/CSSMutableStyleDeclaration.cpp

@@ -68 +68 @@
 
         CSSInlineStyleDeclaration* inlineDecl = toCSSInlineStyleDeclaration(s_currentDecl);
+        if (!inlineDecl->element())
+            return;
+
         m_mutationRecipients = MutationObserverInterestGroup::createForAttributesMutation(inlineDecl->element(), HTMLNames::styleAttr);
         if (m_mutationRecipients->isEmpty()) {
@@ -99 +102 @@
         s_currentDecl = 0;
         s_shouldNotifyInspector = false;
-        if (inlineDecl->element()->document())
+        if (inlineDecl->element() && inlineDecl->element()->document())
             InspectorInstrumentation::didInvalidateStyleAttr(inlineDecl->element()->document(), inlineDecl->element());
     }