Changeset 77834 in webkit


Timestamp:
Feb 7, 2011 12:08:47 PM (13 years ago)
Author:
Antti Koivisto
Message:

REGRESSION(r77740): CSSStyleSelector accessing deleted memory for svg/dom/use-transform.svg
https://bugs.webkit.org/show_bug.cgi?id=53900

Reviewed by Andreas Kling.

Ignore link elements in shadow trees.

  • dom/Element.cpp:

(WebCore::StyleSelectorParentPusher::StyleSelectorParentPusher):
(WebCore::StyleSelectorParentPusher::~StyleSelectorParentPusher):

Some asserts to catch cases like this.

(WebCore::Element::attach):
(WebCore::Element::recalcStyle):

  • html/HTMLLinkElement.cpp:

(WebCore::HTMLLinkElement::HTMLLinkElement):
(WebCore::HTMLLinkElement::process):
(WebCore::HTMLLinkElement::insertedIntoDocument):
(WebCore::HTMLLinkElement::removedFromDocument):

  • html/HTMLLinkElement.h:
Location:
trunk/Source/WebCore
Files:
4 edited

  • trunk/Source/WebCore/ChangeLog

    r77831 r77834  
     12011-02-07  Antti Koivisto  <antti@apple.com>
     2
     3        Reviewed by Andreas Kling.
     4
     5        REGRESSION(r77740): CSSStyleSelector accessing deleted memory for svg/dom/use-transform.svg
     6        https://bugs.webkit.org/show_bug.cgi?id=53900
     7       
     8        Ignore link elements in shadow trees.
     9
     10        * dom/Element.cpp:
     11        (WebCore::StyleSelectorParentPusher::StyleSelectorParentPusher):
     12        (WebCore::StyleSelectorParentPusher::~StyleSelectorParentPusher):
     13               
     14            Some asserts to catch cases like this.
     15
     16        (WebCore::Element::attach):
     17        (WebCore::Element::recalcStyle):
     18        * html/HTMLLinkElement.cpp:
     19        (WebCore::HTMLLinkElement::HTMLLinkElement):
     20        (WebCore::HTMLLinkElement::process):
     21        (WebCore::HTMLLinkElement::insertedIntoDocument):
     22        (WebCore::HTMLLinkElement::removedFromDocument):
     23        * html/HTMLLinkElement.h:
     24
    1252011-02-07  Darin Adler  <darin@apple.com>
    226
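--- a/trunk/Source/WebCore/dom/Element.cpp
+++ b/trunk/Source/WebCore/dom/Element.cpp
@@ -71,29 +71,30 @@
 class StyleSelectorParentPusher {
 public:
-    StyleSelectorParentPusher(CSSStyleSelector* styleSelector, Element* parent)
-        : m_styleSelector(styleSelector)
-        , m_parent(parent)
-        , m_didPush(false)
+    StyleSelectorParentPusher(Element* parent)
+        : m_parent(parent)
+        , m_pushedStyleSelector(0)
     {
     }
     void push()
     {
-        if (m_didPush)
+        if (m_pushedStyleSelector)
             return;
-        m_styleSelector->pushParent(m_parent);
-        m_didPush = true;
+        m_pushedStyleSelector = m_parent->document()->styleSelector();
+        m_pushedStyleSelector->pushParent(m_parent);
     }
     ~StyleSelectorParentPusher()
     {
-        if (m_didPush)
-            m_styleSelector->popParent(m_parent);
+
+        if (!m_pushedStyleSelector)
+            return;
+        ASSERT(m_pushedStyleSelector == m_parent->document()->styleSelector());
+        m_pushedStyleSelector->popParent(m_parent);
     }
 
 private:
-    CSSStyleSelector* m_styleSelector;
     Element* m_parent;
-    bool m_didPush;
+    CSSStyleSelector* m_pushedStyleSelector;
 };
-   
+
 PassRefPtr<Element> Element::create(const QualifiedName& tagName, Document* document)
 {
@@ -946,5 +947,5 @@
     createRendererIfNeeded();
    
-    StyleSelectorParentPusher parentPusher(document()->styleSelector(), this);
+    StyleSelectorParentPusher parentPusher(this);
     if (firstChild())
         parentPusher.push();
@@ -1093,5 +1094,5 @@
         }
     }
-    StyleSelectorParentPusher parentPusher(document()->styleSelector(), this);
+    StyleSelectorParentPusher parentPusher(this);
     // FIXME: This check is good enough for :hover + foo, but it is not good enough for :hover + foo + bar.
     // For now we will just worry about the common case, since it's a lot trickier to get the second case right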
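Review bot: The destructor's ASSERT at new lines 88–91 checks that the selector captured in push() is still the document's current one, but in release builds a mismatch still calls popParent() on the stale pointer, so the assert documents the invariant without enforcing it; a comment on the member would tell the next reader why the selector is taken at push() time rather than in the constructor, e.g. `// Captured in push(), not at construction: the document may replace its style selector in between (bug 53900).` The class is also copyable as written, and a copy would pop the parent twice; marking it non-copyable (e.g. WTF::Noncopyable) would make the RAII intent explicit. Element::attach and Element::recalcStyle, where the pusher is constructed in the second and third hunks, begin and end outside those hunks.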
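--- a/trunk/Source/WebCore/html/HTMLLinkElement.cpp
+++ b/trunk/Source/WebCore/html/HTMLLinkElement.cpp
@@ -57,4 +57,5 @@
     , m_loading(false)
     , m_createdByParser(createdByParser)
+    , m_isInShadowTree(false)
     , m_pendingSheetType(None)
 {
@@ -195,5 +196,5 @@
 void HTMLLinkElement::process()
 {
-    if (!inDocument()) {
+    if (!inDocument() || m_isInShadowTree) {
         ASSERT(!m_sheet);
         return;
@@ -281,4 +282,9 @@
 {
     HTMLElement::insertedIntoDocument();
+
+    m_isInShadowTree = isInShadowTree();
+    if (m_isInShadowTree)
+        return;
+
     document()->addStyleSheetCandidateNode(this, m_createdByParser);
 
@@ -290,4 +296,8 @@
     HTMLElement::removedFromDocument();
 
+    if (m_isInShadowTree) {
+        ASSERT(!m_sheet);
+        return;
+    }
     document()->removeStyleSheetCandidateNode(this);
 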
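Review bot: m_isInShadowTree is a snapshot taken in insertedIntoDocument() at new line 285 and then trusted by process() and removedFromDocument(), but nothing says why the value is cached rather than queried live at each site, so a later cleanup could "simplify" it back to isInShadowTree() and break the pairing between addStyleSheetCandidateNode and removeStyleSheetCandidateNode. A comment at that line would pin it down, e.g. `// Cached at insertion time: removedFromDocument() must unregister exactly when this inserted the node as a sheet candidate.` The flag is never cleared on removal, so the `!inDocument() ||` test in process() has to stay first, as it is at new line 198. insertedIntoDocument() and removedFromDocument() both begin and end outside the last two hunks.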
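--- a/trunk/Source/WebCore/html/HTMLLinkElement.h
+++ b/trunk/Source/WebCore/html/HTMLLinkElement.h
@@ -136,4 +136,5 @@
     bool m_loading;
     bool m_createdByParser;
+    bool m_isInShadowTree;
    
     PendingSheetType m_pendingSheetType;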