Crash in WebCore::StyleResolver::collectMatchingRulesForList
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Jul 2012 18:41:25 +0000 (18:41 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Jul 2012 18:41:25 +0000 (18:41 +0000)
commit1e9bf8c3c1ef945dcbc7aa178a9f06561da962e5
tree8c61be8a60e862889aa3343db0e07804c6317cdf
parent3804211162741c2adc6cb6b7e0bbc56011227e03
Crash in WebCore::StyleResolver::collectMatchingRulesForList
https://bugs.webkit.org/show_bug.cgi?id=90803

Patch by Douglas Stockwell <dstockwell@google.com> on 2012-07-19
Reviewed by Andreas Kling.

Source/WebCore:

When a ProcessingInstruction was removed from the document the owner
was removed, but the style resolver was not guaranteed to be updated.
It was then possible for an inconsistent version of the stylesheet to
remain visible in the DOM. Fixed by removing an invalid condition and
mirroring the logic from StyleElement.

Test: fast/css/xml-stylesheet-removed.xhtml

* dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::removedFrom): Mirror the logic from
StyleElement -- always update the style resolver.

LayoutTests:

* fast/css/xml-stylesheet-removed-expected.txt: Added.
* fast/css/xml-stylesheet-removed.xhtml: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@123128 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/css/xml-stylesheet-removed-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/xml-stylesheet-removed.xhtml [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/ProcessingInstruction.cpp