2011-06-23 Abhishek Arya <inferno@chromium.org>
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Jun 2011 18:30:55 +0000 (18:30 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Jun 2011 18:30:55 +0000 (18:30 +0000)
        Reviewed by Adam Barth.

        Tests that we do not crash when doing a media query match.
        https://bugs.webkit.org/show_bug.cgi?id=63264

        * fast/css/media-query-evaluator-crash-expected.txt: Added.
        * fast/css/media-query-evaluator-crash.html: Added.
2011-06-23  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        RefPtr m_style in MediaQueryEvaluator in case of callers like
        MediaQueryMatcher::prepareEvaluator that do not retain its reference.
        https://bugs.webkit.org/show_bug.cgi?id=63264

        Test: fast/css/media-query-evaluator-crash.html

        * css/MediaQueryEvaluator.cpp:
        (WebCore::MediaQueryEvaluator::eval):
        * css/MediaQueryEvaluator.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@89595 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/media-query-evaluator-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/media-query-evaluator-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/MediaQueryEvaluator.cpp
Source/WebCore/css/MediaQueryEvaluator.h

index 428e669..a363e52 100644 (file)
@@ -1,3 +1,13 @@
+2011-06-23  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Tests that we do not crash when doing a media query match.
+        https://bugs.webkit.org/show_bug.cgi?id=63264
+
+        * fast/css/media-query-evaluator-crash-expected.txt: Added.
+        * fast/css/media-query-evaluator-crash.html: Added.
+
 2011-06-23  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/LayoutTests/fast/css/media-query-evaluator-crash-expected.txt b/LayoutTests/fast/css/media-query-evaluator-crash-expected.txt
new file mode 100644 (file)
index 0000000..c6f20fc
--- /dev/null
@@ -0,0 +1 @@
+Test passes if it does not crash. 
diff --git a/LayoutTests/fast/css/media-query-evaluator-crash.html b/LayoutTests/fast/css/media-query-evaluator-crash.html
new file mode 100644 (file)
index 0000000..089b49b
--- /dev/null
@@ -0,0 +1,12 @@
+<html>
+Test passes if it does not crash.
+<iframe id="test"></iframe>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var iframe = document.getElementById("test");
+var obj = iframe.contentWindow.matchMedia("(min-width: 0em)");
+</script>
+</html>
+
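Review bot: The test never reads `obj` after `var obj = iframe.contentWindow.matchMedia("(min-width: 0em)");`, so it only covers a crash that happens during the `matchMedia` call itself. Reading `obj.matches` afterwards would also cover evaluation that happens on access. A one-line comment naming bug 63264 and saying why the query is run against the iframe's window would make the test self-explanatory.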
index 74ece1f..608ff6d 100644 (file)
@@ -1,3 +1,17 @@
+2011-06-23  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        RefPtr m_style in MediaQueryEvaluator in case of callers like
+        MediaQueryMatcher::prepareEvaluator that do not retain its reference.
+        https://bugs.webkit.org/show_bug.cgi?id=63264
+
+        Test: fast/css/media-query-evaluator-crash.html
+
+        * css/MediaQueryEvaluator.cpp:
+        (WebCore::MediaQueryEvaluator::eval):
+        * css/MediaQueryEvaluator.h:
+
 2011-06-23  Jungshik Shin  <jshin@chromium.org>
 
         Reviewed by Alexey Proskuryakov.
index 191e427..ccc6f84 100644 (file)
@@ -532,7 +532,7 @@ bool MediaQueryEvaluator::eval(const MediaQueryExp* expr) const
     // used
     EvalFunc func = gFunctionMap->get(expr->mediaFeature().impl());
     if (func)
-        return func(expr->value(), m_style, m_frame, NoPrefix);
+        return func(expr->value(), m_style.get(), m_frame, NoPrefix);
 
     return false;
 }
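Review bot: Null handling at the changed call is not visible here: `m_style.get()` is handed straight to `func`, so every feature function reached through `gFunctionMap` has to cope with a null style if an evaluator can exist without one. Please confirm that is the case, or return false before the lookup when `m_style` is null.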
index 07c4d0d..05c8dc9 100644 (file)
@@ -83,7 +83,7 @@ public:
 private:
     String m_mediaType;
     Frame* m_frame; // not owned
-    RenderStyle* m_style; // not owned
+    RefPtr<RenderStyle> m_style;
     bool m_expResult;
 };
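Review bot: `Frame* m_frame; // not owned` directly above the changed member stays a raw pointer, while the ChangeLog says callers like MediaQueryMatcher::prepareEvaluator do not retain what they pass in. Please confirm the frame cannot go away under the same callers, or document why it is safe. The new `RefPtr<RenderStyle> m_style;` also dropped its ownership comment; a short note that the evaluator now holds its own reference would help the next reader.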