Make sure that clearOwnerNode also clears StyleResolver references (via didMutate).
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Mar 2013 04:37:32 +0000 (04:37 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Mar 2013 04:37:32 +0000 (04:37 +0000)
https://bugs.webkit.org/show_bug.cgi?id=109446

Patch by Tim 'mithro' Ansell <mithro@mithis.com> on 2013-03-04
Reviewed by Eric Seidel.

Source/WebCore:

Test: fast/css/stylesheet.innerHTML-calls-didmutate.html

* css/CSSStyleSheet.h:

LayoutTests:

* fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt: Added.
* fast/css/stylesheet.innerHTML-calls-didmutate.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@144713 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/CSSStyleSheet.h

index 0ad8656..6f03e7c 100644 (file)
@@ -1,3 +1,13 @@
+2013-03-04  Tim 'mithro' Ansell  <mithro@mithis.com>
+
+        Make sure that clearOwnerNode also clears StyleResolver references (via didMutate).
+        https://bugs.webkit.org/show_bug.cgi?id=109446
+
+        Reviewed by Eric Seidel.
+
+        * fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt: Added.
+        * fast/css/stylesheet.innerHTML-calls-didmutate.html: Added.
+
 2013-03-04  Christian Biesinger  <cbiesinger@chromium.org>
 
         REGRESSION (r143643): Buttons containing floats render differently
diff --git a/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt b/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate-expected.txt
new file mode 100644 (file)
index 0000000..c1bc2e4
--- /dev/null
@@ -0,0 +1 @@
+Changing a documents stylesheet's innerHTML should not crash.
diff --git a/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate.html b/LayoutTests/fast/css/stylesheet.innerHTML-calls-didmutate.html
new file mode 100644 (file)
index 0000000..8c9fa0d
--- /dev/null
@@ -0,0 +1,23 @@
+<style>
+ h6 { 
+   text-shadow: 0.85714in -110pc -0.216688mm;
+ }
+ p + h6 {
+   left: 180cm;
+ }
+</style>
+<script>
+function main() {
+  var styletag = document.getElementsByTagName("style")[0];
+  styletag.type = "p";
+  styletag.innerHTML = "t";
+  var second_h6 = document.getElementsByTagName("h6")[1];
+  second_h6.align = 'a';
+  document.styleSheets[0].removeRule(0);
+
+  if (window.testRunner)
+    testRunner.dumpAsText();
+}
+</script>
+<body onload=main()><h6><h6>
+Changing a documents stylesheet's innerHTML should not crash.
index 984b7b6..939fabe 100644 (file)
@@ -1,3 +1,14 @@
+2013-03-04  Tim 'mithro' Ansell  <mithro@mithis.com>
+
+        Make sure that clearOwnerNode also clears StyleResolver references (via didMutate).
+        https://bugs.webkit.org/show_bug.cgi?id=109446
+
+        Reviewed by Eric Seidel.
+
+        Test: fast/css/stylesheet.innerHTML-calls-didmutate.html
+
+        * css/CSSStyleSheet.h:
+
 2013-03-04  Kentaro Hara  <haraken@chromium.org>
 
         Unreviewd build fix after r144701.
index 12190e0..b635516 100644 (file)
@@ -74,7 +74,7 @@ public:
     unsigned length() const;
     CSSRule* item(unsigned index);
 
-    virtual void clearOwnerNode() OVERRIDE { m_ownerNode = 0; }
+    virtual void clearOwnerNode() OVERRIDE { didMutate(); m_ownerNode = 0; }
     virtual CSSImportRule* ownerRule() const OVERRIDE { return m_ownerRule; }
     virtual KURL baseURL() const OVERRIDE;
     virtual bool isLoading() const OVERRIDE;