Crash in WebCore::StyleSheetContents::checkLoadCompleted.
author: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Aug 2012 00:42:04 +0000 (00:42 +0000)
committer: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Aug 2012 00:42:04 +0000 (00:42 +0000)
https://bugs.webkit.org/show_bug.cgi?id=95106

Reviewed by Antti Koivisto.

Source/WebCore:

RefPtr StyleSheetContents since it can get blown away in script execution inside
sheetLoaded().

Test: fast/css/style-element-process-crash.html

* css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::checkLoadCompleted):

LayoutTests:

* fast/css/style-element-process-crash-expected.txt: Added.
* fast/css/style-element-process-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@127071 268f45cc-cd09-0410-ab3c-d52691b4dbfc
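The lifetime hazard this commit fixes, as an added example that is not WebCore's code: a method on a ref-counted object calls out to code that can run script, the script drops the owner's only reference, and the method then touches its own members. `DemoRefCounted` and `DemoRefPtr` are simplified stand-ins for WTF's `RefCounted`/`RefPtr`, `sheetLoadedHook` is a hypothetical stand-in for whatever `sheetLoaded()` ends up running, and "destruction" only sets a flag instead of freeing memory, so the pre-patch path can be observed deterministically rather than as undefined behaviour.

```cpp
#include <cstdio>
#include <functional>

// Stand-in for WTF::RefCounted (assumption: not WebCore code). Reaching a
// refcount of zero records destruction instead of `delete this`, so a later
// member access on the "dead" object is detectable in this demo.
class DemoRefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() {
        if (--m_refCount == 0)
            m_destroyed = true;       // a real RefCounted would free the object here
    }
    bool destroyed() const { return m_destroyed; }
    int refCount() const { return m_refCount; }
private:
    int m_refCount = 0;               // simplified: the first DemoRefPtr takes it to 1
    bool m_destroyed = false;
};

// Stand-in for WTF::RefPtr: holds one strong reference for its lifetime.
template<typename T>
class DemoRefPtr {
public:
    DemoRefPtr() = default;
    explicit DemoRefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    DemoRefPtr(const DemoRefPtr&) = delete;
    DemoRefPtr& operator=(const DemoRefPtr&) = delete;
    ~DemoRefPtr() { clear(); }
    void clear() {
        if (!m_ptr) return;
        T* p = m_ptr;
        m_ptr = nullptr;
        p->deref();
    }
    T* get() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// Stand-in for StyleSheetContents. Load completion calls out to "script"
// (sheetLoadedHook, hypothetical), which may release the owner's reference.
class DemoSheetContents : public DemoRefCounted {
public:
    std::function<void()> sheetLoadedHook;
    int rulesTouchedAfterLoad = 0;

    // Shape of the patched code: a protector keeps `this` alive across the call-out.
    // Returns true if the member access after the hook hit a live object.
    bool checkLoadCompletedProtected() {
        DemoRefPtr<DemoSheetContents> protect(this);   // like RefPtr<StyleSheetContents> protect(this);
        if (sheetLoadedHook)
            sheetLoadedHook();
        ++rulesTouchedAfterLoad;                        // safe: protector still holds a reference
        return !destroyed();
    }

    // Shape of the pre-patch code: nothing keeps `this` alive while script runs.
    bool checkLoadCompletedUnprotected() {
        if (sheetLoadedHook)
            sheetLoadedHook();
        ++rulesTouchedAfterLoad;                        // use-after-free with a real delete
        return !destroyed();
    }
};

struct Outcome {
    bool unprotectedSafe;               // member access after script on a live object?
    bool protectedSafe;
    bool protectedReleasedAfterwards;   // protector dropped the last reference on scope exit?
};

// Runs both variants with an owner that holds the sole reference and a hook
// that releases it (the "script blows the sheet away" case from the commit).
Outcome runScenario() {
    Outcome out{};

    auto* unsafeSheet = new DemoSheetContents;
    {
        DemoRefPtr<DemoSheetContents> owner(unsafeSheet);
        unsafeSheet->sheetLoadedHook = [&owner] { owner.clear(); };
        out.unprotectedSafe = unsafeSheet->checkLoadCompletedUnprotected();
    }
    delete unsafeSheet;   // demo-only cleanup; deref() did not free it

    auto* safeSheet = new DemoSheetContents;
    {
        DemoRefPtr<DemoSheetContents> owner(safeSheet);
        safeSheet->sheetLoadedHook = [&owner] { owner.clear(); };
        out.protectedSafe = safeSheet->checkLoadCompletedProtected();
    }
    out.protectedReleasedAfterwards = safeSheet->destroyed();
    delete safeSheet;     // demo-only cleanup
    return out;
}

int main() {
    Outcome o = runScenario();
    std::printf("unprotected safe: %d, protected safe: %d, released after scope: %d\n",
                o.unprotectedSafe, o.protectedSafe, o.protectedReleasedAfterwards);
    return 0;
}
```

The point the demo makes is that the protector does not change what script may do; it only guarantees the object outlives the method that is still executing on it, after which the last deref happens at a point where no one reads its members.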

LayoutTests/ChangeLog
LayoutTests/fast/css/style-element-process-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/style-element-process-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/css/StyleSheetContents.cpp

index b176797..67ce73a 100644 (file)
@@ -1,3 +1,13 @@
+2012-08-29  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in WebCore::StyleSheetContents::checkLoadCompleted.
+        https://bugs.webkit.org/show_bug.cgi?id=95106
+
+        Reviewed by Antti Koivisto.
+
+        * fast/css/style-element-process-crash-expected.txt: Added.
+        * fast/css/style-element-process-crash.html: Added.
+
 2012-08-29  José Dapena Paz  <jdapena@igalia.com>
 
         [Gtk] Process Gtk 3.4 smooth scroll events properly.
diff --git a/LayoutTests/fast/css/style-element-process-crash-expected.txt b/LayoutTests/fast/css/style-element-process-crash-expected.txt
new file mode 100644 (file)
index 0000000..2afa0bf
--- /dev/null
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
diff --git a/LayoutTests/fast/css/style-element-process-crash.html b/LayoutTests/fast/css/style-element-process-crash.html
new file mode 100755 (executable)
index 0000000..0c03691
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.testRunner)
+       testRunner.dumpAsText();
+
+function crash() {
+       document.body.innerHTML = "PASS. WebKit didn't crash.";
+}
+</script>
+<object>
+<input autofocus onfocus="crash()">
+</object>
+<style>
+.abc::first-child { 
+       font: 2147483647 small-caps 3507521020px sans-serif;
+}
+</style>
+</html>
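Review bot: the test carries no comment tying the `<object>`/`autofocus`/`<style>` arrangement to bug 95106, so a later cleanup could "fix" the odd `::first-child` selector or the out-of-range font values and silently lose the reproduction; a one-line comment such as `<!-- Focus handler runs while the sheet is still loading; see bug 95106 -->` above the `<object>` would preserve the intent. Minor: the `.abc::first-child { ` line has trailing whitespace, and `crash()` now writes the PASS text, so a name like `didNotCrash()` would read more honestly.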
index 6fec4f9..5da5154 100644 (file)
@@ -1,3 +1,18 @@
+2012-08-29  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in WebCore::StyleSheetContents::checkLoadCompleted.
+        https://bugs.webkit.org/show_bug.cgi?id=95106
+
+        Reviewed by Antti Koivisto.
+
+        RefPtr StyleSheetContents since it can get blown away in script execution inside
+        sheetLoaded().
+
+        Test: fast/css/style-element-process-crash.html
+
+        * css/StyleSheetContents.cpp:
+        (WebCore::StyleSheetContents::checkLoadCompleted):
+
 2012-08-29  José Dapena Paz  <jdapena@igalia.com>
 
         [Gtk] Process Gtk 3.4 smooth scroll events properly.
index f8d6321..86e4d2c 100644 (file)
@@ -349,6 +349,8 @@ void StyleSheetContents::checkLoadCompleted()
     if (!checkImportedSheetLoadCompleted())
         return;
 
+    RefPtr<StyleSheetContents> protect(this);
+
     ASSERT(hasOneClient());
     ASSERT(!m_clients[0]->parentStyleSheet());
     RefPtr<Node> ownerNode = m_clients[0]->ownerNode();
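Review bot: the protector `RefPtr<StyleSheetContents> protect(this);` has no comment saying what it guards against, and nothing in this hunk shows the call-out it protects, so a reader of the function will not know why it must stay; suggest `// sheetLoaded() below can run script that drops the last reference to this sheet.` directly above it. Placing it after the `checkImportedSheetLoadCompleted()` early return is fine, since that path does not reach the script-running code and avoids an unneeded ref/deref. Note that `ownerNode` is already held in a `RefPtr<Node>`, so with this change both the sheet and its owner node survive the notification.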