No subject


Mon Jan 28 08:41:14 PST 2013


8687">r148687</a> by &lt;inferno at chromium.org&gt;.

Source/WebCore:

A cached element pointer in the resolver state was causing confusion because
in some cases a subsequent call to styleForElement() would use a pointer to
a different object that is at the same memory address as the previous one.

Test: fast/css/reload-non-styled-element-crash.html

* css/StyleResolver.cpp:
(WebCore::StyleResolver::styleForElement):

LayoutTests:

* fast/css/reload-non-styled-element-crash-expected.txt: Added.
* fast/css/reload-non-styled-element-crash.html: Added.</pre>
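Added example, not WebKit code: a hypothetical miniature of the resolver state with a cached element pointer, showing how the shared-style early return without `state.clear()` lets a later call mistake a new object at the same address for the old one, and how the clear from this commit avoids it. `Element`, `State`, `Resolver` and `resolveAfterAddressReuse` are assumed stand-ins rather than WebCore's types, and the cache-hit check is a simplification of the confusion the commit message describes.

```cpp
#include <new>
#include <string>
#include <utility>

// Hypothetical stand-in for a DOM element; only the tag name matters here.
struct Element {
    std::string tagName;
    explicit Element(std::string t) : tagName(std::move(t)) {}
};
// Stand-in for StyleResolver::State: cached element pointer plus derived data.
struct State {
    const Element* element = nullptr;
    std::string cachedTag;
    void init(const Element* e) { element = e; cachedTag = e->tagName; }
    void clear() { element = nullptr; cachedTag.clear(); }
};
// Simplified resolver modelling only the shared-style early-return path of
// styleForElement(); `fixed` selects whether r148965's state.clear() runs.
class Resolver {
public:
    explicit Resolver(bool fixed) : m_fixed(fixed) {}
    std::string styleForElement(const Element* e) {
        // Bug model: a pointer match is trusted as "same element as last
        // time" and cached data is reused without re-reading the object.
        if (m_state.element == e)
            return m_state.cachedTag;
        m_state.init(e);
        std::string shared = m_state.cachedTag;  // stands in for locateSharedStyle()
        if (m_fixed)
            m_state.clear();  // the fix: clear state before the early return
        return shared;        // unfixed: state keeps pointing at `e`
    }
private:
    State m_state;
    bool m_fixed;
};
// Resolves "p", destroys it, then constructs "math" in the same storage so the
// two objects share one address; returns the tag reported for the second one.
std::string resolveAfterAddressReuse(bool fixed) {
    Resolver resolver(fixed);
    alignas(Element) unsigned char storage[sizeof(Element)];
    Element* first = new (storage) Element("p");
    resolver.styleForElement(first);
    first->~Element();
    Element* second = new (storage) Element("math");  // same address, new object
    std::string seen = resolver.styleForElement(second);
    second->~Element();
    return seen;  // "p" without the fix (stale cache wins), "math" with it
}
```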

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorecssStyleResolvercpp">trunk/Source/WebCore/css/StyleResolver.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastcssreloadnonstyledelementcrashexpectedtxt">trunk/LayoutTests/fast/css/reload-non-styled-element-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastcssreloadnonstyledelementcrashhtml">trunk/LayoutTests/fast/css/reload-non-styled-element-crash.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (148964 => 148965)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/LayoutTests/ChangeLog	2013-04-23 14:54:29 =
UTC (rev 148964)
+++ trunk/LayoutTests/ChangeLog	2013-04-23 14:55:17 UTC (rev 148965)
</span><span class=3D"lines">@@ -1,3 +1,15 @@
</span><ins>+2013-04-23  Andreas Kling  &lt;akling at apple.com&gt;
+
+        Clear StyleResolver state before returning from styleForElement(=
).
+        &lt;http://webkit.org/b/115035&gt;
+
+        Reviewed by Antti Koivisto.
+
+        From Blink r148687 by &lt;inferno at chromium.org&gt;.
+
+        * fast/css/reload-non-styled-element-crash-expected.txt: Added.
+        * fast/css/reload-non-styled-element-crash.html: Added.
+
</ins><span class=3D"cx"> 2013-04-23  Allan Sandfeld Jensen  &lt;allan.je=
nsen at digia.com&gt;
</span><span class=3D"cx">=20
</span><span class=3D"cx">         Baselines for fast/css/image-rendering=
.html
</span></span></pre></div>
<a id="trunkLayoutTestsfastcssreloadnonstyledelementcrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/reload-non-styled-element-crash-expected.txt (0 => 148965)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/LayoutTests/fast/css/reload-non-styled-ele=
ment-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/reload-non-styled-element-crash-expected.t=
xt	2013-04-23 14:55:17 UTC (rev 148965)
</span><span class=3D"lines">@@ -0,0 +1 @@
</span><ins>+PASS if no crash or assert in debug
</ins></span></pre></div>
<a id="trunkLayoutTestsfastcssreloadnonstyledelementcrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/reload-non-styled-element-crash.html (0 => 148965)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/LayoutTests/fast/css/reload-non-styled-ele=
ment-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/reload-non-styled-element-crash.html	2013-=
04-23 14:55:17 UTC (rev 148965)
</span><span class=3D"lines">@@ -0,0 +1,19 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+    function start() {
+        document.body.innerHTML=3D'&lt;p&gt;laserator&lt;p&gt;#f'
+        document.body.innerHTML =3D ''
+        var m =3D document.createElementNS('http://www.w3.org/1998/Math/=
MathML','free');
+        document.body.appendChild(m);
+        location.reload();
+        document.body.offsetTop;
+        document.body.innerHTML=3D'PASS if no crash or assert in debug';
+        if (window.testRunner)
+            testRunner.dumpAsText();
+    }
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body  onload=3D'start()'&gt;&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
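Review bot: `start()` runs on every `onload` and calls `location.reload()` unconditionally, so outside the test runner the page reloads in a loop; guarding the reload (for example, reloading only once, tracked with a `sessionStorage` flag) would keep the test usable when opened directly in a browser. Minor style points in the same hunk: the two `document.body.innerHTML` assignments lack semicolons, and `<body  onload='start()'>` has a doubled space.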
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (148964 => 148965)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/Source/WebCore/ChangeLog	2013-04-23 14:54:=
29 UTC (rev 148964)
+++ trunk/Source/WebCore/ChangeLog	2013-04-23 14:55:17 UTC (rev 148965)
</span><span class=3D"lines">@@ -1,5 +1,23 @@
</span><span class=3D"cx"> 2013-04-23  Andreas Kling  &lt;akling at apple.co=
m&gt;
</span><span class=3D"cx">=20
</span><ins>+        Clear StyleResolver state before returning from styl=
eForElement().
+        &lt;http://webkit.org/b/115035&gt;
+
+        Reviewed by Antti Koivisto.
+
+        From Blink r148687 by &lt;inferno at chromium.org&gt;.
+
+        A cached element pointer in the resolver state was causing confu=
sion because
+        in some cases a subsequent call to styleForElement() would use a=
 pointer to
+        a different object that is at the same memory address as the pre=
vious one.
+
+        Test: fast/css/reload-non-styled-element-crash.html
+
+        * css/StyleResolver.cpp:
+        (WebCore::StyleResolver::styleForElement):
+
+2013-04-23  Andreas Kling  &lt;akling at apple.com&gt;
+
</ins><span class=3D"cx">         XSSAuditor performance regression due t=
o threaded parser changes.
</span><span class=3D"cx">         &lt;http://webkit.org/b/115037&gt;
</span><span class=3D"cx">         &lt;rdar://problem/13716069&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorecssStyleResolvercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/StyleResolver.cpp (148964 => 148965)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/Source/WebCore/css/StyleResolver.cpp	2013-=
04-23 14:54:29 UTC (rev 148964)
+++ trunk/Source/WebCore/css/StyleResolver.cpp	2013-04-23 14:55:17 UTC (r=
ev 148965)
</span><span class=3D"lines">@@ -971,8 +971,10 @@
</span><span class=3D"cx">     state.initForStyleResolve(document(), elem=
ent, defaultParent, regionForStyling);
</span><span class=3D"cx">     if (sharingBehavior =3D=3D AllowStyleShari=
ng &amp;&amp; !state.distributedToInsertionPoint()) {
</span><span class=3D"cx">         RenderStyle* sharedStyle =3D locateSha=
redStyle();
</span><del>-        if (sharedStyle)
</del><ins>+        if (sharedStyle) {
+            state.clear();
</ins><span class=3D"cx">             return sharedStyle;
</span><ins>+        }
</ins><span class=3D"cx">     }
</span><span class=3D"cx">=20
</span><span class=3D"cx">     if (state.parentStyle()) {
</span></span></pre>
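Review bot: the added `state.clear()` covers only this one early return, so any further return path added to styleForElement() later would recreate the stale-pointer hazard; a scope guard that clears the state on every exit, or clearing it before reuse in initForStyleResolve(), would make the invariant hold structurally rather than per return site. The ChangeLog explains why a stale entry is dangerous here: the cached element pointer is compared by address, so a freed element and a new object allocated at the same address are indistinguishable to the resolver. An assertion in debug builds that the cached pointer is null on entry would catch any regression of this kind.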
</div>
</div>

</body>
</html>


More information about the webkit-changes mailing list