<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195606] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195606">195606</a></dd>
<dt>Author</dt> <dd>hyatt@apple.com</dd>
<dt>Date</dt> <dd>2016-01-26 12:07:07 -0800 (Tue, 26 Jan 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Speculative fixes for crashing in viewportChangeAffectedPicture
https://bugs.webkit.org/show_bug.cgi?id=153450
Reviewed by Dean Jackson.
Don't attach any conditions to the removal of a picture element from
the document's HashSet. This ensures that if the condition is ever
wrong for any reason, we'll still remove the picture element on
destruction.
Fix the media query evaluation to match the other evaluations (used by
the preload scanner and HTMLImageElement). This includes using the
document element's computed style instead of our own and also null
checking the document element first. This is the likely cause of the
crashes.
* html/HTMLPictureElement.cpp:
(WebCore::HTMLPictureElement::~HTMLPictureElement):
(WebCore::HTMLPictureElement::didMoveToNewDocument):
(WebCore::HTMLPictureElement::viewportChangeAffectedPicture):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLPictureElementcpp">trunk/Source/WebCore/html/HTMLPictureElement.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (195605 => 195606)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-01-26 19:57:49 UTC (rev 195605)
+++ trunk/Source/WebCore/ChangeLog 2016-01-26 20:07:07 UTC (rev 195606)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2016-01-25 Dave Hyatt <hyatt@apple.com>
+
+ Speculative fixes for crashing in viewportChangeAffectedPicture
+ https://bugs.webkit.org/show_bug.cgi?id=153450
+
+ Reviewed by Dean Jackson.
+
+ Don't attach any conditions to the removal of a picture element from
+ the document's HashSet. This ensures that if the condition is ever
+ wrong for any reason, we'll still remove the picture element on
+ destruction.
+
+ Fix the media query evaluation to match the other evaluations (used by
+ the preload scanner and HTMLImageElement). This includes using the
+ document element's computed style instead of our own and also null
+ checking the document element first. This is the likely cause of the
+ crashes.
+
+ * html/HTMLPictureElement.cpp:
+ (WebCore::HTMLPictureElement::~HTMLPictureElement):
+ (WebCore::HTMLPictureElement::didMoveToNewDocument):
+ (WebCore::HTMLPictureElement::viewportChangeAffectedPicture):
+
</ins><span class="cx"> 2016-01-26 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> Make sure a page is still PageCache-able after firing the 'pagehide' events
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLPictureElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLPictureElement.cpp (195605 => 195606)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLPictureElement.cpp 2016-01-26 19:57:49 UTC (rev 195605)
+++ trunk/Source/WebCore/html/HTMLPictureElement.cpp 2016-01-26 20:07:07 UTC (rev 195606)
</span><span class="lines">@@ -39,13 +39,12 @@
</span><span class="cx">
</span><span class="cx"> HTMLPictureElement::~HTMLPictureElement()
</span><span class="cx"> {
</span><del>- if (hasViewportDependentResults())
- document().removeViewportDependentPicture(*this);
</del><ins>+ document().removeViewportDependentPicture(*this);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void HTMLPictureElement::didMoveToNewDocument(Document* oldDocument)
</span><span class="cx"> {
</span><del>- if (hasViewportDependentResults() && oldDocument)
</del><ins>+ if (oldDocument)
</ins><span class="cx"> oldDocument->removeViewportDependentPicture(*this);
</span><span class="cx"> HTMLElement::didMoveToNewDocument(oldDocument);
</span><span class="cx"> sourcesChanged();
</span><span class="lines">@@ -64,7 +63,7 @@
</span><span class="cx">
</span><span class="cx"> bool HTMLPictureElement::viewportChangeAffectedPicture()
</span><span class="cx"> {
</span><del>- MediaQueryEvaluator evaluator(document().printing() ? "print" : "screen", document().frame(), computedStyle());
</del><ins>+ MediaQueryEvaluator evaluator(document().printing() ? "print" : "screen", document().frame(), document().documentElement() ? document().documentElement()->computedStyle() : nullptr);
</ins><span class="cx"> unsigned numResults = m_viewportDependentMediaQueryResults.size();
</span><span class="cx"> for (unsigned i = 0; i < numResults; i++) {
</span><span class="cx"> if (evaluator.eval(&m_viewportDependentMediaQueryResults[i]->m_expression) != m_viewportDependentMediaQueryResults[i]->m_result)
</span></span></pre>
</div>
</div>
</body>
</html>