Copied: branches/chromium/782/LayoutTests/fast/dom/body-link-decl-parent-crash-expected.txt (from rev 88601, trunk/LayoutTests/fast/dom/body-link-decl-parent-crash-expected.txt) (0 => 88865)
--- branches/chromium/782/LayoutTests/fast/dom/body-link-decl-parent-crash-expected.txt (rev 0)
+++ branches/chromium/782/LayoutTests/fast/dom/body-link-decl-parent-crash-expected.txt 2011-06-14 23:05:38 UTC (rev 88865)
@@ -0,0 +1,5 @@
+Test passes if it does not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/chromium/782/LayoutTests/fast/dom/body-link-decl-parent-crash.html (from rev 88601, trunk/LayoutTests/fast/dom/body-link-decl-parent-crash.html) (0 => 88865)
--- branches/chromium/782/LayoutTests/fast/dom/body-link-decl-parent-crash.html (rev 0)
+++ branches/chromium/782/LayoutTests/fast/dom/body-link-decl-parent-crash.html 2011-06-14 23:05:38 UTC (rev 88865)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+Test passes if it does not crash.
+<div id="console"></div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+iframe1 = document.createElement('iframe');
+document.body.appendChild(iframe1);
+document1 = iframe1.contentDocument.implementation.createHTMLDocument("document");
+var body1 = document1.body;
+document1.alinkColor = "blue";
+document1.body = document1.createElement('body');
+delete document1;
+gc();
+body1.vLink = 1;
+
+var successfullyParsed = true;
+</script>
+<script src=""
+</body>
+</html>
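Review bot: `gc()` at L34 is called unguarded, so unless the test harness script defines a fallback the call throws a ReferenceError outside DumpRenderTree, `successfullyParsed` is never set and the test fails for the wrong reason; the usual pattern is `if (window.GCController) GCController.collect(); else for (var i = 0; i < 10000; ++i) new String(i);` or a guarded `gc()` helper. The two `<script src=""` lines at L18 and L39 as shown here have an empty src and no closing `>` or `</script>`, so this cannot be the exact file as committed — presumably the js-test-pre/js-test-post references were lost when the page was extracted, which is worth knowing before copying the test. Note that `document1` is assigned without `var` at L29 precisely so that `delete document1` at L33 can drop the only reference before `gc()`; a one-line comment saying so would keep a later cleanup from adding `var` and silently defeating the test.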
Copied: branches/chromium/782/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash-expected.txt (from rev 88601, trunk/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash-expected.txt) (0 => 88865)
--- branches/chromium/782/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash-expected.txt (rev 0)
+++ branches/chromium/782/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash-expected.txt 2011-06-14 23:05:38 UTC (rev 88865)
@@ -0,0 +1,5 @@
+Test passes if it does not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/chromium/782/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash.html (from rev 88601, trunk/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash.html) (0 => 88865)
--- branches/chromium/782/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash.html (rev 0)
+++ branches/chromium/782/LayoutTests/fast/dom/styled-inline-style-decl-parent-crash.html 2011-06-14 23:05:38 UTC (rev 88865)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+Test passes if it does not crash.
+<div id="console"></div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+iframe1 = document.createElement('iframe');
+document.body.appendChild(iframe1);
+document1 = iframe1.contentDocument.implementation.createHTMLDocument("document");
+var div1 = document1.createElement('div');
+document1.body.appendChild(div1);
+div1.style.color = "blue";
+document1.body.removeChild(div1);
+delete document1;
+gc();
+div1.style.color = "red";
+
+var successfullyParsed = true;
+</script>
+<script src=""
+</body>
+</html>
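Review bot: This test only exercises an element that was inserted and then removed (L71–L73), while the `StyledElement` fix in this commit also creates the declaration's parent link on insertion; a sibling case where the div is styled without ever being appended (`var div1 = document1.createElement('div'); div1.style.color = "blue"; delete document1; gc(); div1.style.color = "red";`) would confirm that the never-inserted path does not keep a stale parent. As in the body-link test, `gc()` at L75 is unguarded and the `document1` global is intentionally declared without `var` so that `delete document1` works; a comment on L69 stating that intent is worthwhile.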
Modified: branches/chromium/782/Source/WebCore/dom/StyledElement.cpp (88864 => 88865)
--- branches/chromium/782/Source/WebCore/dom/StyledElement.cpp 2011-06-14 23:05:32 UTC (rev 88864)
+++ branches/chromium/782/Source/WebCore/dom/StyledElement.cpp 2011-06-14 23:05:38 UTC (rev 88865)
@@ -439,7 +439,22 @@
style->addSubresourceStyleURLs(urls);
}
+void StyledElement::insertedIntoDocument()
+{
+ Element::insertedIntoDocument();
+ if (m_inlineStyleDecl)
+ m_inlineStyleDecl->setParent(document()->elementSheet());
+}
+
+void StyledElement::removedFromDocument()
+{
+ if (m_inlineStyleDecl)
+ m_inlineStyleDecl->setParent(0);
+
+ Element::removedFromDocument();
+}
+
void StyledElement::didMoveToNewOwnerDocument()
{
if (m_inlineStyleDecl)
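Review bot: The parent sheet is only cleared in `removedFromDocument`, so an element that acquires `m_inlineStyleDecl` while detached (createElement followed by `.style` access, never appended) keeps whatever parent the declaration was created with, which presumably is also `document()->elementSheet()`; if that is the case the never-inserted variant of styled-inline-style-decl-parent-crash.html still reproduces and the creation path needs the same treatment. The new `removedFromDocument` carries no rationale, unlike the matching HTMLBodyElement change that cites the bug; suggest `// Detach from the document's element sheet: a removed element can outlive its document (webkit bug 62230).` above the `setParent(0)`. `didMoveToNewOwnerDocument` continues past the end of this hunk.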
Modified: branches/chromium/782/Source/WebCore/dom/StyledElement.h (88864 => 88865)
--- branches/chromium/782/Source/WebCore/dom/StyledElement.h 2011-06-14 23:05:32 UTC (rev 88864)
+++ branches/chromium/782/Source/WebCore/dom/StyledElement.h 2011-06-14 23:05:38 UTC (rev 88865)
@@ -84,6 +84,8 @@
// svgAttributeChanged (called when element.className.baseValue is set)
void classAttributeChanged(const AtomicString& newClassString);
+ virtual void insertedIntoDocument();
+ virtual void removedFromDocument();
virtual void didMoveToNewOwnerDocument();
private:
Modified: branches/chromium/782/Source/WebCore/html/HTMLBodyElement.cpp (88864 => 88865)
--- branches/chromium/782/Source/WebCore/html/HTMLBodyElement.cpp 2011-06-14 23:05:32 UTC (rev 88864)
+++ branches/chromium/782/Source/WebCore/html/HTMLBodyElement.cpp 2011-06-14 23:05:38 UTC (rev 88865)
@@ -116,6 +116,13 @@
} else if (attr->name() == vlinkAttr ||
attr->name() == alinkAttr ||
attr->name() == linkAttr) {
+ // This tells us that we are removed from document. If our document is later destroyed
+ // (not deleted since we hold a guardRef), our stylesheet list will be null causing a crash
+ // later in document()->styleSelector(). So, we bail out early because we shouldn't be
+ // modifying anything in that document. See webkit bug 62230.
+ if (m_linkDecl && !m_linkDecl->parent())
+ return;
+
if (attr->isNull()) {
if (attr->name() == linkAttr)
document()->resetLinkColor();
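Review bot: The early return at L128 fires only when `m_linkDecl` already exists, so the first `vlink`/`alink`/`link` set on a body that is already detached skips the guard and proceeds to create the declaration and touch `document()` below, presumably with the same null-stylesheet-list hazard the comment describes; if that path is reachable it should take the same early return, and the guard cannot simply become `!inDocument()` because the parser sets these attributes before insertion. The comment's first sentence is anchored to the wrong thing — it reads as if the return is the signal; suggest `// A link declaration whose parent sheet is null means removedFromDocument() ran.` as the opening line. `parseMappedAttribute` begins and ends outside this hunk.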
@@ -202,8 +209,27 @@
if (document() && document()->page())
document()->page()->updateViewportArguments();
+
+ if (m_linkDecl)
+ m_linkDecl->setParent(document()->elementSheet());
}
+void HTMLBodyElement::removedFromDocument()
+{
+ if (m_linkDecl)
+ m_linkDecl->setParent(0);
+
+ HTMLElement::removedFromDocument();
+}
+
+void HTMLBodyElement::didMoveToNewOwnerDocument()
+{
+ if (m_linkDecl)
+ m_linkDecl->setParent(document()->elementSheet());
+
+ HTMLElement::didMoveToNewOwnerDocument();
+}
+
bool HTMLBodyElement::isURLAttribute(Attribute *attr) const
{
return attr->name() == backgroundAttr;
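Review bot: L139 dereferences `document()` unconditionally while the line immediately above guards it with `if (document() && document()->page())`; either that guard is redundant in `insertedIntoDocument` or the new call needs it too, and the two adjacent lines should agree, e.g. `if (m_linkDecl && document()) m_linkDecl->setParent(document()->elementSheet());`. The relocated `didMoveToNewOwnerDocument` dropped the explanatory comment the removed copy had; a one-liner such as `// Re-parent the link declaration to the new owner document's element sheet so it never points at a sheet of a document we left.` preserves the rationale. The body of `insertedIntoDocument` begins outside this hunk.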
@@ -345,16 +371,4 @@
addSubresourceURL(urls, document()->completeURL(getAttribute(backgroundAttr)));
}
-void HTMLBodyElement::didMoveToNewOwnerDocument()
-{
- // When moving body elements between documents, we should have to reset the parent sheet for any
- // link style declarations. If we don't we might crash later.
- // In practice I can't reproduce this theoretical problem.
- // webarchive/adopt-attribute-styled-body-webarchive.html tries to make sure this crash won't surface.
- if (m_linkDecl)
- m_linkDecl->setParent(document()->elementSheet());
-
- HTMLElement::didMoveToNewOwnerDocument();
-}
-
} // namespace WebCore
Modified: branches/chromium/782/Source/WebCore/html/HTMLBodyElement.h (88864 => 88865)
--- branches/chromium/782/Source/WebCore/html/HTMLBodyElement.h 2011-06-14 23:05:32 UTC (rev 88864)
+++ branches/chromium/782/Source/WebCore/html/HTMLBodyElement.h 2011-06-14 23:05:38 UTC (rev 88865)
@@ -74,6 +74,8 @@
virtual void parseMappedAttribute(Attribute*);
virtual void insertedIntoDocument();
+ virtual void removedFromDocument();
+ virtual void didMoveToNewOwnerDocument();
void createLinkDecl();
@@ -91,8 +93,6 @@
virtual int scrollWidth() const;
virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
-
- virtual void didMoveToNewOwnerDocument();
RefPtr<CSSMutableStyleDeclaration> m_linkDecl;
};