Fix memory error during selector matching due to getMatchedCSSRules.

Source/core/css/CSSStyleSheet.cpp

 /*
  * (C) 1999-2003 Lars Knoll (knoll@kde.org)
  * Copyright (C) 2004, 2006, 2007, 2012 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
  * version 2 of the License, or (at your option) any later version.
  *
  * This library is distributed in the hope that it will be useful,
@@ skipping 10 matching lines @@
 #include "config.h"
 #include "core/css/CSSStyleSheet.h"
 
 #include "HTMLNames.h"
 #include "SVGNames.h"
 #include "bindings/v8/ExceptionState.h"
 #include "core/css/CSSCharsetRule.h"
 #include "core/css/CSSImportRule.h"
 #include "core/css/CSSParser.h"
 #include "core/css/CSSRuleList.h"
+#include "core/css/CSSStyleRule.h"
 #include "core/css/MediaList.h"
 #include "core/css/StyleRule.h"
 #include "core/css/StyleSheetContents.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExceptionCode.h"
 #include "core/dom/Node.h"
 #include "weborigin/SecurityOrigin.h"
 #include "wtf/text/StringBuilder.h"
 
 namespace WebCore {
@@ skipping 69 matching lines @@
 
 CSSStyleSheet::~CSSStyleSheet()
 {
     // For style rules outside the document, .parentStyleSheet can become null even if the style rule
     // is still observable from JavaScript. This matches the behavior of .parentNode for nodes, but
     // it's not ideal because it makes the CSSOM's behavior depend on the timing of garbage collection.
     for (unsigned i = 0; i < m_childRuleCSSOMWrappers.size(); ++i) {
         if (m_childRuleCSSOMWrappers[i])
             m_childRuleCSSOMWrappers[i]->setParentStyleSheet(0);
     }
+    for (unsigned i = 0; i < m_extraChildRuleCSSOMWrappers.size(); ++i) {
+        m_extraChildRuleCSSOMWrappers[i]->setParentStyleSheet(0);

[esprehn, 2013/10/29 20:08:44]

braces are not needed.

[ojan, 2013/10/29 20:35:15]

Done.

+    }
     if (m_mediaCSSOMWrapper)
         m_mediaCSSOMWrapper->clearParentStyleSheet();
 
     m_contents->unregisterClient(this);
 }
 
+void CSSStyleSheet::extraCSSOMWrapperIndices(Vector<unsigned>& indices)
+{
+    indices.grow(m_extraChildRuleCSSOMWrappers.size());

[esprehn, 2013/10/29 20:08:44]

Instead you can make this function return a const Vector<unsigned>& and just
return indicies at the end.

[ojan, 2013/10/29 20:35:15]

As discussed offline, this doesn't work.

+
+    for (unsigned i = 0; i < m_extraChildRuleCSSOMWrappers.size(); ++i) {
+        CSSRule* cssRule = m_extraChildRuleCSSOMWrappers[i].get();
+        ASSERT(cssRule->type() == CSSRule::STYLE_RULE);
+        StyleRule* styleRule = toCSSStyleRule(cssRule)->styleRule();
+
+        bool didFindIndex = false;
+        for (unsigned j = 0; j < m_contents->ruleCount(); ++j) {
+            if (m_contents->ruleAt(j) == styleRule) {
+                didFindIndex = true;
+                indices[i] = j;
+                break;
+            }
+        }
+        ASSERT(didFindIndex);
+        if (!didFindIndex)
+            indices[i] = 0;
+    }
+}
+
 void CSSStyleSheet::willMutateRules()
 {
     // If we are the only client it is safe to mutate.
     if (m_contents->hasOneClient() && !m_contents->isInMemoryCache()) {
         m_contents->setMutable();
         return;
     }
     // Only cacheable stylesheets should have multiple clients.
     ASSERT(m_contents->isCacheable());
 
+    Vector<unsigned> indices;
+    extraCSSOMWrapperIndices(indices);

[esprehn, 2013/10/29 20:08:44]

const Vector<unsigned>& indexes = cssomWrapperIndexes();

+
     // Copy-on-write.
     m_contents->unregisterClient(this);
     m_contents = m_contents->copy();
     m_contents->registerClient(this);
 
     m_contents->setMutable();
 
     // Any existing CSSOM wrappers need to be connected to the copied child rules.
-    reattachChildRuleCSSOMWrappers();
+    reattachChildRuleCSSOMWrappers(indices);
 }
 
 void CSSStyleSheet::didMutateRules()
 {
     ASSERT(m_contents->isMutable());
     ASSERT(m_contents->hasOneClient());
 
     didMutate(PartialRuleUpdate);
 }
 
 void CSSStyleSheet::didMutate(StyleSheetUpdateType updateType)
 {
     Document* owner = ownerDocument();
     if (!owner)
         return;
 
     // Need FullStyleUpdate when insertRule or deleteRule,
     // because StyleSheetCollection::analyzeStyleSheetChange cannot detect partial rule update.
     StyleResolverUpdateMode updateMode = updateType != PartialRuleUpdate ? AnalyzedStyleUpdate : FullStyleUpdate;
     owner->modifiedStyleSheet(this, RecalcStyleDeferred, updateMode);
 }
 
-void CSSStyleSheet::reattachChildRuleCSSOMWrappers()
+void CSSStyleSheet::registerExtraChildRuleCSSOMWrapper(PassRefPtr<CSSRule> rule)
 {
+    m_extraChildRuleCSSOMWrappers.append(rule);
+}
+
+void CSSStyleSheet::reattachChildRuleCSSOMWrappers(const Vector<unsigned>& extraCSSOMWrapperIndices)
+{
+    ASSERT(extraCSSOMWrapperIndices.size() == m_extraChildRuleCSSOMWrappers.size());
+    for (unsigned i = 0; i < extraCSSOMWrapperIndices.size(); ++i) {
+        m_extraChildRuleCSSOMWrappers[i]->reattach(m_contents->ruleAt(extraCSSOMWrapperIndices[i]));

[esprehn, 2013/10/29 20:08:44]

extra braces

[ojan, 2013/10/29 20:35:15]

Done.

+    }
+
     for (unsigned i = 0; i < m_childRuleCSSOMWrappers.size(); ++i) {
         if (!m_childRuleCSSOMWrappers[i])
             continue;
         m_childRuleCSSOMWrappers[i]->reattach(m_contents->ruleAt(i));
     }
 }
 
 void CSSStyleSheet::setDisabled(bool disabled)
 {
     if (disabled == m_isDisabled)
@@ skipping 184 matching lines @@
         root = root->parentStyleSheet();
     return root->ownerNode() ? &root->ownerNode()->document() : 0;
 }
 
 void CSSStyleSheet::clearChildRuleCSSOMWrappers()
 {
     m_childRuleCSSOMWrappers.clear();
 }
 
 }