Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(238)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 809343002: ScopedStyleResolver should be cleared when ShadowRoot is removed from document. (Closed)

Created:
6 years ago by tasak
Modified:
6 years ago
Reviewers:
haraken, kochi
CC:
blink-reviews, webcomponents-bugzilla_chromium.org, sof, eae+blinkwatch, blink-reviews-dom_chromium.org, dglazkov+blink, rwlbuis
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Target Ref:
refs/heads/master
Project:
blink
Visibility:
Public.

Description

ScopedStyleResolver should be cleared when ShadowRoot is removed from document. If a shadow root (=treescope), which has a style element, is moved from a document to another document, a new ShadowStyleSheetCollection is created for the shadow root. The ShadowStyleSheetCollection has no active stylesheets, but the treescope's scopedStyleResolver has an active stylesheet. The active stylesheet has been already cleared (i.e. clearOwnerNode is invoked) while moving. However, StyleEngine cannot clear the treescope's resolver, because the ShadowStyleSheetCollection has no information. This causes heap-use-after-free. BUG=443017 TEST=fast/html/marquee-clone-crash.html Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=187602

Patch Set 1 #

Patch Set 2 : Fixed treeboundary-crossing-rules regression #

Patch Set 3 : Imported test from https://codereview.chromium.org/808333002/ #

Unified diffs Side-by-side diffs Delta from patch set Stats (+86 lines, -8 lines) Patch
A LayoutTests/fast/html/marquee-clone-crash.html View 1 2 1 chunk +61 lines, -0 lines 0 comments Download
A + LayoutTests/fast/html/marquee-clone-crash-expected.txt View 1 2 0 chunks +-1 lines, --1 lines 0 comments Download
A LayoutTests/fast/html/resources/marquee-crash.svg View 1 2 1 chunk +13 lines, -0 lines 0 comments Download
M Source/core/css/resolver/StyleResolver.cpp View 1 1 chunk +3 lines, -2 lines 0 comments Download
M Source/core/dom/shadow/ShadowRoot.cpp View 1 chunk +10 lines, -7 lines 0 comments Download

Messages

Total messages: 12 (4 generated)
tasak
6 years ago (2014-12-18 08:44:36 UTC) #2
kochi
Could you add more detail about what this CL intends to in the description? "When ...
6 years ago (2014-12-18 09:26:36 UTC) #3
tasak
On 2014/12/18 09:26:36, Takayoshi Kochi wrote: > Could you add more detail about what this ...
6 years ago (2014-12-18 10:56:28 UTC) #5
kochi
lgtm
6 years ago (2014-12-19 07:08:11 UTC) #6
tasak
haraken@, would you review this CL?
6 years ago (2014-12-19 13:10:58 UTC) #8
haraken
LGTM, based on kochi-san's LG.
6 years ago (2014-12-19 13:18:00 UTC) #9
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/809343002/60001
6 years ago (2014-12-22 05:16:08 UTC) #11
commit-bot: I haz the power
6 years ago (2014-12-22 05:19:26 UTC) #12
Message was sent while issue was closed. 
Committed patchset #3 (id:60001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=187602

Powered by Google App Engine
This is Rietveld 408576698