Issue 821093008: Merge 187602 "ScopedStyleResolver should be cleared when ShadowR..."

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 821093008: Merge 187602 "ScopedStyleResolver should be cleared when ShadowR..." (Closed)

Created:
6 years ago by kochi

Modified:
6 years ago

Reviewers:
tasak

CC:
blink-reviews, webcomponents-bugzilla_chromium.org, blink-reviews-css, sof, eae+blinkwatch, ed+blinkwatch_opera.com, blink-reviews-dom_chromium.org, dglazkov+blink, apavlov+blink_chromium.org, darktears, rwlbuis

Base URL:
svn://svn.chromium.org/blink/branches/chromium/2214/

Project:
blink

Visibility:
Public.

More Reviews

Description

Merge 187602 "ScopedStyleResolver should be cleared when ShadowR..." > ScopedStyleResolver should be cleared when ShadowRoot is removed from document. > > If a shadow root (=treescope), which has a style element, is moved from a document to another document, a new ShadowStyleSheetCollection is created for the shadow root. > > The ShadowStyleSheetCollection has no active stylesheets, but the treescope's scopedStyleResolver has an active stylesheet. > > The active stylesheet has been already cleared (i.e. clearOwnerNode is invoked) while moving. > However, StyleEngine cannot clear the treescope's resolver, because the ShadowStyleSheetCollection has no information. This causes heap-use-after-free. > > BUG=443017 > TEST=fast/html/marquee-clone-crash.html > > Review URL: https://codereview.chromium.org/809343002 TBR=tasak@google.com Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=187669

Patch Set 1 #

Created: 6 years ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+10 lines, -6 lines)			Patch
A +	LayoutTests/fast/html/marquee-clone-crash.html	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
A +	LayoutTests/fast/html/marquee-clone-crash-expected.txt	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
A +	LayoutTests/fast/html/resources/marquee-crash.svg	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
M	Source/core/css/resolver/StyleResolver.cpp	View	1 chunk	+3 lines, -2 lines	0 comments	Download
M	Source/core/dom/shadow/ShadowRoot.cpp	View	1 chunk	+10 lines, -7 lines	0 comments	Download

Messages

Total messages: 2 (0 generated)

Expand Messages | Collapse Messages

Message was sent while issue was closed.

Committed patchset #1 (id:1) manually as r187669 (tree was closed).

Expand Messages | Collapse Messages