91 lines
3.4 KiB
Text
91 lines
3.4 KiB
Text
commit 3ddaaf254633
|
|
Author: Boris Zbarsky <bzbarsky@mit.edu>
|
|
Date: Thu Sep 28 22:04:34 2017 -0400
|
|
|
|
Bug 1402218 - Make sure to clone our CSSDeclaration as needed when removing properties. r=emilio, a=sledru
|
|
|
|
MozReview-Commit-ID: 6LRjLU3QQok
|
|
|
|
--HG--
|
|
extra : source : 76b6ae2fc6eb389810cb2a745f976be11516eb44
|
|
extra : amend_source : 849900fa9c4e12b62cf73175666a672ca6ab3914
|
|
---
|
|
layout/style/DeclarationBlockInlines.h | 9 +++++++++
|
|
layout/style/crashtests/1402218-1.html | 15 +++++++++++++++
|
|
layout/style/crashtests/crashtests.list | 3 ++-
|
|
layout/style/nsDOMCSSDeclaration.cpp | 12 +-----------
|
|
4 files changed, 27 insertions(+), 12 deletions(-)
|
|
|
|
diff --git layout/style/DeclarationBlockInlines.h layout/style/DeclarationBlockInlines.h
|
|
index 5438bd1957c2..c9e0d4f82e31 100644
|
|
--- layout/style/DeclarationBlockInlines.h
|
|
+++ layout/style/DeclarationBlockInlines.h
|
|
@@ -46,6 +46,15 @@ DeclarationBlock::EnsureMutable()
|
|
AsGecko()->AssertNotExpanded();
|
|
}
|
|
#endif
|
|
+ if (IsServo() && !IsDirty()) {
|
|
+ // In stylo, the old DeclarationBlock is stored in element's rule node tree
|
|
+ // directly, to avoid new values replacing the DeclarationBlock in the tree
|
|
+ // directly, we need to copy the old one here if we haven't yet copied.
|
|
+ // As a result the new value does not replace rule node tree until traversal
|
|
+ // happens.
|
|
+ return Clone();
|
|
+ }
|
|
+
|
|
if (!IsMutable()) {
|
|
return Clone();
|
|
}
|
|
diff --git layout/style/crashtests/1402218-1.html layout/style/crashtests/1402218-1.html
|
|
new file mode 100644
|
|
index 000000000000..597c1c4d5e53
|
|
--- /dev/null
|
|
+++ layout/style/crashtests/1402218-1.html
|
|
@@ -0,0 +1,15 @@
|
|
+<!DOCTYPE html>
|
|
+<style>
|
|
+#wrapper::first-line {}
|
|
+</style>
|
|
+<body>
|
|
+<div id="wrapper">
|
|
+ <div id="test"></div>
|
|
+</div>
|
|
+<script>
|
|
+ document.querySelector('#test').style.position = 'absolute';
|
|
+ document.body.offsetHeight;
|
|
+ document.querySelector('#wrapper').style.color = 'green';
|
|
+ document.querySelector('#test').style.position = '';
|
|
+</script>
|
|
+</body>
|
|
diff --git layout/style/crashtests/crashtests.list layout/style/crashtests/crashtests.list
|
|
index e0a7fe4a20c5..ab9b5a7a9a4e 100644
|
|
--- layout/style/crashtests/crashtests.list
|
|
+++ layout/style/crashtests/crashtests.list
|
|
@@ -202,3 +202,4 @@ load 1387481-1.html
|
|
load 1387499.html
|
|
load 1391577.html
|
|
load 1398581.html
|
|
+load 1402218-1.html
|
|
diff --git layout/style/nsDOMCSSDeclaration.cpp layout/style/nsDOMCSSDeclaration.cpp
|
|
index a828f0e7b3dd..12e03c314fe9 100644
|
|
--- layout/style/nsDOMCSSDeclaration.cpp
|
|
+++ layout/style/nsDOMCSSDeclaration.cpp
|
|
@@ -305,17 +305,7 @@ nsDOMCSSDeclaration::ModifyDeclaration(GeckoFunc aGeckoFunc,
|
|
// between when we mutate the declaration and when we set the new
|
|
// rule (see stack in bug 209575).
|
|
mozAutoDocConditionalContentUpdateBatch autoUpdate(DocToUpdate(), true);
|
|
- RefPtr<DeclarationBlock> decl;
|
|
- if (olddecl->IsServo() && !olddecl->IsDirty()) {
|
|
- // In stylo, the old DeclarationBlock is stored in element's rule node tree
|
|
- // directly, to avoid new values replacing the DeclarationBlock in the tree
|
|
- // directly, we need to copy the old one here if we haven't yet copied.
|
|
- // As a result the new value does not replace rule node tree until traversal
|
|
- // happens.
|
|
- decl = olddecl->Clone();
|
|
- } else {
|
|
- decl = olddecl->EnsureMutable();
|
|
- }
|
|
+ RefPtr<DeclarationBlock> decl = olddecl->EnsureMutable();
|
|
|
|
bool changed;
|
|
if (decl->IsGecko()) {
|