authorfqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-09-10 16:42:41 +0000
committerfqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-09-10 16:42:41 +0000
commit6501779376fc890a5613519050756a9d6cf48ee8 (patch)
treed14bf31d29d2bfbcd4515feeb9902e65e3e67ff2 /webkit
parentfca43faacfed770dd87246fdd2367df955b3df86 (diff)
BUG = 1357667
Redo the fix of issue 1357667. The previous fix does not address all cases (HTMLLinkElement.sheet). This fix works by creating a hidden reference from the JS wrapper of a StyleSheet object to its owner node. This is done when creating the JS wrapper object. Add a test for HTMLLinkElement that crashes both Chrome and Safari 3.1.2. Review URL: http://codereview.chromium.org/1678 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@1990 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r--webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2-expected.txt3
-rw-r--r--webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2.html35
-rw-r--r--webkit/port/bindings/v8/v8_custom.h5
-rw-r--r--webkit/port/bindings/v8/v8_proxy.cpp20
-rw-r--r--webkit/port/html/HTMLStyleElement.idl38
5 files changed, 63 insertions, 38 deletions
diff --git a/webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2-expected.txt b/webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2-expected.txt
new file mode 100644
index 0000000..5e51726
--- /dev/null
+++ b/webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2-expected.txt
@@ -0,0 +1,3 @@
+This test verifies that style sheet do not outlive their elements. Since you can get back to the element with the ownerNode attribute, it's important to keep the element alive.
+
+Test passed.
diff --git a/webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2.html b/webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2.html
new file mode 100644
index 0000000..bf6d252
--- /dev/null
+++ b/webkit/data/layout_tests/pending/fast/dom/StyleSheet/ownerNode-lifetime-expected-2.html
@@ -0,0 +1,35 @@
+<html>
+<link rel="stylesheet" type="text/css" src="theme.css"/>
+
+<script>
+function runTest() {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var linkElement = document.getElementsByTagName('link')[0];
+ var styleSheet = linkElement.sheet;
+
+ // delete link element
+ linkElement.parentNode.removeChild(linkElement);
+ linkElement = null;
+
+ if (window.gc) {
+ window.gc();
+ } else {
+ for (var i = 0; i < 5000; i++)
+ new Object();
+ }
+ styleSheet.ownerNode.cloneNode();
+
+ document.getElementById("result").innerHTML = "Test passed.";
+}
+</script>
+<body onload="runTest()">
+<p>
+This test verifies that style sheet do not outlive their elements.
+Since you can get back to the element with the ownerNode attribute,
+it's important to keep the element alive.
+</p>
+<p id="result">TEST HAS NOT RUN YET.</p>
+</body>
+</html>
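Review bot: The `<link>` at the top of the new test points at the stylesheet with `src="theme.css"` rather than `href`, and no theme.css appears in this commit's diffstat, so the hunk does not show that a sheet is ever attached to the element. If `linkElement.sheet` is null, `styleSheet.ownerNode` throws before the removed-and-collected owner path is reached, and the test stops guarding the lifetime fix. Consider `<link rel="stylesheet" type="text/css" href="theme.css"/>` with the resource checked in. An explicit failure message when `styleSheet` is null, placed before the `gc()` call, would make that case visible. The fallback loop of 5000 `new Object()` allocations is also not guaranteed to trigger a collection, so a pass without `window.gc` proves little.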
diff --git a/webkit/port/bindings/v8/v8_custom.h b/webkit/port/bindings/v8/v8_custom.h
index d501362..dae13ab 100644
--- a/webkit/port/bindings/v8/v8_custom.h
+++ b/webkit/port/bindings/v8/v8_custom.h
@@ -48,6 +48,11 @@ class V8Custom {
static const int kDOMWindowInternalFieldCount =
kDefaultWrapperInternalFieldCount + 2;
+ static const int kStyleSheetOwnerNodeIndex =
+ kDefaultWrapperInternalFieldCount + 0;
+ static const int kStyleSheetInternalFieldCount =
+ kDefaultWrapperInternalFieldCount + 1;
+
#define DECLARE_PROPERTY_ACCESSOR_GETTER(NAME) \
static v8::Handle<v8::Value> v8##NAME##AccessorGetter(\
v8::Local<v8::String> name, const v8::AccessorInfo& info);
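Review bot: The two new constants in `V8Custom` carry no comment saying what the extra slot holds or why it exists, unlike the lifetime rationale given in the commit message. A comment above `kStyleSheetOwnerNodeIndex` such as `// Internal field holding the owner node's wrapper, so the node stays alive as long as the StyleSheet wrapper does.` would keep a later cleanup from removing it. It would also help to state that every wrapper written at this index must come from a template sized with `kStyleSheetInternalFieldCount`. The class body starts and ends outside the hunk.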
diff --git a/webkit/port/bindings/v8/v8_proxy.cpp b/webkit/port/bindings/v8/v8_proxy.cpp
index 184063e..9b595c1 100644
--- a/webkit/port/bindings/v8/v8_proxy.cpp
+++ b/webkit/port/bindings/v8/v8_proxy.cpp
@@ -1188,6 +1188,18 @@ v8::Persistent<v8::FunctionTemplate> V8Proxy::GetTemplate(
CollectionIndexedPropertyEnumerator<HTMLFormElement>,
v8::External::New(reinterpret_cast<void*>(V8ClassIndex::NODE)));
break;
+ case V8ClassIndex::STYLESHEET: // fall through
+ case V8ClassIndex::CSSSTYLESHEET: {
+ // We add an extra internal field to hold a reference to
+ // the owner node.
+ v8::Local<v8::ObjectTemplate> instance_template =
+ desc->InstanceTemplate();
+ ASSERT(instance_template->InternalFieldCount() ==
+ V8Custom::kDefaultWrapperInternalFieldCount);
+ instance_template->SetInternalFieldCount(
+ V8Custom::kStyleSheetInternalFieldCount);
+ break;
+ }
case V8ClassIndex::MEDIALIST:
SetCollectionStringOrNullIndexedGetter<MediaList>(desc);
break;
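Review bot: The extra internal field is reserved only for `STYLESHEET` and `CSSSTYLESHEET`, while `StyleSheetToV8Object` later in this file writes `kStyleSheetOwnerNodeIndex` on whatever wrapper it has just created. If that function can instantiate any other StyleSheet-derived class type, the write would target a slot that template never reserved. The type dispatch is not visible in this diff, so this needs confirming against the full function. The `ASSERT` on `InternalFieldCount()` is presumably compiled out of release builds, so it documents the assumption without enforcing it. A comment on the case labels such as `// Must list every class type StyleSheetToV8Object can wrap.` would record the coupling. The enclosing switch starts and ends outside the hunk.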
@@ -2521,6 +2533,14 @@ v8::Handle<v8::Object> V8Proxy::StyleSheetToV8Object(StyleSheet* sheet) {
// Only update the DOM object map if the result is non-empty.
dom_object_map().set(sheet, v8::Persistent<v8::Object>::New(result));
}
+
+ // Add a hidden reference from stylesheet object to its owner node.
+ Node* owner_node = sheet->ownerNode();
+ if (owner_node) {
+ v8::Handle<v8::Object> owner = NodeToV8Object(owner_node);
+ result->SetInternalField(V8Custom::kStyleSheetOwnerNodeIndex, owner);
+ }
+
return result;
}
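Review bot: `result->SetInternalField(...)` in the added block runs even when `result` is empty. The context comment just above says the DOM object map is updated only "if the result is non-empty", so an empty handle is an expected outcome of the preceding instantiation, and dereferencing it here would crash. Guard the block with `if (owner_node && !result.IsEmpty()) {`. `NodeToV8Object(owner_node)` can presumably also return an empty handle, in which case the slot holds no reference and the owner node could still be collected while the sheet wrapper is alive; that case deserves a check or a comment. The start of the function is outside the hunk.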
diff --git a/webkit/port/html/HTMLStyleElement.idl b/webkit/port/html/HTMLStyleElement.idl
deleted file mode 100644
index e6238b7..0000000
--- a/webkit/port/html/HTMLStyleElement.idl
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2006 Apple Computer, Inc.
- * Copyright (C) 2006 Samuel Weinig <sam.weinig@gmail.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Library General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Library General Public License for more details.
- *
- * You should have received a copy of the GNU Library General Public License
- * along with this library; see the file COPYING.LIB. If not, write to
- * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
- * Boston, MA 02110-1301, USA.
- */
-
-module html {
-
- interface [
- GenerateConstructor,
- InterfaceUUID=3aaa334c-9660-48cf-b8e2-6d2b4ac0a1da,
- ImplementationUUID=73024a55-b8a1-461b-ad85-befa4089f80d
- ] HTMLStyleElement : HTMLElement {
- attribute boolean disabled;
- attribute [ConvertNullToNullString] DOMString media;
- attribute [ConvertNullToNullString] DOMString type;
-
-#if !defined(LANGUAGE_COM)
- // DOM Level 2 Style
- readonly attribute StyleSheet sheet;
-#endif
- };
-
-}