2009-03-12 Simon Fraser <simon.fraser@apple.com> Reviewed by Mark Rowe <rdar://problem/6622300>: Reproducible crash on <http://www.editgrid.com/explore/tnc/dave/FusionChart%3A_Candlestick> Prevent CSSStyleSheet::checkLoaded() writing to freed memory when it gets deleted from under itself. The sheetLoaded() notification can allow scripts to run via HTMLTokenizer::executeScriptsWaitingForStylesheets(), which can cause the last ref to the CSSStyleSheet to be released. * css/CSSStyleSheet.cpp: (WebCore::CSSStyleSheet::checkLoaded): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@41662 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: 63514e9362f6d32eecb37781c4a694a37f83c9cc [log] [tgz]
author: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Mar 13 06:07:10 2009 +0000
committer: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Mar 13 06:07:10 2009 +0000
tree: 0d214738b8f3bf90ce98b05af6e7e26e4b8d2f59
parent: 3eb5bfe37fc5f3d6ac5a3ba33cb5afdcf63b644a [diff] [blame]
diff --git a/WebCore/css/CSSStyleSheet.cpp b/WebCore/css/CSSStyleSheet.cpp
index 47b2c81..801fe1b 100644
--- a/WebCore/css/CSSStyleSheet.cpp
+++ b/WebCore/css/CSSStyleSheet.cpp

@@ -182,6 +182,10 @@
         return;
     if (parent())
         parent()->checkLoaded();
+
+    // Avoid |this| being deleted by scripts that run via HTMLTokenizer::executeScriptsWaitingForStylesheets().
+    // See <rdar://problem/6622300>.
+    RefPtr<CSSStyleSheet> protector(this);
     m_loadCompleted = ownerNode() ? ownerNode()->sheetLoaded() : true;
 }
commit	63514e9362f6d32eecb37781c4a694a37f83c9cc	[log] [tgz]
author	simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Mar 13 06:07:10 2009 +0000
committer	simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Mar 13 06:07:10 2009 +0000
tree	0d214738b8f3bf90ce98b05af6e7e26e4b8d2f59
parent	3eb5bfe37fc5f3d6ac5a3ba33cb5afdcf63b644a [diff] [blame]