Cherry-pick 267815.506@safari-7617-branch (4009863). https://bugs.web…

…kit.org/show_bug.cgi?id=263950

    jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(position <= size()); in CSSStyleSheet::insertRule(...) CSSStyleSheet.cpp:365
    https://bugs.webkit.org/show_bug.cgi?id=263950
    rdar://117469266

    Reviewed by Antti Koivisto and Darin Adler.

    Based on specification, we should return early and throw InvalidStateError exception when attempting to delete @namespace rule, and list contains anything other than @import or @namespace rules.

    * LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
    * LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html: Added.
    * Source/WebCore/css/CSSStyleSheet.cpp:
    (WebCore::CSSStyleSheet::deleteRule):
    * Source/WebCore/css/StyleSheetContents.cpp:
    (WebCore::StyleSheetContents::wrapperDeleteRule):
    * Source/WebCore/css/StyleSheetContents.h:

    Canonical link: https://commits.webkit.org/267815.506@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.156@webkitglib/2.42

LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt

@@ -0,0 +1,9 @@
+Tests that deleting a @namespace rule when list contains anything other than @import or @namespace rules should throw InvalidStateError.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS styleSheet.deleteRule(0) threw exception InvalidStateError: The object is in an invalid state..
+PASS successfullyParsed is true
+
+TEST COMPLETE

LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html

@@ -0,0 +1,12 @@
+<style>
+  @namespace a url();
+</style>
+<script src="../../resources/js-test.js"></script>
+<script>
+  description("Tests that deleting a @namespace rule when list contains anything other than @import or @namespace rules should throw InvalidStateError.");
+
+  let styleSheet = document.styleSheets[0];
+  styleSheet.cssRules[0];
+  styleSheet.insertRule(`b {}`, 1);
+  shouldThrowErrorName("styleSheet.deleteRule(0)", "InvalidStateError");
+</script>

LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt

@@ -0,0 +1,2 @@
+
+PASS Deleting a @namespace rule when list contains anything other than @import or @namespace rules should throw InvalidStateError.

LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html

@@ -0,0 +1,15 @@
+<link rel="help" href="https://drafts.csswg.org/cssom-1/#remove-a-css-rule">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<style>
+  @namespace a url();
+</style>
+<script>
+  test(function () {
+    let styleSheet = document.styleSheets[0];
+    styleSheet.cssRules[0];
+    styleSheet.insertRule(`b {}`, 1);
+    assert_throws_dom("InvalidStateError", () => styleSheet.deleteRule(0));
+  }, "Deleting a @namespace rule when list contains anything other than @import or @namespace rules should throw InvalidStateError.");
+
+</script>

Source/WebCore/css/CSSStyleSheet.cpp

@@ -375,8 +375,9 @@ ExceptionOr<void> CSSStyleSheet::deleteRule(unsigned index)
         return Exception { IndexSizeError };
     RuleMutationScope mutationScope(this);
 
-    m_contents->wrapperDeleteRule(index);
-
+    bool success = m_contents->wrapperDeleteRule(index);
+    if (!success)
+        return Exception { InvalidStateError };
     if (!m_childRuleCSSOMWrappers.isEmpty()) {
         if (m_childRuleCSSOMWrappers[index])
             m_childRuleCSSOMWrappers[index]->setParentStyleSheet(nullptr);

Source/WebCore/css/StyleSheetContents.cpp

@@ -327,35 +327,37 @@ bool StyleSheetContents::wrapperInsertRule(Ref<StyleRuleBase>&& rule, unsigned i
     return true;
 }
 
-void StyleSheetContents::wrapperDeleteRule(unsigned index)
+bool StyleSheetContents::wrapperDeleteRule(unsigned index)
 {
     ASSERT(m_isMutable);
     ASSERT_WITH_SECURITY_IMPLICATION(index < ruleCount());
 
     unsigned childVectorIndex = index;
     if (childVectorIndex < m_layerRulesBeforeImportRules.size()) {
         m_layerRulesBeforeImportRules.remove(childVectorIndex);
-        return;
+        return true;
     }
     childVectorIndex -= m_layerRulesBeforeImportRules.size();
 
     if (childVectorIndex < m_importRules.size()) {
         m_importRules[childVectorIndex]->cancelLoad();
         m_importRules[childVectorIndex]->clearParentStyleSheet();
         m_importRules.remove(childVectorIndex);
-        return;
+        return true;
     }
     childVectorIndex -= m_importRules.size();
 
     if (childVectorIndex < m_namespaceRules.size()) {
+        // Deleting @namespace rule when list contains anything other than @import or @namespace rules is not allowed.
         if (!m_childRules.isEmpty())
-            return;
+            return false;
         m_namespaceRules.remove(childVectorIndex);
-        return;
+        return true;
     }
     childVectorIndex -= m_namespaceRules.size();
 
     m_childRules.remove(childVectorIndex);
+    return true;
 }
 
 void StyleSheetContents::parserAddNamespace(const AtomString& prefix, const AtomString& uri)

Source/WebCore/css/StyleSheetContents.h

@@ -128,7 +128,7 @@ class StyleSheetContents final : public RefCounted<StyleSheetContents>, public C
     unsigned estimatedSizeInBytes() const;
 
     bool wrapperInsertRule(Ref<StyleRuleBase>&&, unsigned index);
-    void wrapperDeleteRule(unsigned index);
+    bool wrapperDeleteRule(unsigned index);
 
     Ref<StyleSheetContents> copy() const { return adoptRef(*new StyleSheetContents(*this)); }