[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

simon.fraser at apple.com simon.fraser at apple.com
Wed Dec 22 12:42:55 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 74af6995041fc50c9ac37ae68224587fec66c810
Author: simon.fraser at apple.com <simon.fraser at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Aug 27 18:30:26 2010 +0000

    2010-08-27  Simon Fraser  <simon.fraser at apple.com>
    
            Reviewed by Tony Chang.
    
            Crash in CSSStyleSelector.cpp
            https://bugs.webkit.org/show_bug.cgi?id=44780
    
            Need to null-check the images when replacing pending images, because a later
            rule may have replaced an image with 'none'.
    
            Test: fast/css/pending-images-crash.html
    
            * css/CSSStyleSelector.cpp:
            (WebCore::CSSStyleSelector::loadPendingImages):
            * page/FrameView.cpp:
            (WebCore::FrameView::paintContents): Fix unrelated log message.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66240 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 0c29760..ab27ea2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-08-27  Simon Fraser  <simon.fraser at apple.com>
+
+        Reviewed by Tony Chang.
+
+        Crash in CSSStyleSelector.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=44780
+        
+        Test that replaces an actual image with 'none', and should not crash.
+
+        * fast/css/pending-images-crash-expected.txt: Added.
+        * fast/css/pending-images-crash.html: Added.
+
 2010-08-27  Andrey Kosyakov  <caseq at chromium.org>
 
         Unreviewed. Revert r66218 & r66220 due to GTK test failures.
diff --git a/LayoutTests/fast/css/pending-images-crash-expected.txt b/LayoutTests/fast/css/pending-images-crash-expected.txt
new file mode 100644
index 0000000..0163abc
--- /dev/null
+++ b/LayoutTests/fast/css/pending-images-crash-expected.txt
@@ -0,0 +1,2 @@
+This test passes if it does not crash.
+
diff --git a/LayoutTests/fast/css/pending-images-crash.html b/LayoutTests/fast/css/pending-images-crash.html
new file mode 100644
index 0000000..d337c3c
--- /dev/null
+++ b/LayoutTests/fast/css/pending-images-crash.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+
+<html>
+<head>
+  <style type="text/css" media="screen">
+    ul {
+      list-style-image: url('foopy.png');
+      background-image: url('foopy1.png');
+      -webkit-border-image: url('foopy2.png');
+      -webkit-mask-box-image: url('foopy3.png');
+      -webkit-mask: below url('foopy4.png');
+    }
+    
+    ul {
+      list-style-image: none;
+      background-image: none;
+      -webkit-border-image: none;
+      -webkit-mask-box-image: none;
+      -webkit-mask: below none;
+    }
+    
+    .box {
+      content: url('foopy5.png') url('foopy6.png');
+    }
+    
+    .box {
+      content: none url('');
+    }
+    
+    
+  </style>
+  <script type="text/javascript" charset="utf-8">
+    if (window.layoutTestController)
+      layoutTestController.dumpAsText();
+  </script>
+</head>
+<body>
+  <ul>
+    <li>This test passes if it does not crash.</li>
+  </ul>
+  <div class="box">
+  </div>
+</body>
+</html>
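Review bot: The stylesheet has no `-webkit-box-reflect` rule pair, although the CSSStyleSelector.cpp change in this same commit adds a null check in the CSSPropertyWebkitBoxReflect case, so that branch is not exercised by this regression test. A pair following the existing pattern would cover it, for example (constructed values) `-webkit-box-reflect: below 0 url('foopy7.png');` in the first `ul` rule and `-webkit-box-reflect: none;` in the second. A short comment in the `<style>` block saying that the second rule of each pair deliberately overrides a pending image would also help whoever next edits the test.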
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index dac2b9b..c8f9bcf 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-08-27  Simon Fraser  <simon.fraser at apple.com>
+
+        Reviewed by Tony Chang.
+
+        Crash in CSSStyleSelector.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=44780
+        
+        Need to null-check the images when replacing pending images, because a later
+        rule may have replaced an image with 'none'.
+
+        Test: fast/css/pending-images-crash.html
+
+        * css/CSSStyleSelector.cpp:
+        (WebCore::CSSStyleSelector::loadPendingImages):
+        * page/FrameView.cpp:
+        (WebCore::FrameView::paintContents): Fix unrelated log message.
+
 2010-08-27  Andrey Kosyakov  <caseq at chromium.org>
 
         Unreviewed. Revert r66218 & r66220 due to GTK test failures.
diff --git a/WebCore/css/CSSStyleSelector.cpp b/WebCore/css/CSSStyleSelector.cpp
index 26cc9de..70bf1dd 100644
--- a/WebCore/css/CSSStyleSelector.cpp
+++ b/WebCore/css/CSSStyleSelector.cpp
@@ -6745,7 +6745,7 @@ void CSSStyleSelector::loadPendingImages()
                 break;
 
             case CSSPropertyListStyleImage: {
-                if (m_style->listStyleImage()->isPendingImage()) {
+                if (m_style->listStyleImage() && m_style->listStyleImage()->isPendingImage()) {
                     CSSImageValue* imageValue = static_cast<StylePendingImage*>(m_style->listStyleImage())->cssImageValue();
                     m_style->setListStyleImage(imageValue->cachedImage(docLoader));
                 }
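Review bot: The new condition in the CSSPropertyListStyleImage case calls `m_style->listStyleImage()` twice, and the cast on the following line calls it a third time, so the null check and the downcast are not visibly tied to the same pointer. Reading it once into a local, e.g. `StyleImage* listImage = m_style->listStyleImage();` followed by `if (listImage && listImage->isPendingImage())` (assuming the accessor returns `StyleImage*`), would make that explicit. The same shape applies to the `borderImage.image()`, `maskImage.image()` and `maskBoxImage.image()` checks in the three later hunks of this file. A one-line comment such as `// A later rule may have reset the image to 'none', leaving a null StyleImage here.` would record why the check exists. loadPendingImages starts and ends outside the hunk.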
@@ -6754,7 +6754,7 @@ void CSSStyleSelector::loadPendingImages()
 
             case CSSPropertyWebkitBorderImage: {
                 const NinePieceImage& borderImage = m_style->borderImage();
-                if (borderImage.image()->isPendingImage()) {
+                if (borderImage.image() && borderImage.image()->isPendingImage()) {
                     CSSImageValue* imageValue = static_cast<StylePendingImage*>(borderImage.image())->cssImageValue();
                     m_style->setBorderImage(NinePieceImage(imageValue->cachedImage(docLoader), borderImage.slices(), borderImage.horizontalRule(), borderImage.verticalRule()));
                 }
@@ -6763,7 +6763,7 @@ void CSSStyleSelector::loadPendingImages()
             
             case CSSPropertyWebkitBoxReflect: {
                 const NinePieceImage& maskImage = m_style->boxReflect()->mask();
-                if (maskImage.image()->isPendingImage()) {
+                if (maskImage.image() && maskImage.image()->isPendingImage()) {
                     CSSImageValue* imageValue = static_cast<StylePendingImage*>(maskImage.image())->cssImageValue();
                     m_style->boxReflect()->setMask(NinePieceImage(imageValue->cachedImage(docLoader), maskImage.slices(), maskImage.horizontalRule(), maskImage.verticalRule()));
                 }
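Review bot: In the CSSPropertyWebkitBoxReflect case, `m_style->boxReflect()` is still dereferenced unconditionally on the context line `const NinePieceImage& maskImage = m_style->boxReflect()->mask();`, before the added check on `maskImage.image()` is reached. If a later rule can reset the reflection itself to none, as the commit message describes for images, boxReflect() would presumably return null here and the crash would remain reachable from page-supplied CSS. The accessor is not visible in the hunk, so this needs confirming. Guarding the case body with `if (m_style->boxReflect()) {` before taking the `mask()` reference would close it. The enclosing function continues outside the hunk.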
@@ -6772,7 +6772,7 @@ void CSSStyleSelector::loadPendingImages()
 
             case CSSPropertyWebkitMaskBoxImage: {
                 const NinePieceImage& maskBoxImage = m_style->maskBoxImage();
-                if (maskBoxImage.image()->isPendingImage()) {
+                if (maskBoxImage.image() && maskBoxImage.image()->isPendingImage()) {
                     CSSImageValue* imageValue = static_cast<StylePendingImage*>(maskBoxImage.image())->cssImageValue();
                     m_style->setMaskBoxImage(NinePieceImage(imageValue->cachedImage(docLoader), maskBoxImage.slices(), maskBoxImage.horizontalRule(), maskBoxImage.verticalRule()));
                 }
diff --git a/WebCore/page/FrameView.cpp b/WebCore/page/FrameView.cpp
index 5d2c715..51ed056 100644
--- a/WebCore/page/FrameView.cpp
+++ b/WebCore/page/FrameView.cpp
@@ -1927,7 +1927,7 @@ void FrameView::paintContents(GraphicsContext* p, const IntRect& rect)
     
     RenderView* contentRenderer = frame()->contentRenderer();
     if (!contentRenderer) {
-        LOG_ERROR("called Frame::paint with nil renderer");
+        LOG_ERROR("called FrameView::paint with nil renderer");
         return;
     }
 

-- 
WebKit Debian packaging


