[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
commit-queue at webkit.org
Wed Dec 22 13:28:41 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 53a3dcd7c72148a8967b6e7ff824f6cc9a63b511
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Sep 16 18:06:48 2010 +0000
2010-09-16 Daniel Cheng <dcheng at chromium.org>
Reviewed by Tony Chang.
Fix incorrect usage of dissolveDragImageToFraction().
https://bugs.webkit.org/show_bug.cgi?id=45835
createDragImageForSelection() was ignoring the return value of
dissolveDragImageToFraction(). This didn't happen to crash on most
platforms, since most implementations simply modified the image that was
passed in. However, Chromium Mac's implementation actually creates a new
image and returns that instead. This caused us to crash when copying the
image from the renderer to the browser process, since the memory had
already been freed.
* manual-tests/selection-drag-crash.html: Added.
* platform/DragImage.cpp:
(WebCore::createDragImageForSelection):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@67641 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 6ddb661..d20fba0 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-09-16 Daniel Cheng <dcheng at chromium.org>
+
+ Reviewed by Tony Chang.
+
+ Fix incorrect usage of dissolveDragImageToFraction().
+ https://bugs.webkit.org/show_bug.cgi?id=45835
+
+ createDragImageForSelection() was ignoring the return value of
+ dissolveDragImageToFraction(). This didn't happen to crash on most
+ platforms, since most implementations simply modified the image that was
+ passed in. However, Chromium Mac's implementation actually creates a new
+ image and returns that instead. This caused us to crash when copying the
+ image from the renderer to the browser process, since the memory had
+ already been freed.
+
+ * manual-tests/selection-drag-crash.html: Added.
+ * platform/DragImage.cpp:
+ (WebCore::createDragImageForSelection):
+
2010-09-16 Sheriff Bot <webkit.review.bot at gmail.com>
Unreviewed, rolling out r67628.
diff --git a/WebCore/manual-tests/selection-drag-crash.html b/WebCore/manual-tests/selection-drag-crash.html
new file mode 100644
index 0000000..42fd740
--- /dev/null
+++ b/WebCore/manual-tests/selection-drag-crash.html
@@ -0,0 +1,14 @@
+<html>
+<head>
+<script>
+function selectText() {
+ window.getSelection().selectAllChildren(document.body);
+}
+</script>
+</head>
+<body onload="selectText()">
+<p>
+Drag the selected text. It shouldn't crash, though it used to on Chromium Mac since createDragImageForSelection() didn't properly use the return value from dissolveDragImageToFraction(), which resulted in a race condition for the drag image's refcount. This issue can't be tested in an automated manner, due to the fact that the race condition is hard to trigger deterministically and that test_shell/DRT simply don't use the (potentially invalid) image parameter.
+</p>
+</body>
+</html>
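Review bot: the explanation in the test page (the paragraph beginning "Drag the selected text") describes the bug as "a race condition for the drag image's refcount", while the ChangeLog entry above describes a plain use-after-free: the callee returned a new image, the caller discarded it and kept using the original, whose memory "had already been freed" by the time it was copied from the renderer to the browser process. Consider aligning the test's wording with the ChangeLog so a later reader does not go looking for a threading race; the free-then-use sequence follows directly from the ignored return value and needs no concurrency to explain it.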
diff --git a/WebCore/platform/DragImage.cpp b/WebCore/platform/DragImage.cpp
index aff4aba..5fcafc1 100644
--- a/WebCore/platform/DragImage.cpp
+++ b/WebCore/platform/DragImage.cpp
@@ -69,7 +69,7 @@ DragImageRef createDragImageForSelection(Frame* frame)
{
DragImageRef image = frame->dragImageForSelection();
if (image)
- dissolveDragImageToFraction(image, DragController::DragImageAlpha);
+ image = dissolveDragImageToFraction(image, DragController::DragImageAlpha);
return image;
}
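Review bot: the one-line fix at `image = dissolveDragImageToFraction(image, DragController::DragImageAlpha);` is correct for the contract the ChangeLog describes (the callee may hand back a different image than it was given), but nothing in this hunk stops the same mistake from recurring at another call site. Consider marking the declaration of dissolveDragImageToFraction() with the compiler's warn-unused-result attribute (`__attribute__((warn_unused_result))` on GCC/Clang) so that dropping the returned DragImageRef is a build-time warning rather than a platform-specific crash, and add a comment at the declaration stating that on some platforms the returned image replaces the input. It would also be worth checking the remaining callers in the tree for the same ignored-result pattern, since the ChangeLog notes that most platform implementations happen to mask it by modifying the image in place.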