[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

simon.fraser at apple.com simon.fraser at apple.com
Sun Feb 20 22:50:47 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit fc623830295eae4681f7cdc5d7a15824f939f004
Author: simon.fraser at apple.com <simon.fraser at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jan 12 05:25:00 2011 +0000

    2011-01-11  Simon Fraser  <simon.fraser at apple.com>
    
            Reviewed by Dan Bernstein.
    
            Webkit crashes when a gradient is applied using the first-line pseudo element
            https://bugs.webkit.org/show_bug.cgi?id=52225
    
            When a pseudostyle references images, we fail to register/unregister
            the relevant RenderObjects as clients of the image in the style.
            For gradients, this caused a crash.
    
            This patch fixes the crash by returning a null gradient image in this
            situation.
    
            Test: fast/gradients/gradient-on-pseudoelement-crash.html
    
            * css/CSSGradientValue.cpp:
            (WebCore::CSSGradientValue::image):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75585 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 78c5531..6bbfa48 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2011-01-11  Simon Fraser  <simon.fraser at apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Webkit crashes when a gradient is applied using the first-line pseudo element
+        https://bugs.webkit.org/show_bug.cgi?id=52225
+        
+        Testcase.
+
+        * fast/gradients/gradient-on-pseudoelement-crash-expected.txt: Added.
+        * fast/gradients/gradient-on-pseudoelement-crash.html: Added.
+
 2011-01-11  Justin Schuh  <jschuh at chromium.org>
 
         Unreviewed chromium expectations update.
diff --git a/LayoutTests/fast/reflections/pending-reflection-mask-crash-expected.txt b/LayoutTests/fast/gradients/gradient-on-pseudoelement-crash-expected.txt
similarity index 100%
copy from LayoutTests/fast/reflections/pending-reflection-mask-crash-expected.txt
copy to LayoutTests/fast/gradients/gradient-on-pseudoelement-crash-expected.txt
diff --git a/LayoutTests/fast/gradients/gradient-on-pseudoelement-crash.html b/LayoutTests/fast/gradients/gradient-on-pseudoelement-crash.html
new file mode 100644
index 0000000..fabf1fa
--- /dev/null
+++ b/LayoutTests/fast/gradients/gradient-on-pseudoelement-crash.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+body:first-line {
+    background-image: -webkit-gradient(linear, 0% 0%, 0% 100%, from(blue), to(green));
+}
+</style>
+<script type="text/javascript" charset="utf-8">
+  if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+This test should not crash.
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index e48b024..16d8bac 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2011-01-11  Simon Fraser  <simon.fraser at apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Webkit crashes when a gradient is applied using the first-line pseudo element
+        https://bugs.webkit.org/show_bug.cgi?id=52225
+        
+        When a pseudostyle references images, we fail to register/unregister
+        the relevant RenderObjects as clients of the image in the style.
+        For gradients, this caused a crash.
+        
+        This patch fixes the crash by returning a null gradient image in this
+        situation.
+
+        Test: fast/gradients/gradient-on-pseudoelement-crash.html
+
+        * css/CSSGradientValue.cpp:
+        (WebCore::CSSGradientValue::image):
+
 2011-01-11  Andy Estes  <aestes at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/Source/WebCore/css/CSSGradientValue.cpp b/Source/WebCore/css/CSSGradientValue.cpp
index 8040c6c..fde4a4e 100644
--- a/Source/WebCore/css/CSSGradientValue.cpp
+++ b/Source/WebCore/css/CSSGradientValue.cpp
@@ -43,7 +43,8 @@ namespace WebCore {
 
 Image* CSSGradientValue::image(RenderObject* renderer, const IntSize& size)
 {
-    ASSERT(m_clients.contains(renderer));
+    if (!m_clients.contains(renderer))
+        return 0;
 
     // Need to look up our size.  Create a string of width*height to use as a hash key.
     // FIXME: hashing based only on size is not sufficient. Color stops may use context-sensitive units (like em)

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list