Title: [95235] trunk
Revision: 95235
Author: jchaffr...@webkit.org
Date: 2011-09-15 14:59:10 -0700 (Thu, 15 Sep 2011)
Log Message
Source/WebCore: Crash in RenderBox::paintMaskImages due to a mask without an associated image
https://bugs.webkit.org/show_bug.cgi?id=50151
Reviewed by Simon Fraser.
Test: fast/css/empty-webkit-mask-crash.html
The crash stems from the fact that FillLayer::hasImage would walk over the linked list
of FillLayers and return true if one had an image. This means that hasImage() being true
does not mean that image() is non-NULL on all FillLayers.
* rendering/RenderBox.cpp:
(WebCore::RenderBox::paintMaskImages): Simplify the logic by doing the hasImage() check up-front
and properly check image() for each FillLayer. This has the nice benefit of changing the complexity
from O(n^2) to O(n), which was what the code expected anyway.
LayoutTests: Test for: Crash in RenderBox::paintMaskImages due to a mask without an associated image
https://bugs.webkit.org/show_bug.cgi?id=50151
Reviewed by Simon Fraser.
* fast/css/empty-webkit-mask-crash-expected.png: Added.
* fast/css/empty-webkit-mask-crash-expected.txt: Added.
* fast/css/empty-webkit-mask-crash.html: Added.
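The mismatch the log message describes, as an added example that is not part of this commit or of WebKit: a list-wide hasImage() used as a guard for a per-layer image() dereference. `Image`, `Layer` and both helper functions are simplified stand-ins assumed for illustration, and the sample list is constructed.

```cpp
#include <cstdio>

// Simplified stand-ins for illustration (assumptions), not WebKit's classes.
struct Image { bool renderable; bool canRender() const { return renderable; } };

struct Layer {
    const Image* m_image;
    const Layer* m_next;
    const Image* image() const { return m_image; }
    const Layer* next() const { return m_next; }
    // List-wide query: true if this layer or any later one has an image.
    bool hasImage() const {
        for (const Layer* l = this; l; l = l->next())
            if (l->image())
                return true;
        return false;
    }
};

// Counts layers that pass the old guard (hasImage()) while image() is null,
// i.e. the layers on which the pre-fix condition would dereference null.
int layersPassingOldGuardWithoutImage(const Layer* layers) {
    int count = 0;
    for (const Layer* l = layers->next(); l; l = l->next())
        if (l->hasImage() && !l->image())
            ++count;
    return count;
}

// Per-layer guard as in the fixed loop: one list-wide check up front, then
// image() is tested on the very layer that is about to be dereferenced.
bool needsTransparencyLayer(const Layer* layers) {
    if (!layers->hasImage())
        return false;
    for (const Layer* l = layers->next(); l; l = l->next())
        if (l->image() && l->image()->canRender())
            return true;
    return false;
}

// Constructed sample shaped like the test's "none, none, url(x)" list.
static const Image kImage = { true };
static const Layer kThird = { &kImage, nullptr };
static const Layer kSecond = { nullptr, &kThird };
static const Layer kFirst = { nullptr, &kSecond };

int main() {
    std::printf("%d %d\n", layersPassingOldGuardWithoutImage(&kFirst), needsTransparencyLayer(&kFirst));
    return 0;
}
```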
Diff
Modified: trunk/LayoutTests/ChangeLog (95234 => 95235)
--- trunk/LayoutTests/ChangeLog 2011-09-15 21:57:23 UTC (rev 95234)
+++ trunk/LayoutTests/ChangeLog 2011-09-15 21:59:10 UTC (rev 95235)
@@ -1,3 +1,14 @@
+2011-09-15 Julien Chaffraix <jchaffr...@webkit.org>
+
+ Test for: Crash in RenderBox::paintMaskImages due to a mask without an associated image
+ https://bugs.webkit.org/show_bug.cgi?id=50151
+
+ Reviewed by Simon Fraser.
+
+ * fast/css/empty-webkit-mask-crash-expected.png: Added.
+ * fast/css/empty-webkit-mask-crash-expected.txt: Added.
+ * fast/css/empty-webkit-mask-crash.html: Added.
+
2011-09-15 Andy Estes <aes...@apple.com>
Having an empty listener to beforeload events changes the behavior of other scripts
Added: trunk/LayoutTests/fast/css/empty-webkit-mask-crash-expected.png (0 => 95235)
--- trunk/LayoutTests/fast/css/empty-webkit-mask-crash-expected.png (rev 0)
+++ trunk/LayoutTests/fast/css/empty-webkit-mask-crash-expected.png 2011-09-15 21:59:10 UTC (rev 95235)
Added: trunk/LayoutTests/fast/css/empty-webkit-mask-crash-expected.txt (0 => 95235)
--- trunk/LayoutTests/fast/css/empty-webkit-mask-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/empty-webkit-mask-crash-expected.txt 2011-09-15 21:59:10 UTC (rev 95235)
@@ -0,0 +1,2 @@
+https://bugs.webkit.org/show_bug.cgi?id=50151 : Crash in RenderBox::paintMaskImages due to a mask without an associated image
+The test passes if it does not CRASH (normally the output is a white page)
Added: trunk/LayoutTests/fast/css/empty-webkit-mask-crash.html (0 => 95235)
--- trunk/LayoutTests/fast/css/empty-webkit-mask-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/empty-webkit-mask-crash.html 2011-09-15 21:59:10 UTC (rev 95235)
@@ -0,0 +1,12 @@
+<script>
+ // We need to dump the image to get the crash but we don't care about the layout information.
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText(true);
+</script>
+<style>
+*{
+ -webkit-mask-image:none,none,url(x);
+}
+</style>
+<p style="position:absolute; top: -1000px">https://bugs.webkit.org/show_bug.cgi?id=50151 : Crash in RenderBox::paintMaskImages due to a mask without an associated image<br>
+The test passes if it does not CRASH (normally the output is a white page)</p>
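Review bot: the rule `-webkit-mask-image:none,none,url(x);` exercises only one list shape and only the path without a mask-box-image, while the RenderBox.cpp change also touches the `maskBoxImage && hasMaskLayerWithImage` branch and adds a skip when no layer has an image. Consider adding a second case that sets a mask-box-image alongside the same mask-image list, and one where every layer is `none`, so that both the composite branch and the new `else if (hasMaskLayerWithImage)` skip are covered by a regression test.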
Modified: trunk/Source/WebCore/ChangeLog (95234 => 95235)
--- trunk/Source/WebCore/ChangeLog 2011-09-15 21:57:23 UTC (rev 95234)
+++ trunk/Source/WebCore/ChangeLog 2011-09-15 21:59:10 UTC (rev 95235)
@@ -1,3 +1,21 @@
+2011-09-15 Julien Chaffraix <jchaffr...@webkit.org>
+
+ Crash in RenderBox::paintMaskImages due to a mask without an associated image
+ https://bugs.webkit.org/show_bug.cgi?id=50151
+
+ Reviewed by Simon Fraser.
+
+ Test: fast/css/empty-webkit-mask-crash.html
+
+ The crash stems from the fact that FillLayer::hasImage would walk over the linked list
+ of FillLayers and return true if one had an image. This means that hasImage() is true
+ does not mean that image() is non-NULL on all FillLayers.
+
+ * rendering/RenderBox.cpp:
+ (WebCore::RenderBox::paintMaskImages): Simplify the logic by doing the hasImage() check up-front
+ and properly check image() for each FillLayers. This has the nice benefit of changing the complexity
+ from O(n^2) to O(n), which was what the code expected anyway.
+
2011-09-15 Eric Seidel <e...@webkit.org>
Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default
Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (95234 => 95235)
--- trunk/Source/WebCore/rendering/RenderBox.cpp 2011-09-15 21:57:23 UTC (rev 95234)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp 2011-09-15 21:59:10 UTC (rev 95235)
@@ -949,10 +949,11 @@
if (!allMaskImagesLoaded)
pushTransparencyLayer = true;
- if (maskBoxImage && maskLayers->hasImage()) {
+ bool hasMaskLayerWithImage = maskLayers->hasImage();
+ if (maskBoxImage && hasMaskLayerWithImage) {
// We have a mask-box-image and mask-image, so need to composite them together before using the result as a mask.
pushTransparencyLayer = true;
- } else {
+ } else if (hasMaskLayerWithImage) {
// We have to use an extra image buffer to hold the mask. Multiple mask images need
// to composite together using source-over so that they can then combine into a single unified mask that
// can be composited with the content using destination-in. SVG images need to be able to set compositing modes
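Review bot: at `bool hasMaskLayerWithImage = maskLayers->hasImage();` nothing at the call site says that hasImage() answers for the whole list rather than for the first layer, which is the misunderstanding the ChangeLog entry names as the cause of the crash. A one-line comment on that line stating the list-wide meaning would keep the next reader from making the same assumption, and the local can be declared `const` since it is only read afterwards.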
@@ -961,7 +962,7 @@
// We have to check that the mask images to be rendered contain at least one image that can be actually used in rendering
// before pushing the transparency layer.
for (const FillLayer* fillLayer = maskLayers->next(); fillLayer; fillLayer = fillLayer->next()) {
- if (fillLayer->hasImage() && fillLayer->image()->canRender(style()->effectiveZoom())) {
+ if (fillLayer->image() && fillLayer->image()->canRender(style()->effectiveZoom())) {
pushTransparencyLayer = true;
// We found one image that can be used in rendering, exit the loop
break;
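Review bot: in the loop condition, `fillLayer->image()` is called twice on the same layer; holding the result in a local before the test would make it obvious that the null check and the `canRender()` call refer to the same pointer. The loop also starts at `maskLayers->next()`, so the first layer's image is never examined here; if that is intentional, a short comment saying why would help.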