Title: [101091] trunk
- Revision: 101091
- Author: an...@apple.com
- Date: 2011-11-23 10:33:59 -0800 (Wed, 23 Nov 2011)
Log Message
https://bugs.webkit.org/show_bug.cgi?id=72354
Image pointer in FillLayer not cleared correctly
Reviewed by Dan Bernstein.
Source/WebCore:
Test: fast/css/fill-layer-crash.html
We should clear the image pointer too, not just the m_imageSet bit.
* rendering/style/FillLayer.h:
(WebCore::FillLayer::clearImage):
LayoutTests:
* fast/css/fill-layer-crash-expected.txt: Added.
* fast/css/fill-layer-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (101090 => 101091)
--- trunk/LayoutTests/ChangeLog 2011-11-23 18:29:05 UTC (rev 101090)
+++ trunk/LayoutTests/ChangeLog 2011-11-23 18:33:59 UTC (rev 101091)
@@ -1,3 +1,13 @@
+2011-11-23 Antti Koivisto <an...@apple.com>
+
+ https://bugs.webkit.org/show_bug.cgi?id=72354
+ Image pointer in FillLayer not cleared correctly
+
+ Reviewed by Dan Bernstein.
+
+ * fast/css/fill-layer-crash-expected.txt: Added.
+ * fast/css/fill-layer-crash.html: Added.
+
2011-11-23 Mike Reed <r...@google.com>
[skia] need rebaselining after skia rev. 2735 lands
Added: trunk/LayoutTests/fast/css/fill-layer-crash-expected.txt (0 => 101091)
--- trunk/LayoutTests/fast/css/fill-layer-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/fill-layer-crash-expected.txt 2011-11-23 18:33:59 UTC (rev 101091)
@@ -0,0 +1 @@
+This test works if it doesn't crash.
Added: trunk/LayoutTests/fast/css/fill-layer-crash.html (0 => 101091)
--- trunk/LayoutTests/fast/css/fill-layer-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/fill-layer-crash.html 2011-11-23 18:33:59 UTC (rev 101091)
@@ -0,0 +1,25 @@
+<html>
+<head id="head">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<style>
+* {background-image:inherit;}
+</style>
+</head>
+<body>
+ <span></span>
+</body>
+<script>
+document.body.style.background=""
+var head = document.getElementById("head");
+style = document.createElement("style");
+style.type = "text/css";
+var rule = document.createTextNode("* {content:counter(mycount_id)}");
+style.appendChild(rule);
+head.appendChild(style);
+document.body.setAttribute("style","line-height:128mm;");
+</script>
+This test works if it doesn't crash.
+</html>
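Review bot: The test does not say which of its steps is expected to reach FillLayer::clearImage(), and its only pass condition is that the page survives, so it would keep passing if a later change stopped these steps from exercising that path at all. A short comment beside `* {background-image:inherit;}` and `document.body.style.background=""` naming bug 72354 and the step that matters would make the test maintainable. Smaller points: `style = document.createElement("style");` creates an implicit global while the line before it uses `var`, and the `document.body.style.background=""` statement has no terminating semicolon.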
Modified: trunk/Source/WebCore/ChangeLog (101090 => 101091)
--- trunk/Source/WebCore/ChangeLog 2011-11-23 18:29:05 UTC (rev 101090)
+++ trunk/Source/WebCore/ChangeLog 2011-11-23 18:33:59 UTC (rev 101091)
@@ -1,3 +1,17 @@
+2011-11-23 Antti Koivisto <an...@apple.com>
+
+ https://bugs.webkit.org/show_bug.cgi?id=72354
+ Image pointer in FillLayer not cleared correctly
+
+ Reviewed by Dan Bernstein.
+
+ Test: fast/css/fill-layer-crash.html
+
+ We should clear the image pointer too, not just the m_imageSet bit.
+
+ * rendering/style/FillLayer.h:
+ (WebCore::FillLayer::clearImage):
+
2011-11-23 Sheriff Bot <webkit.review....@gmail.com>
Unreviewed, rolling out r101057.
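Review bot: The entry's one explanatory line, "We should clear the image pointer too, not just the m_imageSet bit.", states the fix but not the failure. The test name indicates a crash, so a sentence on what went wrong when m_image stayed set after m_imageSet was reset would help anyone triaging bug 72354 or deciding whether the change needs merging to a branch.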
Modified: trunk/Source/WebCore/rendering/style/FillLayer.h (101090 => 101091)
--- trunk/Source/WebCore/rendering/style/FillLayer.h 2011-11-23 18:29:05 UTC (rev 101090)
+++ trunk/Source/WebCore/rendering/style/FillLayer.h 2011-11-23 18:33:59 UTC (rev 101091)
@@ -105,7 +105,7 @@
void setSizeLength(LengthSize l) { m_sizeLength = l; }
void setSize(FillSize f) { m_sizeType = f.type; m_sizeLength = f.size; }
- void clearImage() { m_imageSet = false; }
+ void clearImage() { m_image.clear(); m_imageSet = false; }
void clearXPosition() { m_xPosSet = false; }
void clearYPosition() { m_yPosSet = false; }
void clearAttachment() { m_attachmentSet = false; }
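Review bot: On the changed `clearImage()` line, the invariant being restored (m_image must not stay set once m_imageSet is reset) is not written down anywhere, and the neighbouring `clearXPosition()`, `clearYPosition()` and `clearAttachment()` still reset only their flag. It is worth confirming that none of the other clear* helpers guards a member that also needs releasing, and adding a one-line comment here, or an assertion where m_image is read, so the flag and the pointer cannot drift apart again.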