Title: [136558] trunk
Revision: 136558
Author: infe...@chromium.org
Date: 2012-12-04 13:29:22 -0800 (Tue, 04 Dec 2012)

Log Message

Crash in CachedResource::checkNotify due to -webkit-crossfade.
https://bugs.webkit.org/show_bug.cgi?id=98068

Reviewed by Nate Chapin.

Source/WebCore:

Make sure to not re-add the same client again for |m_cachedFromImage|
and |m_cachedToImage|. This would otherwise cause the CSSCrossfadeValue
client to not get removed from its cached image resource (when it is
going away).

Test: fast/images/crossfade-client-not-removed-crash.html

* css/CSSCrossfadeValue.cpp:
(WebCore::CSSCrossfadeValue::loadSubimages):

LayoutTests:

* fast/images/crossfade-client-not-removed-crash-expected.txt: Added.
* fast/images/crossfade-client-not-removed-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (136557 => 136558)


--- trunk/LayoutTests/ChangeLog	2012-12-04 21:19:25 UTC (rev 136557)
+++ trunk/LayoutTests/ChangeLog	2012-12-04 21:29:22 UTC (rev 136558)
@@ -1,3 +1,13 @@
+2012-12-04  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in CachedResource::checkNotify due to -webkit-crossfade.
+        https://bugs.webkit.org/show_bug.cgi?id=98068
+
+        Reviewed by Nate Chapin.
+
+        * fast/images/crossfade-client-not-removed-crash-expected.txt: Added.
+        * fast/images/crossfade-client-not-removed-crash.html: Added.
+
 2012-12-04  Roger Fong  <roger_f...@apple.com>
 
         Unreviewed. Skip flaky "fake mouse move tests" on Windows port.

Added: trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash-expected.txt (0 => 136558)


--- trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash-expected.txt	2012-12-04 21:29:22 UTC (rev 136558)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://-4294967295/
+PASS. WebKit didn't crash.
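Review bot: The first expected line, `Blocked access to external URL http://-4294967295/`, ties the pass result to the harness's blocking message and to how that URL is canonicalized, neither of which is what the test is about. If the crash still reproduces with a local or missing local resource as the second cross-fade image, prefer that so the expectation reduces to the PASS line.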

Added: trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash.html (0 => 136558)


--- trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash.html	2012-12-04 21:29:22 UTC (rev 136558)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<body id=tCF1>
+A
+<style>
+.class1 {
+    background-image: -webkit-cross-fade(url(#does-not-exist), url(http://-4294967295), 157%);
+}
+.class2:first-of-type {
+    -webkit-animation-direction: alternate;
+}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var docElement = document.body;
+docElement.contentEditable = "true";
+
+function crash() {
+    test1 = document.createElementNS("http://www.w3.org/1999/xhtml", "thead");
+    docElement.appendChild(test1);
+    test2 = document.createElementNS("http://www.w3.org/1999/xhtml", "intent");
+    test2.setAttribute("class", "class2");
+    docElement.appendChild(test2);
+    test1.setAttribute("class", "class1");
+    window.getSelection().selectAllChildren(tCF1);
+    document.execCommand("hilitecolor", false, "#FF0000");
+    document.execCommand("InsertText", false, "PASS. WebKit didn't crash.");
+}
+
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
+</html>
\ No newline at end of file
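Review bot: In crash(), `test1` and `test2` are assigned without `var` and become implicit globals, and `selectAllChildren(tCF1)` relies on the id-as-global lookup for `<body id=tCF1>`; declare the two locals with `var` and pass `docElement`, which already holds `document.body`. The case reads as a fuzzer reduction, so a short comment saying which pieces are needed to trigger the crash (the `-webkit-cross-fade` background on `.class1`, the `hilitecolor` command) would make it maintainable. The file also ends without a trailing newline, and the svn:executable property added for it is not needed on an HTML test.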
Property changes on: trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (136557 => 136558)


--- trunk/Source/WebCore/ChangeLog	2012-12-04 21:19:25 UTC (rev 136557)
+++ trunk/Source/WebCore/ChangeLog	2012-12-04 21:29:22 UTC (rev 136558)
@@ -1,3 +1,20 @@
+2012-12-04  Abhishek Arya  <infe...@chromium.org>
+
+        Crash in CachedResource::checkNotify due to -webkit-crossfade.
+        https://bugs.webkit.org/show_bug.cgi?id=98068
+
+        Reviewed by Nate Chapin.
+
+        Make sure to not re-add the same client again for |m_cachedFromImage|
+        and |m_cachedToImage|. This would otherwise cause the CSSCrossfadeValue
+        client to not get removed from its cached image resource (when it is
+        going away).
+
+        Test: fast/images/crossfade-client-not-removed-crash.html
+
+        * css/CSSCrossfadeValue.cpp:
+        (WebCore::CSSCrossfadeValue::loadSubimages):
+
 2012-12-04  Julien Chaffraix  <jchaffr...@webkit.org>
 
         Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
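Review bot: The entry describes only the "do not re-add the same client" half of the fix; the CSSCrossfadeValue.cpp change also calls removeClient on the previous image when the cached image changes. Add a sentence under the `(WebCore::CSSCrossfadeValue::loadSubimages):` line saying so, so the log matches the code.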

Modified: trunk/Source/WebCore/css/CSSCrossfadeValue.cpp (136557 => 136558)


--- trunk/Source/WebCore/css/CSSCrossfadeValue.cpp	2012-12-04 21:19:25 UTC (rev 136557)
+++ trunk/Source/WebCore/css/CSSCrossfadeValue.cpp	2012-12-04 21:29:22 UTC (rev 136558)
@@ -146,14 +146,26 @@
 
 void CSSCrossfadeValue::loadSubimages(CachedResourceLoader* cachedResourceLoader)
 {
+    CachedResourceHandle<CachedImage> oldCachedFromImage = m_cachedFromImage;
+    CachedResourceHandle<CachedImage> oldCachedToImage = m_cachedToImage;
+
     m_cachedFromImage = cachedImageForCSSValue(m_fromValue.get(), cachedResourceLoader);
     m_cachedToImage = cachedImageForCSSValue(m_toValue.get(), cachedResourceLoader);
 
-    if (m_cachedFromImage)
-        m_cachedFromImage->addClient(&m_crossfadeSubimageObserver);
-    if (m_cachedToImage)
-        m_cachedToImage->addClient(&m_crossfadeSubimageObserver);
+    if (m_cachedFromImage != oldCachedFromImage) {
+        if (oldCachedFromImage)
+            oldCachedFromImage->removeClient(&m_crossfadeSubimageObserver);
+        if (m_cachedFromImage)
+            m_cachedFromImage->addClient(&m_crossfadeSubimageObserver);
+    }
 
+    if (m_cachedToImage != oldCachedToImage) {
+        if (oldCachedToImage)
+            oldCachedToImage->removeClient(&m_crossfadeSubimageObserver);
+        if (m_cachedToImage)
+            m_cachedToImage->addClient(&m_crossfadeSubimageObserver);
+    }
+
     m_crossfadeSubimageObserver.setReady(true);
 }
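Review bot: The old/new comparison is done per slot, so when the from and to values exchange resources (the old to-image becomes the new from-image) or both resolve to the same CachedImage, one resource sees both addClient and removeClient for the same observer within a single call; the observer only stays registered in that case if client registration is counted, which is worth confirming or asserting here. The two `if (m_cached...Image != oldCached...Image)` blocks are identical apart from the member, so a small static helper taking the old and new handles would remove the duplication. A one-line comment on why the old handles are copied before the reassignment would also help the next reader.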
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
