Modified: branches/safari-537.74-branch/LayoutTests/ChangeLog (161455 => 161456)
--- branches/safari-537.74-branch/LayoutTests/ChangeLog 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/LayoutTests/ChangeLog 2014-01-07 22:27:44 UTC (rev 161456)
@@ -1,3 +1,17 @@
+2014-01-07 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r160479
+
+ 2013-12-11 Darin Adler <da...@apple.com>
+
+ StylePendingImage needs to correctly manage the CSSValue pointer lifetime
+ https://bugs.webkit.org/show_bug.cgi?id=125468
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/pending-image-crash-expected.txt: Added.
+ * fast/css/pending-image-crash.xhtml: Added.
+
2013-12-19 Matthew Hanson <matthew_han...@apple.com>
Merge r160826: <rdar://problems/15701133>
Copied: branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash-expected.txt (from rev 160479, trunk/LayoutTests/fast/css/pending-image-crash-expected.txt) (0 => 161456)
--- branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash-expected.txt (rev 0)
+++ branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash-expected.txt 2014-01-07 22:27:44 UTC (rev 161456)
@@ -0,0 +1,5 @@
+PASS test did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash.xhtml (from rev 160479, trunk/LayoutTests/fast/css/pending-image-crash.xhtml) (0 => 161456)
--- branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash.xhtml (rev 0)
+++ branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash.xhtml 2014-01-07 22:27:44 UTC (rev 161456)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head id="head">
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+var count = 0;
+for (i = 0; i != 50; i++) {
+ setTimeout(function() {
+ var head = document.getElementsByTagName("head")[0];
+ var style = document.createElement("style");
+ style.innerHTML=":first-of-type {-webkit-border-image:-webkit-cross-fade(url(#head), url(#head), 100%);}";
+ head.appendChild(style);
+ count++;
+ if (count == 50) {
+ testPassed("test did not crash");
+ finishJSTest();
+ }
+ }, 36);
+}
+</script>
+<script src=""
+</head>
+</html>
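Review bot: The loop header `for (i = 0; i != 50; i++)` assigns the undeclared name `i`, which in this non-strict script silently creates a global, while `count` two lines above is properly declared; the line should read `for (var i = 0; i != 50; i++) {`. Separately, the two `<script src=""` lines as rendered here carry empty `src` values and no closing `</script>`, which is not well-formed XHTML; presumably the test-harness include paths were lost when this page was rendered, but that is worth confirming against the file in the branch.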
Modified: branches/safari-537.74-branch/Source/WebCore/ChangeLog (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/ChangeLog 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/ChangeLog 2014-01-07 22:27:44 UTC (rev 161456)
@@ -1,3 +1,58 @@
+2014-01-07 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r160479
+
+ 2013-12-11 Darin Adler <da...@apple.com>
+
+ StylePendingImage needs to correctly manage the CSSValue pointer lifetime
+ https://bugs.webkit.org/show_bug.cgi?id=125468
+
+ Reviewed by Andreas Kling.
+
+ Test: fast/css/pending-image-crash.xhtml
+
+ Disconnect the reference counted StylePendingImage from the CSSValue that owns
+ it when it's not needed any more, otherwise we could end up using a pointer
+ that might no longer be valid.
+
+ * css/CSSCursorImageValue.cpp:
+ (WebCore::CSSCursorImageValue::detachPendingImage): Added. Calls detachFromCSSValue
+ on the current image if it is a StylePendingImage.
+ (WebCore::CSSCursorImageValue::~CSSCursorImageValue): Call detachPendingImage.
+ (WebCore::CSSCursorImageValue::cachedImage): Call detachPendingImage before changing
+ m_image to a new value.
+ (WebCore::CSSCursorImageValue::clearCachedImage): Ditto.
+ * css/CSSCursorImageValue.h: Added detachPendingImage.
+
+ * css/CSSImageSetValue.cpp:
+ (WebCore::CSSImageSetValue::detachPendingImage): Added. Calls detachFromCSSValue
+ on the current image set if it is a StylePendingImage.
+ (WebCore::CSSImageSetValue::~CSSImageSetValue): Call detachPendingImage.
+ (WebCore::CSSImageSetValue::cachedImageSet): Call detachPendingImage before changing
+ m_imageSet to a new value.
+ * css/CSSImageSetValue.h: Added detachPendingImage.
+
+ * css/CSSImageValue.cpp:
+ (WebCore::CSSImageValue::detachPendingImage): Added. Calls detachFromCSSValue on the
+ current image if it is a StylePendingImage.
+ (WebCore::CSSImageValue::~CSSImageValue): Call detachPendingImage.
+ (WebCore::CSSImageValue::cachedImage): Call detachPendingImage before changing m_image
+ to a new value.
+ * css/CSSImageValue.h: Added detachPendingImage.
+
+ * rendering/style/StylePendingImage.h:
+ (WebCore::StylePendingImage::cssImageValue): Added a null check.
+ (WebCore::StylePendingImage::cssImageGeneratorValue): Added a null check.
+ (WebCore::StylePendingImage::cssCursorImageValue): Added a null check.
+ (WebCore::StylePendingImage::cssImageSetValue): Added a null check.
+ (WebCore::StylePendingImage::detachFromCSSValue): Added. Sets m_value to null since
+ the style is no longer using this StylePendingImage.
+ (WebCore::StylePendingImage::data): Changed to use the "this" pointer since all we
+ need is some arbitrary pointer uniquely identifying the image. Before loading the image,
+ we have no suitable weak identifier, so it suffices to use the unique pointer to each
+ StylePendingImage object. This function is used only in a limited way; it would be nice
+ to find a way to make the code less strange long term.
+
2013-12-23 Matthew Hanson <matthew_han...@apple.com>
Merge 161050: <rdar://problem/15754482>
Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.cpp (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.cpp 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.cpp 2014-01-07 22:27:44 UTC (rev 161456)
@@ -67,8 +67,16 @@
{
}
+inline void CSSCursorImageValue::detachPendingImage()
+{
+ if (m_image && m_image->isPendingImage())
+ static_cast<StylePendingImage&>(*m_image).detachFromCSSValue();
+}
+
CSSCursorImageValue::~CSSCursorImageValue()
{
+ detachPendingImage();
+
#if ENABLE(SVG)
if (!isSVGCursor())
return;
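Review bot: The new `detachPendingImage` body here is repeated byte-for-byte in CSSImageSetValue.cpp and CSSImageValue.cpp in this same commit, and none of the three copies says why it must run before `m_image` is replaced or this object is destroyed. Given the reason recorded in the WebCore ChangeLog, a one-line comment above the definition would help the next reader: `// Clear the StylePendingImage's raw back-pointer to this value before m_image is replaced or this object dies; the pending image is refcounted and may outlive us.` The `inline` on a definition in the .cpp is only safe because every caller lives in this translation unit, which also deserves a word. `~CSSCursorImageValue` continues past the end of this hunk.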
@@ -153,6 +161,7 @@
RefPtr<CSSImageValue> imageValue = static_cast<CSSImageValue*>(m_imageValue.get());
// FIXME: This will fail if the <cursor> element is in a shadow DOM (bug 59827)
if (SVGCursorElement* cursorElement = resourceReferencedByCursorElement(imageValue->url(), loader->document())) {
+ detachPendingImage();
RefPtr<CSSImageValue> svgImageValue = CSSImageValue::create(cursorElement->href());
StyleCachedImage* cachedImage = svgImageValue->cachedImage(loader);
m_image = cachedImage;
@@ -161,8 +170,10 @@
}
#endif
- if (m_imageValue->isImageValue())
- m_image = static_cast<CSSImageValue*>(m_imageValue.get())->cachedImage(loader);
+ if (m_imageValue->isImageValue()) {
+ detachPendingImage();
+ m_image = static_cast<CSSImageValue*>(m_imageValue.get())->cachedImage(loader);
+ }
}
if (m_image && m_image->isCachedImage())
@@ -205,7 +216,8 @@
void CSSCursorImageValue::clearCachedImage()
{
- m_image = 0;
+ detachPendingImage();
+ m_image = nullptr;
m_accessedImage = false;
}
Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.h (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.h 2014-01-07 22:27:44 UTC (rev 161456)
@@ -64,6 +64,8 @@
private:
CSSCursorImageValue(PassRefPtr<CSSValue> imageValue, bool hasHotSpot, const IntPoint& hotSpot);
+ void detachPendingImage();
+
#if ENABLE(SVG)
bool isSVGCursor() const;
String cachedImageURL();
Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.cpp (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.cpp 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.cpp 2014-01-07 22:27:44 UTC (rev 161456)
@@ -49,8 +49,16 @@
{
}
+inline void CSSImageSetValue::detachPendingImage()
+{
+ if (m_imageSet && m_imageSet->isPendingImage())
+ static_cast<StylePendingImage&>(*m_imageSet).detachFromCSSValue();
+}
+
CSSImageSetValue::~CSSImageSetValue()
{
+ detachPendingImage();
+
if (m_imageSet && m_imageSet->isCachedImageSet())
static_cast<StyleCachedImageSet*>(m_imageSet.get())->clearImageSetValue();
}
@@ -114,6 +122,7 @@
CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)));
request.setInitiator(cachedResourceRequestInitiators().css);
if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
+ detachPendingImage();
m_imageSet = StyleCachedImageSet::create(cachedImage.get(), image.scaleFactor, this);
m_accessedBestFitImage = true;
}
Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.h (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.h 2014-01-07 22:27:44 UTC (rev 161456)
@@ -71,6 +71,7 @@
CSSImageSetValue();
CSSImageSetValue(const CSSImageSetValue& cloneFrom);
+ void detachPendingImage();
void fillImageSet();
static inline bool compareByScaleFactor(ImageWithScale first, ImageWithScale second) { return first.scaleFactor < second.scaleFactor; }
Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.cpp (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.cpp 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.cpp 2014-01-07 22:27:44 UTC (rev 161456)
@@ -51,8 +51,15 @@
{
}
+inline void CSSImageValue::detachPendingImage()
+{
+ if (m_image && m_image->isPendingImage())
+ static_cast<StylePendingImage&>(*m_image).detachFromCSSValue();
+}
+
CSSImageValue::~CSSImageValue()
{
+ detachPendingImage();
}
StyleImage* CSSImageValue::cachedOrPendingImage()
@@ -75,8 +82,10 @@
request.setInitiator(cachedResourceRequestInitiators().css);
else
request.setInitiator(m_initiatorName);
- if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request))
+ if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
+ detachPendingImage();
m_image = StyleCachedImage::create(cachedImage.get());
+ }
}
return (m_image && m_image->isCachedImage()) ? static_cast<StyleCachedImage*>(m_image.get()) : 0;
Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.h (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.h 2014-01-07 22:27:44 UTC (rev 161456)
@@ -59,6 +59,7 @@
private:
explicit CSSImageValue(const String& url);
CSSImageValue(const String& url, StyleImage*);
+ void detachPendingImage();
String m_url;
RefPtr<StyleImage> m_image;
Modified: branches/safari-537.74-branch/Source/WebCore/rendering/style/StylePendingImage.h (161455 => 161456)
--- branches/safari-537.74-branch/Source/WebCore/rendering/style/StylePendingImage.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/rendering/style/StylePendingImage.h 2014-01-07 22:27:44 UTC (rev 161456)
@@ -32,7 +32,6 @@
#include "CSSImageSetValue.h"
#endif
#include "CSSImageValue.h"
-#include "Image.h"
#include "StyleImage.h"
namespace WebCore {
@@ -48,12 +47,14 @@
virtual WrappedImagePtr data() const { return static_cast<CSSImageValue*>(m_value); }
virtual PassRefPtr<CSSValue> cssValue() const { return m_value; }
- CSSImageValue* cssImageValue() const { return m_value->isImageValue() ? static_cast<CSSImageValue*>(m_value) : 0; }
- CSSImageGeneratorValue* cssImageGeneratorValue() const { return m_value->isImageGeneratorValue() ? static_cast<CSSImageGeneratorValue*>(m_value) : 0; }
- CSSCursorImageValue* cssCursorImageValue() const { return m_value->isCursorImageValue() ? static_cast<CSSCursorImageValue*>(m_value) : 0; }
+ CSSImageValue* cssImageValue() const { return m_value && m_value->isImageValue() ? static_cast<CSSImageValue*>(m_value) : nullptr; }
+ CSSImageGeneratorValue* cssImageGeneratorValue() const { return m_value && m_value->isImageGeneratorValue() ? static_cast<CSSImageGeneratorValue*>(m_value) : nullptr; }
+ CSSCursorImageValue* cssCursorImageValue() const { return m_value && m_value->isCursorImageValue() ? static_cast<CSSCursorImageValue*>(m_value) : nullptr; }
#if ENABLE(CSS_IMAGE_SET)
- CSSImageSetValue* cssImageSetValue() const { return m_value->isImageSetValue() ? static_cast<CSSImageSetValue*>(m_value) : 0; }
+ CSSImageSetValue* cssImageSetValue() const { return m_value && m_value->isImageSetValue() ? static_cast<CSSImageSetValue*>(m_value) : nullptr; }
#endif
+
+ void detachFromCSSValue() { m_value = nullptr; }
virtual LayoutSize imageSize(const RenderObject*, float /*multiplier*/) const OVERRIDE { return LayoutSize(); }
virtual bool imageHasRelativeWidth() const { return false; }
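Review bot: `data()` on the first context line of this hunk still returns `static_cast<CSSImageValue*>(m_value)`, so once `detachFromCSSValue()` sets `m_value` to `nullptr` every detached pending image reports the same null identity, and the cast is applied to a value that the accessors below show need not be a CSSImageValue at all. The WebCore ChangeLog in this commit states that `data()` was changed to use the `this` pointer, but no such change appears in this hunk; either the merge dropped it or the ChangeLog entry is inaccurate, and the two should be reconciled. If the code change was intended, the line would become `virtual WrappedImagePtr data() const { return const_cast<StylePendingImage*>(this); }`, assuming `WrappedImagePtr` accepts an object pointer as the ChangeLog implies.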
@@ -81,4 +82,5 @@
};
}
+
#endif