Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (116895 => 116896)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-13 13:45:51 UTC (rev 116895)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-13 13:46:12 UTC (rev 116896)
@@ -1,3 +1,13 @@
+2012-03-13 Stephen Chenney <[email protected]>
+
+ Crash in WebCore::GraphicsContext::paintingDisabled
+ https://bugs.webkit.org/show_bug.cgi?id=80669
+
+ Reviewed by Nikolas Zimmermann.
+
+ * svg/custom/circular-clip-path-references-crash-expected.svg: Added.
+ * svg/custom/circular-clip-path-references-crash.svg: Added.
+
2012-03-09 Ken Buchanan <[email protected]>
Crash due to inserting letter into div with first-letter
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/circular-clip-path-references-crash-expected.svg (0 => 116896)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/circular-clip-path-references-crash-expected.svg (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/circular-clip-path-references-crash-expected.svg 2012-05-13 13:46:12 UTC (rev 116896)
@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+
+<text x="10" y="75">This test passes if it does not crash.</text>
+
+</svg>
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/circular-clip-path-references-crash.svg (0 => 116896)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/circular-clip-path-references-crash.svg (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/circular-clip-path-references-crash.svg 2012-05-13 13:46:12 UTC (rev 116896)
@@ -0,0 +1,25 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<defs>
+ <clipPath id="clip0">
+ <rect width="1" height="1" clip-path="url(#clip)" />
+
+ </clipPath>
+
+ <clipPath id="clip2">
+ <rect width="100" height="100" clip-path="url(#clip0)"/>
+ </clipPath>
+
+ <clipPath id="clip">
+ <rect width="1" height="1" clip-path="url(#clip2)"/>
+ </clipPath>
+
+ <mask id="mask1" x="0" y="0" width="1" height="1" maskContentUnits="objectBoundingBox">
+ <rect width="1" height="1" clip-path="url(#clip)" />
+ </mask>
+</defs>
+
+<text x="10" y="75">This test passes if it does not crash.</text>
+
+<circle r="50" mask="url(#mask1)"/>
+
+</svg>
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (116895 => 116896)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-13 13:45:51 UTC (rev 116895)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-13 13:46:12 UTC (rev 116896)
@@ -1,3 +1,32 @@
+2012-03-13 Stephen Chenney <[email protected]>
+
+ Crash in WebCore::GraphicsContext::paintingDisabled
+ https://bugs.webkit.org/show_bug.cgi?id=80669
+
+ Reviewed by Nikolas Zimmermann.
+
+ The SVGImageBufferTools::clipToImageBuffer method deletes the clip
+ image when it thinks it is not needed. However, there are cases when
+ it is in fact still needed, particularly when the clip buffer is
+ coming from higher up in the stack where it may be needed again.
+
+ So this patch adds a flag to only allow deletion of the image buffer
+ if it was created at the most recent call site.
+
+ Tests: svg/custom/circular-clip-path-references-crash-expected.svg
+ svg/custom/circular-clip-path-references-crash.svg
+
+ * rendering/svg/RenderSVGResourceClipper.cpp:
+ (WebCore::RenderSVGResourceClipper::applyClippingToContext):
+ * rendering/svg/RenderSVGResourceGradient.cpp:
+ (WebCore::clipToTextMask):
+ * rendering/svg/RenderSVGResourceMasker.cpp:
+ (WebCore::RenderSVGResourceMasker::applyResource):
+ * rendering/svg/SVGImageBufferTools.cpp:
+ (WebCore::SVGImageBufferTools::clipToImageBuffer):
+ * rendering/svg/SVGImageBufferTools.h:
+ (SVGImageBufferTools):
+
2012-03-09 Ken Buchanan <[email protected]>
Crash due to inserting letter into div with first-letter
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp (116895 => 116896)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp 2012-05-13 13:45:51 UTC (rev 116895)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp 2012-05-13 13:46:12 UTC (rev 116896)
@@ -155,7 +155,8 @@
bool RenderSVGResourceClipper::applyClippingToContext(RenderObject* object, const FloatRect& objectBoundingBox,
const FloatRect& repaintRect, GraphicsContext* context)
{
- if (!m_clipper.contains(object))
+ bool missingClipperData = !m_clipper.contains(object);
+ if (missingClipperData)
m_clipper.set(object, new ClipperData);
bool shouldCreateClipData = false;
@@ -201,7 +202,7 @@
if (!clipperData->clipMaskImage)
return false;
- SVGImageBufferTools::clipToImageBuffer(context, absoluteTransform, repaintRect, clipperData->clipMaskImage);
+ SVGImageBufferTools::clipToImageBuffer(context, absoluteTransform, repaintRect, clipperData->clipMaskImage, missingClipperData);
return true;
}
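Review bot: `missingClipperData` is passed as the new `safeToClear` argument on the call line, but its name only records that a ClipperData entry was created by this call, not that `clipMaskImage` was; a reader has to reconstruct the ownership argument (a cached buffer may still be in use by an enclosing clip-path reference further up the stack, which is the crash this patch fixes) from the ChangeLog. Suggest a comment above the call: `// Only release the buffer if this call created the ClipperData (and so the mask image); a cached buffer may still be referenced by an outer, circular clip-path frame.` The same applies to `missingMaskerData` in RenderSVGResourceMasker.cpp (hunks at -86 and -116). If an existing ClipperData can have a null `clipMaskImage` that gets recreated in the lines between the two hunks (outside this view), that buffer is now never cleared, which is the safe direction but changes caching behaviour and is worth stating in the comment if intended.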
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp (116895 => 116896)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp 2012-05-13 13:45:51 UTC (rev 116895)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp 2012-05-13 13:46:12 UTC (rev 116896)
@@ -98,7 +98,7 @@
SVGImageBufferTools::calculateTransformationToOutermostSVGCoordinateSystem(textRootBlock, absoluteTransform);
targetRect = textRootBlock->repaintRectInLocalCoordinates();
- SVGImageBufferTools::clipToImageBuffer(context, absoluteTransform, targetRect, imageBuffer);
+ SVGImageBufferTools::clipToImageBuffer(context, absoluteTransform, targetRect, imageBuffer, false);
AffineTransform matrix;
if (boundingBoxMode) {
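Review bot: The bare `false` on the new call line gives no hint which parameter it is or why this path must not release `imageBuffer`; a short comment above the call would carry that, e.g. `// safeToClear is false: the text-mask buffer belongs to the caller's gradient data and may be reused after this clip.` Before this change the gradient path cleared the buffer whenever the content transformation was non-identity, so this call now retains it unconditionally; that looks deliberate but deserves the comment. clipToTextMask starts and ends outside the hunk.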
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp (116895 => 116896)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp 2012-05-13 13:45:51 UTC (rev 116895)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp 2012-05-13 13:46:12 UTC (rev 116896)
@@ -86,7 +86,8 @@
ASSERT(context);
ASSERT_UNUSED(resourceMode, resourceMode == ApplyToDefaultMode);
- if (!m_masker.contains(object))
+ bool missingMaskerData = !m_masker.contains(object);
+ if (missingMaskerData)
m_masker.set(object, new MaskerData);
MaskerData* maskerData = m_masker.get(object);
@@ -116,7 +117,7 @@
if (!maskerData->maskImage)
return false;
- SVGImageBufferTools::clipToImageBuffer(context, absoluteTransform, repaintRect, maskerData->maskImage);
+ SVGImageBufferTools::clipToImageBuffer(context, absoluteTransform, repaintRect, maskerData->maskImage, missingMaskerData);
return true;
}
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGImageBufferTools.cpp (116895 => 116896)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGImageBufferTools.cpp 2012-05-13 13:45:51 UTC (rev 116895)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGImageBufferTools.cpp 2012-05-13 13:46:12 UTC (rev 116896)
@@ -121,7 +121,7 @@
contentTransformation = savedContentTransformation;
}
-void SVGImageBufferTools::clipToImageBuffer(GraphicsContext* context, const AffineTransform& absoluteTransform, const FloatRect& targetRect, OwnPtr<ImageBuffer>& imageBuffer)
+void SVGImageBufferTools::clipToImageBuffer(GraphicsContext* context, const AffineTransform& absoluteTransform, const FloatRect& targetRect, OwnPtr<ImageBuffer>& imageBuffer, bool safeToClear)
{
ASSERT(context);
ASSERT(imageBuffer);
@@ -136,7 +136,7 @@
// When nesting resources, with objectBoundingBox as content unit types, there's no use in caching the
// resulting image buffer as the parent resource already caches the result.
- if (!currentContentTransformation().isIdentity())
+ if (safeToClear && !currentContentTransformation().isIdentity())
imageBuffer.clear();
}
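Review bot: The comment two lines above the changed condition still describes only the old "no use in caching" rationale and says nothing about `safeToClear`, which is the part that prevents releasing a buffer an outer frame is still drawing through. Suggest extending it: `// Only release the buffer when the caller created it in this call (safeToClear); a buffer owned by an enclosing resource on the stack (e.g. circular clip-path references) would otherwise be destroyed while still in use.` A caller that passes true without owning the buffer reintroduces the original failure, so the contract belongs next to the check. clipToImageBuffer's signature is in the previous hunk, outside this one.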
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGImageBufferTools.h (116895 => 116896)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGImageBufferTools.h 2012-05-13 13:45:51 UTC (rev 116895)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGImageBufferTools.h 2012-05-13 13:46:12 UTC (rev 116896)
@@ -42,7 +42,7 @@
static bool createImageBufferForPattern(const FloatRect& absoluteTargetRect, const FloatRect& clampedAbsoluteTargetRect, OwnPtr<ImageBuffer>&, ColorSpace, RenderingMode);
static void renderSubtreeToImageBuffer(ImageBuffer*, RenderObject*, const AffineTransform&);
- static void clipToImageBuffer(GraphicsContext*, const AffineTransform& absoluteTransform, const FloatRect& targetRect, OwnPtr<ImageBuffer>&);
+ static void clipToImageBuffer(GraphicsContext*, const AffineTransform& absoluteTransform, const FloatRect& targetRect, OwnPtr<ImageBuffer>&, bool safeToClear);
static void calculateTransformationToOutermostSVGCoordinateSystem(const RenderObject*, AffineTransform& absoluteTransform);
static IntSize clampedAbsoluteSize(const IntSize&);
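Review bot: The new `bool safeToClear` parameter on the changed declaration is undocumented, and nothing in the header says what "safe" means or who decides it. Suggest a comment on the line above: `// safeToClear: pass true only if the caller created imageBuffer in this call; clipToImageBuffer may then release it, otherwise it is left for the owning resource.` Leaving the parameter without a default is right, since every call site has to make that ownership decision explicitly.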