Title: [137668] branches/chromium/1312
- Revision
- 137668
- Author
- [email protected]
- Date
- 2012-12-13 15:33:45 -0800 (Thu, 13 Dec 2012)
Log Message
Merge 136560
BUG=158199
Review URL: https://codereview.chromium.org/11565023
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1312/LayoutTests/fast/css/image-set-value-not-removed-crash-expected.txt (from rev 136560, trunk/LayoutTests/fast/css/image-set-value-not-removed-crash-expected.txt) (0 => 137668)
--- branches/chromium/1312/LayoutTests/fast/css/image-set-value-not-removed-crash-expected.txt (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/css/image-set-value-not-removed-crash-expected.txt 2012-12-13 23:33:45 UTC (rev 137668)
@@ -0,0 +1,2 @@
+PASS. WebKit didn't crash.
+
Copied: branches/chromium/1312/LayoutTests/fast/css/image-set-value-not-removed-crash.html (from rev 136560, trunk/LayoutTests/fast/css/image-set-value-not-removed-crash.html) (0 => 137668)
--- branches/chromium/1312/LayoutTests/fast/css/image-set-value-not-removed-crash.html (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/css/image-set-value-not-removed-crash.html 2012-12-13 23:33:45 UTC (rev 137668)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+A
+<style>
+@-webkit-keyframes anim1 {
+ 0% {
+ opacity: 0.5772; border-image: 26829%;
+ }
+ 100% {
+ opacity: 0.3167;
+ }
+}
+* {
+ -webkit-animation-name: anim1;
+ -webkit-animation-duration: 1s;
+}
+.class1 {
+ border-image: -webkit-image-set(url(#does-not-exist) 25x, url("does-not-exist.gif") 206x) 2 126 158 166 fill;
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var docElement = document.body;
+docElement.contentEditable = "true";
+
+function crash() {
+ test1 = document.createElementNS("http://www.w3.org/1999/xhtml", "td");
+ test1.setAttribute("class", "class1");
+ docElement.appendChild(test1);
+ document.execCommand("SelectAll", false, null)
+ document.execCommand("InsertText", false, "PASS. WebKit didn't crash.")
+ for (i = 0; i != 49; i++)
+ window.getSelection().modify("move", "forward", "character");
+
+ document.execCommand("Italic", false, null);
+}
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
+</html>
\ No newline at end of file
Modified: branches/chromium/1312/Source/WebCore/css/CSSImageSetValue.cpp (137667 => 137668)
--- branches/chromium/1312/Source/WebCore/css/CSSImageSetValue.cpp 2012-12-13 23:31:55 UTC (rev 137667)
+++ branches/chromium/1312/Source/WebCore/css/CSSImageSetValue.cpp 2012-12-13 23:33:45 UTC (rev 137668)
@@ -51,6 +51,8 @@
CSSImageSetValue::~CSSImageSetValue()
{
+ if (m_imageSet && m_imageSet->isCachedImageSet())
+ static_cast<StyleCachedImageSet*>(m_imageSet.get())->clearImageSetValue();
}
void CSSImageSetValue::fillImageSet()
Modified: branches/chromium/1312/Source/WebCore/rendering/style/StyleCachedImageSet.h (137667 => 137668)
--- branches/chromium/1312/Source/WebCore/rendering/style/StyleCachedImageSet.h 2012-12-13 23:31:55 UTC (rev 137667)
+++ branches/chromium/1312/Source/WebCore/rendering/style/StyleCachedImageSet.h 2012-12-13 23:33:45 UTC (rev 137668)
@@ -58,6 +58,8 @@
CachedImage* cachedImage() const { return m_bestFitImage.get(); }
+ void clearImageSetValue() { m_imageSetValue = 0; }
+
virtual bool canRender(const RenderObject*, float multiplier) const;
virtual bool isLoaded() const;
virtual bool errorOccurred() const;
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
