Title: [179308] trunk
- Revision: 179308
- Author: [email protected]
- Date: 2015-01-28 15:20:36 -0800 (Wed, 28 Jan 2015)
Log Message
Regression(r177494): Bad cast to WebKitCSSResourceValue in StyleBuilderConverter::convertMaskImageOperations()
https://bugs.webkit.org/show_bug.cgi?id=140991
<rdar://problem/19625305>
Reviewed by Antti Koivisto.
Source/WebCore:
convertMaskImageOperations() was assuming that the CSSValueList's values
were always WebKitCSSResourceValue values. However, they can be
CSSInitialValues as well so we should check before casting.
Test: css3/masking/mask-image-initial-value-crash.html
* css/StyleBuilderConverter.h:
(WebCore::maskImageValueFromIterator):
(WebCore::StyleBuilderConverter::convertMaskImageOperations):
LayoutTests:
Add layout test to cover the case where a CSSValue is incorrectly cast to
a WebKitCSSResourceValue in StyleBuilderConverter::convertMaskImageOperations(),
thus hitting an assertion in downcast<>() on debug builds.
* css3/masking/mask-image-initial-value-crash-expected.txt: Added.
* css3/masking/mask-image-initial-value-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (179307 => 179308)
--- trunk/LayoutTests/ChangeLog 2015-01-28 22:52:22 UTC (rev 179307)
+++ trunk/LayoutTests/ChangeLog 2015-01-28 23:20:36 UTC (rev 179308)
@@ -1,3 +1,18 @@
+2015-01-28 Chris Dumez <[email protected]>
+
+ Regression(r177494): Bad cast to WebKitCSSResourceValue in StyleBuilderConverter::convertMaskImageOperations()
+ https://bugs.webkit.org/show_bug.cgi?id=140991
+ <rdar://problem/19625305>
+
+ Reviewed by Antti Koivisto.
+
+ Add layout test to cover the case where a CSSValue is incorrectly casted to
+ a WebKitCSSResourceValue in StyleBuilderConverter::convertMaskImageOperations(),
+ thus hitting an assertion in downcast<>() on debug builds.
+
+ * css3/masking/mask-image-initial-value-crash-expected.txt: Added.
+ * css3/masking/mask-image-initial-value-crash.html: Added.
+
2015-01-28 Brent Fulgham <[email protected]>
[Win] More gardening to get the bot green.
Added: trunk/LayoutTests/css3/masking/mask-image-initial-value-crash-expected.txt (0 => 179308)
--- trunk/LayoutTests/css3/masking/mask-image-initial-value-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/css3/masking/mask-image-initial-value-crash-expected.txt 2015-01-28 23:20:36 UTC (rev 179308)
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+
Added: trunk/LayoutTests/css3/masking/mask-image-initial-value-crash.html (0 => 179308)
--- trunk/LayoutTests/css3/masking/mask-image-initial-value-crash.html (rev 0)
+++ trunk/LayoutTests/css3/masking/mask-image-initial-value-crash.html 2015-01-28 23:20:36 UTC (rev 179308)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test passes if it doesn't crash.</p>
+<div id="testDiv"></div>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+testDiv.style.cssText += "-webkit-mask-position: 0px 0px, 1px 1px";
+testDiv.style.cssText += "-webkit-mask-position: 1px 1px;";
+</script>
+</body>
+</html>
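Review bot: The two `cssText +=` lines in the script carry no comment explaining why this particular sequence reaches the bad cast, which makes the test hard to maintain if mask property handling changes later. Add a short comment stating how setting two `-webkit-mask-position` layers and then one leads to a non-WebKitCSSResourceValue entry (the ChangeLog names CSSInitialValue) in the list that convertMaskImageOperations() walks. The first declaration also has no trailing `;` while the second does; if that difference matters for the repro, say so in the comment, otherwise make the two lines consistent. Finally, the script reaches the element through the implicit `testDiv` global; `document.getElementById("testDiv")` would be more explicit.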
Modified: trunk/Source/WebCore/ChangeLog (179307 => 179308)
--- trunk/Source/WebCore/ChangeLog 2015-01-28 22:52:22 UTC (rev 179307)
+++ trunk/Source/WebCore/ChangeLog 2015-01-28 23:20:36 UTC (rev 179308)
@@ -1,5 +1,23 @@
2015-01-28 Chris Dumez <[email protected]>
+ Regression(r177494): Bad cast to WebKitCSSResourceValue in StyleBuilderConverter::convertMaskImageOperations()
+ https://bugs.webkit.org/show_bug.cgi?id=140991
+ <rdar://problem/19625305>
+
+ Reviewed by Antti Koivisto.
+
+ convertMaskImageOperations() was assuming that the CSSValueList's values
+ were always WebKitCSSResourceValue values. However, they can be
+ CSSInitialValues as well so we should check before casting.
+
+ Test: css3/masking/mask-image-initial-value-crash.html
+
+ * css/StyleBuilderConverter.h:
+ (WebCore::maskImageValueFromIterator):
+ (WebCore::StyleBuilderConverter::convertMaskImageOperations):
+
+2015-01-28 Chris Dumez <[email protected]>
+
Remove dead code from MemoryCache
https://bugs.webkit.org/show_bug.cgi?id=140964
Modified: trunk/Source/WebCore/css/StyleBuilderConverter.h (179307 => 179308)
--- trunk/Source/WebCore/css/StyleBuilderConverter.h 2015-01-28 22:52:22 UTC (rev 179307)
+++ trunk/Source/WebCore/css/StyleBuilderConverter.h 2015-01-28 23:20:36 UTC (rev 179308)
@@ -1031,6 +1031,14 @@
return Nullopt;
}
+static inline WebKitCSSResourceValue* maskImageValueFromIterator(CSSValueList& maskImagesList, CSSValueList::iterator it)
+{
+ // May also be a CSSInitialValue.
+ if (it == maskImagesList.end() || !is<WebKitCSSResourceValue>(it->get()))
+ return nullptr;
+ return &downcast<WebKitCSSResourceValue>(it->get());
+}
+
inline Vector<RefPtr<MaskImageOperation>> StyleBuilderConverter::convertMaskImageOperations(StyleResolver& styleResolver, CSSValue& value)
{
Vector<RefPtr<MaskImageOperation>> operations;
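Review bot: `maskImageValueFromIterator()` returns nullptr both when `it` is at `end()` and when the entry is some other CSSValue, and the one-line comment `// May also be a CSSInitialValue.` does not document that contract. Expand the comment to state that nullptr means "no further usable mask image" for either reason, and that the `is<WebKitCSSResourceValue>()` check is what guards the `downcast<>()` on the next line. The log message only mentions the assertion firing on debug builds, so it is worth being explicit that the type check here, not the assertion, is the protection against treating a CSSInitialValue as a WebKitCSSResourceValue.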
@@ -1042,8 +1050,7 @@
else if (is<CSSValueList>(value)) {
maskImagesList = &downcast<CSSValueList>(value);
listIterator = maskImagesList->begin();
- if (listIterator != maskImagesList->end())
- maskImageValue = &downcast<WebKitCSSResourceValue>(listIterator->get());
+ maskImageValue = maskImageValueFromIterator(*maskImagesList, listIterator);
}
while (maskImageValue.get()) {
@@ -1074,10 +1081,9 @@
operations.append(newMaskImage);
- if (maskImagesList) {
- ++listIterator;
- maskImageValue = listIterator != maskImagesList->end() ? &downcast<WebKitCSSResourceValue>(listIterator->get()) : nullptr;
- } else
+ if (maskImagesList)
+ maskImageValue = maskImageValueFromIterator(*maskImagesList, ++listIterator);
+ else
maskImageValue = nullptr;
}
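Review bot: With `maskImageValue = maskImageValueFromIterator(*maskImagesList, ++listIterator);` the `while (maskImageValue.get())` loop now stops at the first list entry that is not a WebKitCSSResourceValue, so any resource values that follow a CSSInitialValue in the list are never appended to `operations`. If dropping the remaining layers is intended, add a comment here saying so; otherwise keep advancing past non-resource entries until `end()`. The added layout test only checks that there is no crash, so it would not catch a change in how many operations are produced.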