Reviewed by Maciej.
WebCore:
        Fix for rdar://problem/4849948 -- JSCanvasRenderingContext2D::drawImage
        crashes when given invalid arguments.

        JSCanvasRenderingContext2D frequently casts from JSValue* to JSObject*
        and then checks isObject *after* the cast.  JSObject::isObject is unsafe 
        if applied to a JSImmediate value (null, undefined, etc).  This patch 
        corrects the logic in a number of places by performing the isObject check
        before casting to JSObject.

        * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
        (WebCore::JSCanvasRenderingContext2D::drawImage):
        (WebCore::JSCanvasRenderingContext2D::drawImageFromRect):
        (WebCore::JSCanvasRenderingContext2D::createPattern):

LayoutTests:
        Layout tests for rdar://problem/4849948
        Make sure we don't crash when passing invalid args to Canvas::drawImage

        * fast/canvas/drawImage-with-invalid-args-expected.checksum: Added.
        * fast/canvas/drawImage-with-invalid-args-expected.png: Added.
        * fast/canvas/drawImage-with-invalid-args-expected.txt: Added.
        * fast/canvas/drawImage-with-invalid-args.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@20746 268f45cc-cd09-0410-ab3c-d52691b4dbfc