Commit 3b543a32 authored by jchaffraix@webkit.org

Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled

https://bugs.webkit.org/show_bug.cgi?id=68133

Reviewed by Darin Adler.

.:

* Source/autotools/symbols.filter: Added the mangled symbols needed for window.internals

Source/WebCore:

Tests: fast/css/webkit-mask-crash-fieldset-legend.html
       fast/css/webkit-mask-crash-figure.html
       fast/css/webkit-mask-crash-table.html
       fast/css/webkit-mask-crash-td-2.html
       fast/css/webkit-mask-crash-td.html

GraphicsContext::getCTM crashes if called with a GraphicsContext that has painting
disabled. RenderBox::paintMaskImages would thus crash if called in this condition.

This change just modifies the different GraphicsContext::getCTM methods to bail early
if painting is disabled on the GraphicsContext. The rest of the change exposes
paintControlTints, which exposes this.

* WebCore.exp.in: Added symbols of the newly exported window.internals function.

* page/FrameView.cpp:
(WebCore::FrameView::updateControlTints): Split this function in 2 so that
I can expose the internal paintControlTints.

(WebCore::FrameView::paintControlTints):
This is the one exposed to Internals as we want to be testable regardless of
whether the platform supports control tints.

* page/FrameView.h: Added paintControlTints.

* testing/Internals.cpp:
(WebCore::Internals::paintControlTints):
* testing/Internals.h:
* testing/Internals.idl:
Added a way to force a fake painting so that we can easily reproduce the bugs.

* platform/graphics/cairo/GraphicsContextCairo.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/cg/GraphicsContextCG.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/qt/GraphicsContextQt.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/skia/GraphicsContextSkia.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/wince/GraphicsContextWinCE.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/wx/GraphicsContextWx.cpp:
(WebCore::GraphicsContext::getCTM):
Fixed all our back-ends to exit early if painting is disabled.

Source/WebKit2:

* win/WebKit2.def:
* win/WebKit2CFLite.def:
Exported the new FrameView::paintControlTints function.

LayoutTests:

Those tests check that we do not crash when calling internals.paintControlTints.

* platform/mac/Skipped: Skipped 2 tests as they are hitting an ASSERT unrelated to
this change on Mac.

* fast/css/webkit-mask-crash-fieldset-legend-expected.txt: Added.
* fast/css/webkit-mask-crash-fieldset-legend.html: Added.
* fast/css/webkit-mask-crash-figure-expected.txt: Added.
* fast/css/webkit-mask-crash-figure.html: Added.
* fast/css/webkit-mask-crash-table-expected.txt: Added.
* fast/css/webkit-mask-crash-table.html: Added.
* fast/css/webkit-mask-crash-td-2-expected.txt: Added.
* fast/css/webkit-mask-crash-td-2.html: Added.
* fast/css/webkit-mask-crash-td-expected.txt: Added.
* fast/css/webkit-mask-crash-td.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95685 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 9d8a10cf
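The guard the commit message describes, getCTM returning early on a painting-disabled context instead of reaching into a backend that is not there, as an added C++ model written for this page. It is not WebKit's GraphicsContext: AffineTransform, PlatformContext, Rect and the mapRect* helpers are assumed stand-ins, and the caller is a simplified analogue of what RenderBox::paintMaskImages needs from the CTM. It also shows the alternative of putting the check once in a shared wrapper rather than repeating it in each platform file.

```cpp
// Added example, not WebKit code: a minimal model of the guard this commit adds.
// A GraphicsContext built from a null platform context is the "painting disabled"
// state that FrameView::paintControlTints drives through the render tree; any
// query that touches the backend before checking paintingDisabled() dereferences
// null, which is the crash the commit fixes.
#include <cstdio>

// 2x3 affine matrix [a c e; b d f]. The default is the identity, which is what
// the fixed getCTM returns when painting is disabled.
struct AffineTransform {
    double a = 1, b = 0, c = 0, d = 1, e = 0, f = 0;
    bool isIdentity() const {
        return a == 1 && b == 0 && c == 0 && d == 1 && e == 0 && f == 0;
    }
};

// Hypothetical stand-in for the native backend (cairo_t*, CGContextRef, ...).
struct PlatformContext {
    AffineTransform matrix;
};

class GraphicsContext {
public:
    explicit GraphicsContext(PlatformContext* platformContext)
        : m_platformContext(platformContext) {}

    bool paintingDisabled() const { return m_platformContext == nullptr; }

    // Single shared entry point: the guard lives here once, so no backend can
    // forget it (the commit instead repeats the check in six platform files).
    AffineTransform getCTM() const {
        if (paintingDisabled())
            return AffineTransform();
        return platformGetCTM();
    }

private:
    // Backend-specific body, equivalent to the lines after the guard in each
    // per-port getCTM. Unsafe to call when m_platformContext is null.
    AffineTransform platformGetCTM() const { return m_platformContext->matrix; }

    PlatformContext* m_platformContext;
};

struct Rect { double x, y, w, h; };

// Models a caller that derives geometry from the CTM. Only axis-aligned
// transforms (scale + translate) are handled, so width and height scale
// directly. With a disabled context it sees the identity and carries on.
Rect mapRectThroughCTM(const GraphicsContext& context, Rect r) {
    AffineTransform t = context.getCTM();
    return { t.a * r.x + t.c * r.y + t.e,
             t.b * r.x + t.d * r.y + t.f,
             t.a * r.w,
             t.d * r.h };
}

// Painting-enabled path: a backend whose CTM is a uniform scale.
Rect mapRectWithScale(double scale, Rect r) {
    PlatformContext backend;
    backend.matrix.a = scale;
    backend.matrix.d = scale;
    GraphicsContext context(&backend);
    return mapRectThroughCTM(context, r);
}

// Painting-disabled path, i.e. the fake paint that paintControlTints performs.
Rect mapRectPaintingDisabled(Rect r) {
    GraphicsContext context(nullptr);
    return mapRectThroughCTM(context, r);
}

bool disabledContextReturnsIdentity() {
    GraphicsContext context(nullptr);
    return context.paintingDisabled() && context.getCTM().isIdentity();
}

int main() {
    Rect scaled = mapRectWithScale(2.0, {10, 20, 30, 40});
    Rect untouched = mapRectPaintingDisabled({10, 20, 30, 40});
    std::printf("scaled: %g %g %g %g\n", scaled.x, scaled.y, scaled.w, scaled.h);
    std::printf("disabled: %g %g %g %g (identity: %s)\n", untouched.x, untouched.y,
                untouched.w, untouched.h,
                disabledContextReturnsIdentity() ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is where the check sits: in the model it is in the one public getCTM, so a new backend only has to implement platformGetCTM and inherits the guard, whereas the patch relies on every port remembering the same three lines.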
2011-09-21 Julien Chaffraix <jchaffraix@webkit.org>
Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
https://bugs.webkit.org/show_bug.cgi?id=68133
Reviewed by Darin Adler.
* Source/autotools/symbols.filter: Added the mangled symbols needed for window.internals
2011-09-21 Joshua Bell <jsbell@chromium.org>
IndexedDB: compare strings without decoding
......
2011-09-21 Julien Chaffraix <jchaffraix@webkit.org>
Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
https://bugs.webkit.org/show_bug.cgi?id=68133
Reviewed by Darin Adler.
Those tests checks that we do not crash when calling internals.paintControlTints.
* platform/mac/Skipped: Skipped 2 tests as they are hitting an ASSERT unrelated to
this change on Mac.
* fast/css/webkit-mask-crash-fieldset-legend-expected.txt: Added.
* fast/css/webkit-mask-crash-fieldset-legend.html: Added.
* fast/css/webkit-mask-crash-figure-expected.txt: Added.
* fast/css/webkit-mask-crash-figure.html: Added.
* fast/css/webkit-mask-crash-table-expected.txt: Added.
* fast/css/webkit-mask-crash-table.html: Added.
* fast/css/webkit-mask-crash-td-2-expected.txt: Added.
* fast/css/webkit-mask-crash-td-2.html: Added.
* fast/css/webkit-mask-crash-td-expected.txt: Added.
* fast/css/webkit-mask-crash-td.html: Added.
2011-09-21 Abhishek Arya <inferno@chromium.org>
Not use anonymousContainer on beforeChild calculation
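Review bot: "Those tests checks that we do not crash" should read "These tests check that we do not crash"; the same sentence is in the commit message.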
Test for 68133: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
This test has PASSED (no crash).
<!DOCTYPE html>
<head>
<style>
* {
-webkit-mask-image:none,none,url(x);
}
</style>
</head>
<body>
<fieldset><legend>
<script>
if (window.internals) {
layoutTestController.dumpAsText();
internals.paintControlTints(document);
}
</script>
Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=68133">68133</a>: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled<br>
This test has PASSED (no crash).
</body>
</html>
Test for 68133: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
This test has PASSED (no crash).
<!DOCTYPE html>
<head>
<style>
.box {
display: table-footer-group; -webkit-mask-box-image: url("bogus.png");
}
</style>
</head>
<body>
<div class="box"><figure>
<script>
if (window.internals) {
layoutTestController.dumpAsText();
internals.paintControlTints(document);
}
</script>
Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=68133">68133</a>: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled<br>
This test has PASSED (no crash).
</body>
</html>
Test for 68133: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
This test has PASSED (no crash).
<!DOCTYPE html>
<head>
<style>
*{
-webkit-mask-image:none,none,url(x);
}
</style>
</head>
</body>
<table><tr>
<script>
if (window.internals) {
layoutTestController.dumpAsText();
internals.paintControlTints(document);
}
</script>
Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=68133">68133</a>: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled<br>
This test has PASSED (no crash).
</body>
</html>
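Review bot: the markup in this test closes the body before the table opens (`</head>` is followed by `</body>` and then `<table><tr>`) and closes it again at the end, so the repro depends on parser error recovery. If the stray `</body>` is part of the reduced fuzzer case that reaches the crash, say so in an HTML comment; otherwise drop it so the test exercises the mask painting path and nothing else.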
AA000A00AAA00
Test for 68133: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
This test has PASSED (no crash).
<!DOCTYPE html>
<head>
<style>
td { -webkit-mask-image : url(red_transparent.gif); }
</style>
</head>
<body>
AA000A00AAA00<table><tr><td>
<script>
if (window.internals) {
layoutTestController.dumpAsText();
internals.paintControlTints(document);
}
</script>
Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=68133">68133</a>: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled<br>
This test has PASSED (no crash).
</body>
</html>
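Review bot: `url(red_transparent.gif)` points at a file that is not among the resources this change adds, so the mask image never loads. If the crash needs a mask image that fails to load (the sibling figure test at least signals that intent with `bogus.png`), state it in a comment; otherwise reference an image that exists in the test tree so the case does not silently change meaning if someone later adds that file.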
Test for 68133: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
This test has PASSED (no crash).
<!DOCTYPE html>
<head>
<style>
.f {
-webkit-mask:-webkit-gradient(linear, left top, left bottom, from(#E7E7E7), to(#CFCFCF));
}
</style>
</head>
<body>
<table>
<tr class="f">
<td>
<script>
if (window.internals) {
layoutTestController.dumpAsText();
internals.paintControlTints(document);
}
</script>
Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=68133">68133</a>: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled<br>
This test has PASSED (no crash).
</body>
</html>
......@@ -420,3 +420,7 @@ media/media-controls-invalid-url.html
# https://bugs.webkit.org/show_bug.cgi?id=68278
http/tests/history/back-with-fragment-change.php
# https://bugs.webkit.org/show_bug.cgi?id=68566
fast/css/webkit-mask-crash-fieldset-legend.html
fast/css/webkit-mask-crash-table.html
2011-09-21 Julien Chaffraix <jchaffraix@webkit.org>
Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
https://bugs.webkit.org/show_bug.cgi?id=68133
Reviewed by Darin Adler.
Tests: fast/css/webkit-mask-crash-fieldset-legend.html
fast/css/webkit-mask-crash-figure.html
fast/css/webkit-mask-crash-table.html
fast/css/webkit-mask-crash-td-2.html
fast/css/webkit-mask-crash-td.html
GraphicsContext::getCTM crashes if called with a GraphicsContext that has painting
disabled. RenderBox::paintMaskImages would thus crash if called in this condition.
This change just modifies the different GraphicsContext::getCTM method to bail early
if painting is disabled on the GraphicsContext. The rest of the change is exposing
paintControlTints that exposes this.
* WebCore.exp.in: Added symbols of the newly export window.internals function.
* page/FrameView.cpp:
(WebCore::FrameView::updateControlTints): Split this function in 2 so that
I can expose the internal paintControlTints.
(WebCore::FrameView::paintControlTints):
This is the one exposed to Internals as we want to be testable regardless of
whether the platform supports control tints.
* page/FrameView.h: Added paintControlTints.
* testing/Internals.cpp:
(WebCore::Internals::paintControlTints):
* testing/Internals.h:
* testing/Internals.idl:
Added a way to force a fake painting so that we can easily reproduce the bugs.
* platform/graphics/cairo/GraphicsContextCairo.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/cg/GraphicsContextCG.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/qt/GraphicsContextQt.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/skia/GraphicsContextSkia.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/wince/GraphicsContextWinCE.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/wx/GraphicsContextWx.cpp:
(WebCore::GraphicsContext::getCTM):
Fixed all our back-end to exit early if painting is disabled.
2011-09-19 Jer Noble <jer.noble@apple.com>
Add settings to control the availability of the Web Audio API to WebKit and WebKit2.
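Review bot: "The rest of the change is exposing paintControlTints that exposes this" does not say what is exposed or to whom; suggest "The rest of the change exposes FrameView::paintControlTints through window.internals so the disabled-painting path can be driven from a layout test". Also "newly export window.internals function" should be "newly exported", "the different GraphicsContext::getCTM method" wants "methods", and "all our back-end" wants "back-ends".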
......@@ -985,6 +985,7 @@ __ZN7WebCore9FrameView38scrollPositionChangedViaPlatformWidgetEv
__ZN7WebCore9FrameView38syncCompositingStateIncludingSubframesEv
__ZN7WebCore9FrameView6createEPNS_5FrameE
__ZN7WebCore9FrameView6createEPNS_5FrameERKNS_7IntSizeE
__ZN7WebCore9FrameView17paintControlTintsEv
__ZN7WebCore9HTMLNames10listingTagE
__ZN7WebCore9HTMLNames11textareaTagE
__ZN7WebCore9HTMLNames13blockquoteTagE
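Review bot: `__ZN7WebCore9FrameView17paintControlTintsEv` is inserted after the `FrameView6create...` entries, but the surrounding lines are in byte order (`FrameView38...` before `FrameView6...`, `HTMLNames10...` before `HTMLNames11...`), and `17` sorts before `38`, so the new symbol belongs above `__ZN7WebCore9FrameView38scrollPositionChangedViaPlatformWidgetEv`. Keeping the file sorted avoids duplicate exports slipping in later.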
......
......@@ -2599,17 +2599,21 @@ void FrameView::updateControlTints()
if (!m_frame || m_frame->document()->url().isEmpty())
return;
if ((m_frame->contentRenderer() && m_frame->contentRenderer()->theme()->supportsControlTints()) || hasCustomScrollbars()) {
if (needsLayout())
layout();
PlatformGraphicsContext* const noContext = 0;
GraphicsContext context(noContext);
context.setUpdatingControlTints(true);
if (platformWidget())
paintContents(&context, visibleContentRect());
else
paint(&context, frameRect());
}
if ((m_frame->contentRenderer() && m_frame->contentRenderer()->theme()->supportsControlTints()) || hasCustomScrollbars())
paintControlTints();
}
void FrameView::paintControlTints()
{
if (needsLayout())
layout();
PlatformGraphicsContext* const noContext = 0;
GraphicsContext context(noContext);
context.setUpdatingControlTints(true);
if (platformWidget())
paintContents(&context, visibleContentRect());
else
paint(&context, frameRect());
}
bool FrameView::wasScrolledByUser() const
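Review bot: `paintControlTints()` drops the `if (!m_frame || m_frame->document()->url().isEmpty()) return;` check that `updateControlTints()` still performs first, yet it is now reachable from script through Internals::paintControlTints, which only verifies `document->view()`. If the empty-URL early return is not needed for the fake paint, a comment saying so would help; otherwise move the guard into `paintControlTints()` so both entry points behave the same. The split itself is clean: the `needsLayout()` / `layout()` pair and the disabled `GraphicsContext context(noContext)` move over unchanged.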
......
......@@ -54,6 +54,7 @@ typedef unsigned long long DOMTimeStamp;
class FrameView : public ScrollView {
public:
friend class RenderView;
friend class Internals;
static PassRefPtr<FrameView> create(Frame*);
static PassRefPtr<FrameView> create(Frame*, const IntSize& initialSize);
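Review bot: `friend class Internals;` grants the test harness access to every private member of FrameView, while the only thing Internals needs is `paintControlTints()`, which is added to the private section below and already exported from WebCore.exp.in and the .def files. Declaring that one method public is narrower than a friend declaration and keeps the export list honest about what is callable.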
......@@ -318,6 +319,8 @@ private:
void updateOverflowStatus(bool horizontalOverflow, bool verticalOverflow);
void paintControlTints();
void forceLayoutParentViewIfNeeded();
void performPostLayoutTasks();
......
......@@ -196,6 +196,9 @@ void GraphicsContext::platformDestroy()
AffineTransform GraphicsContext::getCTM() const
{
if (paintingDisabled())
return AffineTransform();
cairo_t* cr = platformContext()->cr();
cairo_matrix_t m;
cairo_get_matrix(cr, &m);
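Review bot: the `paintingDisabled()` check has to come before `platformContext()->cr()`, because a context created from a null PlatformGraphicsContext (as in FrameView::paintControlTints) has no backend to dereference, and that is the crash this change fixes. The same three lines are now duplicated in six platform files; hoisting the check into one shared `GraphicsContext::getCTM` that delegates to a per-port body would stop the next backend from omitting it. A short comment that the identity transform is the intended answer for a disabled context would also help callers such as RenderBox::paintMaskImages that compute from the result.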
......
......@@ -1250,6 +1250,9 @@ void GraphicsContext::setCTM(const AffineTransform& transform)
AffineTransform GraphicsContext::getCTM() const
{
if (paintingDisabled())
return AffineTransform();
CGAffineTransform t = CGContextGetCTM(platformContext());
return AffineTransform(t.a, t.b, t.c, t.d, t.tx, t.ty);
}
......
......@@ -289,6 +289,9 @@ PlatformGraphicsContext* GraphicsContext::platformContext() const
AffineTransform GraphicsContext::getCTM() const
{
if (paintingDisabled())
return AffineTransform();
const QTransform& matrix = platformContext()->combinedTransform();
return AffineTransform(matrix.m11(), matrix.m12(), matrix.m21(),
matrix.m22(), matrix.dx(), matrix.dy());
......
......@@ -849,6 +849,9 @@ void GraphicsContext::fillRoundedRect(const IntRect& rect,
AffineTransform GraphicsContext::getCTM() const
{
if (paintingDisabled())
return AffineTransform();
const SkMatrix& m = platformContext()->canvas()->getTotalMatrix();
return AffineTransform(SkScalarToDouble(m.getScaleX()),
SkScalarToDouble(m.getSkewY()),
......
......@@ -1494,6 +1494,9 @@ void GraphicsContext::fillRect(const FloatRect& r, const Gradient* gradient)
AffineTransform GraphicsContext::getCTM() const
{
if (paintingDisabled())
return AffineTransform();
return m_data->m_transform;
}
......
......@@ -477,6 +477,9 @@ void GraphicsContext::canvasClip(const Path& path)
AffineTransform GraphicsContext::getCTM() const
{
if (paintingDisabled())
return AffineTransform();
#if USE(WXGC)
wxGraphicsContext* gc = m_data->context->GetGraphicsContext();
if (gc) {
......
......@@ -365,4 +365,15 @@ void Internals::setSuggestedValue(Element* element, const String& value, Excepti
inputElement->setSuggestedValue(value);
}
void Internals::paintControlTints(Document* document, ExceptionCode& ec)
{
if (!document || !document->view()) {
ec = INVALID_ACCESS_ERR;
return;
}
FrameView* frameView = document->view();
frameView->paintControlTints();
}
}
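Review bot: raising `INVALID_ACCESS_ERR` for a null document or a document without a view is right, but nothing here says that the call forces a synchronous layout and a full paint with a disabled GraphicsContext, which is what the ChangeLog calls a "fake painting"; a one-line comment would spare the next reader a trip to FrameView.cpp. The `frameView` local is also redundant, `document->view()->paintControlTints();` reads the same.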
......@@ -90,6 +90,8 @@ public:
static const char* internalsId;
void paintControlTints(Document*, ExceptionCode&);
private:
Internals();
......
......@@ -61,6 +61,8 @@ module window {
boolean wasLastChangeUserEdit(in Element textField) raises (DOMException);
DOMString suggestedValue(in Element inputElement) raises (DOMException);
void setSuggestedValue(in Element inputElement, in DOMString value) raises (DOMException);
void paintControlTints(in Document document) raises (DOMException);
};
}
2011-09-21 Julien Chaffraix <jchaffraix@webkit.org>
Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
https://bugs.webkit.org/show_bug.cgi?id=68133
Reviewed by Darin Adler.
* win/WebKit2.def:
* win/WebKit2CFLite.def:
Exported the new FrameView::paintControlTints function.
2011-09-21 Alexey Proskuryakov <ap@apple.com>
[WK2] UIProcess should check that WebProcess isn't sending unexpected file: URLs to it
......
......@@ -161,6 +161,7 @@ EXPORTS
?markersFor@DocumentMarkerController@WebCore@@QAE?AV?$Vector@PAVDocumentMarker@WebCore@@$0A@@WTF@@PAVNode@2@@Z
?memoryCache@WebCore@@YAPAVMemoryCache@1@XZ
?page@Document@WebCore@@QBEPAVPage@2@XZ
?paintControlTints@FrameView@WebCore@@AAEXXZ
?removeShadowRoot@Element@WebCore@@QAEXXZ
?setDisabled@MemoryCache@WebCore@@QAEX_N@Z
?setDOMException@WebCore@@YAXPAVExecState@JSC@@H@Z
......
......@@ -155,6 +155,7 @@ EXPORTS
?markersFor@DocumentMarkerController@WebCore@@QAE?AV?$Vector@PAVDocumentMarker@WebCore@@$0A@@WTF@@PAVNode@2@@Z
?memoryCache@WebCore@@YAPAVMemoryCache@1@XZ
?page@Document@WebCore@@QBEPAVPage@2@XZ
?paintControlTints@FrameView@WebCore@@AAEXXZ
?removeShadowRoot@Element@WebCore@@QAEXXZ
?setDisabled@MemoryCache@WebCore@@QAEX_N@Z
?setDOMException@WebCore@@YAXPAVExecState@JSC@@H@Z
......
......@@ -76,6 +76,7 @@ _ZNK7WebCore8Document4viewEv;
_ZNK7WebCore9TreeScope14getElementByIdERKN3WTF12AtomicStringE;
_ZN7WebCore14ScrollableArea28setScrollOffsetFromInternalsERKNS_8IntPointE;
_ZN7WebCore10ScrollView23setScrollbarsSuppressedEbb;
_ZN7WebCore9FrameView17paintControlTintsEv;
local:
_Z*;
cti*;
......