From 780300f4d9891bdf5c82e5869f917838f884586d Mon Sep 17 00:00:00 2001
From: "mitz@apple.com" <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sun, 4 May 2008 22:03:42 +0000
Subject: [PATCH] WebCore:

        Reviewed by Sam Weinig.

        - fix https://bugs.webkit.org/show_bug.cgi?id=18879
          <rdar://problem/5909481> Reproducible crash when removing a gradient

        Test: fast/gradients/crash-on-remove.html

        * css/CSSImageGeneratorValue.cpp:
        (WebCore::CSSImageGeneratorValue::CSSImageGeneratorValue):
        (WebCore::CSSImageGeneratorValue::addClient): Added a call to ref() the
        value.
        (WebCore::CSSImageGeneratorValue::removeClient): Added code to deref()
        the value.

LayoutTests:

        Reviewed by Sam Weinig.

        - test for https://bugs.webkit.org/show_bug.cgi?id=18879
          <rdar://problem/5909481> Reproducible crash when removing a gradient

        * fast/gradients/crash-on-remove-expected.txt: Added.
        * fast/gradients/crash-on-remove.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@32854 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                            | 10 ++++++++++
 .../fast/gradients/crash-on-remove-expected.txt  |  5 +++++
 LayoutTests/fast/gradients/crash-on-remove.html  | 16 ++++++++++++++++
 WebCore/ChangeLog                                | 16 ++++++++++++++++
 WebCore/css/CSSImageGeneratorValue.cpp           |  3 ++-
 5 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 LayoutTests/fast/gradients/crash-on-remove-expected.txt
 create mode 100644 LayoutTests/fast/gradients/crash-on-remove.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 38c326b32af..55b9cb01c84 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2008-05-04  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        - test for https://bugs.webkit.org/show_bug.cgi?id=18879
+          <rdar://problem/5909481> Reproducible crash when removing a gradient
+
+        * fast/gradients/crash-on-remove-expected.txt: Added.
+        * fast/gradients/crash-on-remove.html: Added.
+
 2008-05-04  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Maciej Stachowiak.
diff --git a/LayoutTests/fast/gradients/crash-on-remove-expected.txt b/LayoutTests/fast/gradients/crash-on-remove-expected.txt
new file mode 100644
index 00000000000..c5e8fda4cb2
--- /dev/null
+++ b/LayoutTests/fast/gradients/crash-on-remove-expected.txt
@@ -0,0 +1,5 @@
+Test for https://bugs.webkit.org/show_bug.cgi?id=18879 Reproducible crash when removing a gradient.
+
+The test should not crash and there should be a green square below.
+
+
diff --git a/LayoutTests/fast/gradients/crash-on-remove.html b/LayoutTests/fast/gradients/crash-on-remove.html
new file mode 100644
index 00000000000..839c24c6e85
--- /dev/null
+++ b/LayoutTests/fast/gradients/crash-on-remove.html
@@ -0,0 +1,16 @@
+<p>
+    Test for <i><a href="https://bugs.webkit.org/show_bug.cgi?id=18879">https://bugs.webkit.org/show_bug.cgi?id=18879</a>
+    Reproducible crash when removing a gradient</i>.
+</p>
+<p>
+    The test should not crash and there should be a green square below.
+</p>
+<div id="target" style="width: 100px; height: 100px; background-color: green; background-image: -webkit-gradient(linear, left top, left bottom, from(red), to(transparent))">
+</div>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    document.body.offsetTop;
+    document.getElementById("target").style.removeProperty("background-image");
+</script>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 99f2872e1bc..7eb37d75a42 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2008-05-04  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        - fix https://bugs.webkit.org/show_bug.cgi?id=18879
+          <rdar://problem/5909481> Reproducible crash when removing a gradient
+
+        Test: fast/gradients/crash-on-remove.html
+
+        * css/CSSImageGeneratorValue.cpp:
+        (WebCore::CSSImageGeneratorValue::CSSImageGeneratorValue):
+        (WebCore::CSSImageGeneratorValue::addClient): Added a call to ref() the
+        value.
+        (WebCore::CSSImageGeneratorValue::removeClient): Added code to deref()
+        the value.
+
 2008-05-03  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Mark Rowe.
diff --git a/WebCore/css/CSSImageGeneratorValue.cpp b/WebCore/css/CSSImageGeneratorValue.cpp
index ad65ebe45cf..eeeb5d30cbb 100644
--- a/WebCore/css/CSSImageGeneratorValue.cpp
+++ b/WebCore/css/CSSImageGeneratorValue.cpp
@@ -37,7 +37,6 @@ namespace WebCore {
 CSSImageGeneratorValue::CSSImageGeneratorValue()
 : m_accessedImage(false)
 {
-
 }
 
 CSSImageGeneratorValue::~CSSImageGeneratorValue()
@@ -47,6 +46,7 @@ CSSImageGeneratorValue::~CSSImageGeneratorValue()
 
 void CSSImageGeneratorValue::addClient(RenderObject* renderer, const IntSize& size)
 {
+    ref();
     if (!size.isEmpty())
         m_sizes.add(size);
     m_clients.add(renderer, size);
@@ -61,6 +61,7 @@ void CSSImageGeneratorValue::removeClient(RenderObject* renderer)
             delete m_images.take(size);
     }
     m_clients.remove(renderer);
+    deref();
 }
 
 Image* CSSImageGeneratorValue::getImage(RenderObject* renderer, const IntSize& size)
-- 
GitLab