Commit 780300f4 authored by mitz@apple.com's avatar mitz@apple.com

WebCore:

        Reviewed by Sam Weinig.

        - fix https://bugs.webkit.org/show_bug.cgi?id=18879
          <rdar://problem/5909481> Reproducible crash when removing a gradient

        Test: fast/gradients/crash-on-remove.html

        * css/CSSImageGeneratorValue.cpp:
        (WebCore::CSSImageGeneratorValue::CSSImageGeneratorValue):
        (WebCore::CSSImageGeneratorValue::addClient): Added a call to ref() the
        value.
        (WebCore::CSSImageGeneratorValue::removeClient): Added code to deref()
        the value.

LayoutTests:

        Reviewed by Sam Weinig.

        - test for https://bugs.webkit.org/show_bug.cgi?id=18879
          <rdar://problem/5909481> Reproducible crash when removing a gradient

        * fast/gradients/crash-on-remove-expected.txt: Added.
        * fast/gradients/crash-on-remove.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@32854 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent eba2b724
2008-05-04 Dan Bernstein <mitz@apple.com>
Reviewed by Sam Weinig.
- test for https://bugs.webkit.org/show_bug.cgi?id=18879
<rdar://problem/5909481> Reproducible crash when removing a gradient
* fast/gradients/crash-on-remove-expected.txt: Added.
* fast/gradients/crash-on-remove.html: Added.
2008-05-04 Sam Weinig <sam@webkit.org> 2008-05-04 Sam Weinig <sam@webkit.org>
Reviewed by Maciej Stachowiak. Reviewed by Maciej Stachowiak.
Test for https://bugs.webkit.org/show_bug.cgi?id=18879 Reproducible crash when removing a gradient.
The test should not crash and there should be a green square below.
<p>
Test for <i><a href="https://bugs.webkit.org/show_bug.cgi?id=18879">https://bugs.webkit.org/show_bug.cgi?id=18879</a>
Reproducible crash when removing a gradient</i>.
</p>
<p>
The test should not crash and there should be a green square below.
</p>
<div id="target" style="width: 100px; height: 100px; background-color: green; background-image: -webkit-gradient(linear, left top, left bottom, from(red), to(transparent))">
</div>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
document.body.offsetTop;
document.getElementById("target").style.removeProperty("background-image");
</script>
2008-05-04 Dan Bernstein <mitz@apple.com>
Reviewed by Sam Weinig.
- fix https://bugs.webkit.org/show_bug.cgi?id=18879
<rdar://problem/5909481> Reproducible crash when removing a gradient
Test: fast/gradients/crash-on-remove.html
* css/CSSImageGeneratorValue.cpp:
(WebCore::CSSImageGeneratorValue::CSSImageGeneratorValue):
(WebCore::CSSImageGeneratorValue::addClient): Added a call to ref() the
value.
(WebCore::CSSImageGeneratorValue::removeClient): Added code to deref()
the value.
2008-05-03 Sam Weinig <sam@webkit.org> 2008-05-03 Sam Weinig <sam@webkit.org>
Reviewed by Mark Rowe. Reviewed by Mark Rowe.
...@@ -37,7 +37,6 @@ namespace WebCore { ...@@ -37,7 +37,6 @@ namespace WebCore {
CSSImageGeneratorValue::CSSImageGeneratorValue() CSSImageGeneratorValue::CSSImageGeneratorValue()
: m_accessedImage(false) : m_accessedImage(false)
{ {
} }
CSSImageGeneratorValue::~CSSImageGeneratorValue() CSSImageGeneratorValue::~CSSImageGeneratorValue()
...@@ -47,6 +46,7 @@ CSSImageGeneratorValue::~CSSImageGeneratorValue() ...@@ -47,6 +46,7 @@ CSSImageGeneratorValue::~CSSImageGeneratorValue()
void CSSImageGeneratorValue::addClient(RenderObject* renderer, const IntSize& size) void CSSImageGeneratorValue::addClient(RenderObject* renderer, const IntSize& size)
{ {
ref();
if (!size.isEmpty()) if (!size.isEmpty())
m_sizes.add(size); m_sizes.add(size);
m_clients.add(renderer, size); m_clients.add(renderer, size);
...@@ -61,6 +61,7 @@ void CSSImageGeneratorValue::removeClient(RenderObject* renderer) ...@@ -61,6 +61,7 @@ void CSSImageGeneratorValue::removeClient(RenderObject* renderer)
delete m_images.take(size); delete m_images.take(size);
} }
m_clients.remove(renderer); m_clients.remove(renderer);
deref();
} }
Image* CSSImageGeneratorValue::getImage(RenderObject* renderer, const IntSize& size) Image* CSSImageGeneratorValue::getImage(RenderObject* renderer, const IntSize& size)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment