Commit fc623830 authored by simon.fraser@apple.com

2011-01-11 Simon Fraser <simon.fraser@apple.com>

        Reviewed by Dan Bernstein.

        Webkit crashes when a gradient is applied using the first-line pseudo element
        https://bugs.webkit.org/show_bug.cgi?id=52225

        When a pseudostyle references images, we fail to register/unregister
        the relevant RenderObjects as clients of the image in the style.
        For gradients, this caused a crash.

        This patch fixes the crash by returning a null gradient image in this
        situation.

        Test: fast/gradients/gradient-on-pseudoelement-crash.html

        * css/CSSGradientValue.cpp:
        (WebCore::CSSGradientValue::image):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75585 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent b6083c1f
2011-01-11 Simon Fraser <simon.fraser@apple.com>
Reviewed by Dan Bernstein.
Webkit crashes when a gradient is applied using the first-line pseudo element
https://bugs.webkit.org/show_bug.cgi?id=52225
Testcase.
* fast/gradients/gradient-on-pseudoelement-crash-expected.txt: Added.
* fast/gradients/gradient-on-pseudoelement-crash.html: Added.
2011-01-11 Justin Schuh <jschuh@chromium.org>
 
Unreviewed chromium expectations update.
......
<!DOCTYPE html>
<html>
<head>
<style>
body:first-line {
background-image: -webkit-gradient(linear, 0% 0%, 0% 100%, from(blue), to(green));
}
</style>
<script type="text/javascript" charset="utf-8">
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
This test should not crash.
</body>
</html>
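Review bot: the test covers only a linear gradient on `body:first-line`, while the commit message describes the failure as affecting any pseudostyle that references images. Consider adding a second case, for example a `:first-letter` rule with the same `-webkit-gradient(...)` background, so the null-return path is exercised for more than one pseudo-element. Minor style point: the `type` and `charset` attributes on the inline `<script>` are unnecessary and can be dropped.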
2011-01-11 Simon Fraser <simon.fraser@apple.com>
Reviewed by Dan Bernstein.
Webkit crashes when a gradient is applied using the first-line pseudo element
https://bugs.webkit.org/show_bug.cgi?id=52225
When a pseudostyle references images, we fail to register/unregister
the relevant RenderObjects as clients of the image in the style.
For gradients, this caused a crash.
This patch fixes the crash by returning a null gradient image in this
situation.
Test: fast/gradients/gradient-on-pseudoelement-crash.html
* css/CSSGradientValue.cpp:
(WebCore::CSSGradientValue::image):
2011-01-11 Andy Estes <aestes@apple.com>
 
Reviewed by Darin Adler.
......
......@@ -43,7 +43,8 @@ namespace WebCore {
Image* CSSGradientValue::image(RenderObject* renderer, const IntSize& size)
{
ASSERT(m_clients.contains(renderer));
if (!m_clients.contains(renderer))
return 0;
// Need to look up our size. Create a string of width*height to use as a hash key.
// FIXME: hashing based only on size is not sufficient. Color stops may use context-sensitive units (like em)
......
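Review bot: the early return `if (!m_clients.contains(renderer)) return 0;` at the top of `CSSGradientValue::image()` has no comment explaining why a renderer can legitimately be missing from `m_clients`. The commit message says this happens because renderers are not registered as clients for images referenced from pseudostyles, so the check masks that gap rather than closing it; a FIXME next to the check citing bug 52225 would keep the underlying registration problem visible. Two things to confirm before landing: callers of `image()` must tolerate a null `Image*` on this path, and the `ASSERT(m_clients.contains(renderer));` line should not remain ahead of the check, since debug builds would then still stop on the new test.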