1. 31 Jul, 2012 1 commit
    • macpherson@chromium.org's avatar
      Heap-use-after-free in WebCore::StyleResolver::loadPendingImage · 44d5ee57
      macpherson@chromium.org authored
      Reviewed by Abhishek Arya.
      Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
      a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
      they are needed by loadPendingImage.
      Test: fast/css/variables/deferred-image-load-from-variable.html
      * css/StyleResolver.cpp:
      * css/StyleResolver.h:
      Exercises the codepath where an image is loaded using a url specified via a variable.
      * fast/css/variables/deferred-image-load-from-variable-expected.txt: Added.
      * fast/css/variables/deferred-image-load-from-variable.html: Added.
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124258 268f45cc-cd09-0410-ab3c-d52691b4dbfc