Changeset 27781 in webkit

Timestamp:

Nov 13, 2007 7:48:44 PM (16 years ago)

Author:

oliver@apple.com

Message:

Fix <rdar://problem/5365030> calling dataWithPDFInsideRect on an SVG with a gradient crashes (14780)

Reviewed by Anders.

When drawing directly to PDF CG may delay the use of the gradient function until outside our
standard drawing path, which in turn could let us invalidate the caches before they were used.

To work around this we now store the cached stops in a RefCounted object, so that we can ensure
that cache exists as long as required.

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/graphics/svg/SVGPaintServerGradient.cpp (modified) (2 diffs)
• platform/graphics/svg/SVGPaintServerGradient.h (modified) (2 diffs)
• platform/graphics/svg/cg/SVGPaintServerGradientCg.cpp (modified) (5 diffs)

trunk/WebCore/ChangeLog

@@ +1 @@
+2007-11-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Anders.
+
+        <rdar://problem/5365030> calling dataWithPDFInsideRect on an SVG with a gradient crashes (14780)
+
+        When drawing directly to PDF CG may delay the use of the gradient function until outside our
+        standard drawing path, which in turn could let us invalidate the caches before they were used.
+
+        To work around this we now store the cached stops in a RefCounted object, so that we can ensure
+        that cache exists as long as required.
+        
+        * platform/graphics/svg/SVGPaintServerGradient.cpp:
+        (WebCore::SVGPaintServerGradient::SVGPaintServerGradient):
+        * platform/graphics/svg/SVGPaintServerGradient.h:
+        * platform/graphics/svg/cg/SVGPaintServerGradientCg.cpp:
+        (WebCore::cgGradientCallback):
+        (WebCore::CGShadingRefForLinearGradient):
+        (WebCore::CGShadingRefForRadialGradient):
+        (WebCore::SVGPaintServerGradient::updateQuartzGradientStopsCache):
+
 2007-11-13  Anders Carlsson  <andersca@apple.com>
 

trunk/WebCore/platform/graphics/svg/SVGPaintServerGradient.cpp

@@ -67 +67 @@
 #if PLATFORM(CG)
     , m_stopsCache(0)
-    , m_stopsCount(0)
     , m_shadingCache(0)
     , m_savedContext(0)
@@ -79 +78 @@
 {
 #if PLATFORM(CG)
-    delete m_stopsCache;
     CGShadingRelease(m_shadingCache);
 #endif

trunk/WebCore/platform/graphics/svg/SVGPaintServerGradient.h

@@ -32 +32 @@
 #include "Color.h"
 #include "SVGPaintServer.h"
+
+#include <wtf/RefCounted.h>
+#include <wtf/RefPtr.h>
 
 #if PLATFORM(QT)
@@ -111 +114 @@
             CGFloat previousDeltaInverse;
         } QuartzGradientStop;
+        
+        struct SharedStopCache : public RefCounted<SharedStopCache> {
+            Vector<QuartzGradientStop> m_stops;
+        };
 
-        QuartzGradientStop* m_stopsCache;
-        int m_stopsCount;
+        RefPtr<SharedStopCache> m_stopsCache;
 
         CGShadingRef m_shadingCache;

trunk/WebCore/platform/graphics/svg/cg/SVGPaintServerGradientCg.cpp

@@ -41 +41 @@
 namespace WebCore {
 
+static void releaseCachedStops(void* info)
+{
+    reinterpret_cast<SVGPaintServerGradient::SharedStopCache*>(info)->deref();
+}
+
 static void cgGradientCallback(void* info, const CGFloat* inValues, CGFloat* outColor)
 {
-    const SVGPaintServerGradient* server = reinterpret_cast<const SVGPaintServerGradient*>(info);
-    SVGPaintServerGradient::QuartzGradientStop* stops = server->m_stopsCache;
-    int stopsCount = server->m_stopsCount;
+    SVGPaintServerGradient::SharedStopCache* stopsCache = reinterpret_cast<SVGPaintServerGradient::SharedStopCache*>(info);
+    
+    SVGPaintServerGradient::QuartzGradientStop* stops = stopsCache->m_stops.data();
+        
+    int stopsCount = stopsCache->m_stops.size();
 
     CGFloat inValue = inValues[0];
@@ -87 +94 @@
     CGPoint end = CGPoint(server->gradientEnd());
 
-    CGFunctionCallbacks callbacks = {0, cgGradientCallback, NULL};
+    CGFunctionCallbacks callbacks = {0, cgGradientCallback, releaseCachedStops};
     CGFloat domainLimits[2] = {0, 1};
     CGFloat rangeLimits[8] = {0, 1, 0, 1, 0, 1, 0, 1};
-    CGFunctionRef shadingFunction = CGFunctionCreate((void *)server, 1, domainLimits, 4, rangeLimits, &callbacks);
+    server->m_stopsCache->ref();
+    CGFunctionRef shadingFunction = CGFunctionCreate(server->m_stopsCache.get(), 1, domainLimits, 4, rangeLimits, &callbacks);
 
     CGColorSpaceRef colorSpace = CGColorSpaceCreateDeviceRGB();
@@ -116 +124 @@
     }
 
-    CGFunctionCallbacks callbacks = {0, cgGradientCallback, NULL};
+    CGFunctionCallbacks callbacks = {0, cgGradientCallback, releaseCachedStops};
     CGFloat domainLimits[2] = {0, 1};
     CGFloat rangeLimits[8] = {0, 1, 0, 1, 0, 1, 0, 1};
-    CGFunctionRef shadingFunction = CGFunctionCreate((void *)server, 1, domainLimits, 4, rangeLimits, &callbacks);
+    server->m_stopsCache->ref();
+    CGFunctionRef shadingFunction = CGFunctionCreate(server->m_stopsCache.get(), 1, domainLimits, 4, rangeLimits, &callbacks);
 
     CGColorSpaceRef colorSpace = CGColorSpaceCreateDeviceRGB();
@@ -130 +139 @@
 void SVGPaintServerGradient::updateQuartzGradientStopsCache(const Vector<SVGGradientStop>& stops)
 {
-    delete m_stopsCache;
-
-    m_stopsCount = stops.size();
-    m_stopsCache = new SVGPaintServerGradient::QuartzGradientStop[m_stopsCount];
-
+    m_stopsCache = new SharedStopCache;
+    Vector<QuartzGradientStop>& stopsCache = m_stopsCache->m_stops;
+    stopsCache.resize(stops.size());
     CGFloat previousOffset = 0.0f;
     for (unsigned i = 0; i < stops.size(); ++i) {
         CGFloat currOffset = min(max(stops[i].first, previousOffset), static_cast<CGFloat>(1.0));
-        m_stopsCache[i].offset = currOffset;
-        m_stopsCache[i].previousDeltaInverse = 1.0f / (currOffset - previousOffset);
+        stopsCache[i].offset = currOffset;
+        stopsCache[i].previousDeltaInverse = 1.0f / (currOffset - previousOffset);
         previousOffset = currOffset;
-        CGFloat* ca = m_stopsCache[i].colorArray;
+        CGFloat* ca = stopsCache[i].colorArray;
         stops[i].second.getRGBA(ca[0], ca[1], ca[2], ca[3]);
     }
@@ -322 +329 @@
 {
     // Invalidate caches
-    delete m_stopsCache;
     CGShadingRelease(m_shadingCache);