Changeset 95235 in webkit

Timestamp:

Sep 15, 2011 2:59:10 PM (13 years ago)

Author:

jchaffraix@webkit.org

Message:

Source/WebCore: Crash in RenderBox::paintMaskImages due to a mask without an associated image
​https://bugs.webkit.org/show_bug.cgi?id=50151

Reviewed by Simon Fraser.

Test: fast/css/empty-webkit-mask-crash.html

The crash stems from the fact that FillLayer::hasImage would walk over the linked list
of FillLayers and return true if one had an image. This means that hasImage() is true
does not mean that image() is non-NULL on all FillLayers.

• rendering/RenderBox.cpp:

(WebCore::RenderBox::paintMaskImages): Simplify the logic by doing the hasImage() check up-front
and properly check image() for each FillLayers. This has the nice benefit of changing the complexity
from O(n^{2) to O(n), which was what the code expected anyway.}

LayoutTests: Test for: Crash in RenderBox::paintMaskImages due to a mask without an associated image
​https://bugs.webkit.org/show_bug.cgi?id=50151

Reviewed by Simon Fraser.

• fast/css/empty-webkit-mask-crash-expected.png: Added.
• fast/css/empty-webkit-mask-crash-expected.txt: Added.
• fast/css/empty-webkit-mask-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/empty-webkit-mask-crash-expected.png (added)
• LayoutTests/fast/css/empty-webkit-mask-crash-expected.txt (added)
• LayoutTests/fast/css/empty-webkit-mask-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderBox.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-09-15  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Test for: Crash in RenderBox::paintMaskImages due to a mask without an associated image
+        https://bugs.webkit.org/show_bug.cgi?id=50151
+
+        Reviewed by Simon Fraser.
+
+        * fast/css/empty-webkit-mask-crash-expected.png: Added.
+        * fast/css/empty-webkit-mask-crash-expected.txt: Added.
+        * fast/css/empty-webkit-mask-crash.html: Added.
+
 2011-09-15  Andy Estes  <aestes@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-09-15  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Crash in RenderBox::paintMaskImages due to a mask without an associated image
+        https://bugs.webkit.org/show_bug.cgi?id=50151
+
+        Reviewed by Simon Fraser.
+
+        Test: fast/css/empty-webkit-mask-crash.html
+
+        The crash stems from the fact that FillLayer::hasImage would walk over the linked list
+        of FillLayers and return true if one had an image. This means that hasImage() is true
+        does not mean that image() is non-NULL on all FillLayers.
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::paintMaskImages): Simplify the logic by doing the hasImage() check up-front
+        and properly check image() for each FillLayers. This has the nice benefit of changing the complexity
+        from O(n^2) to O(n), which was what the code expected anyway.
+
 2011-09-15  Eric Seidel  <eric@webkit.org>
 

trunk/Source/WebCore/rendering/RenderBox.cpp

@@ -950 +950 @@
             pushTransparencyLayer = true;
 
-        if (maskBoxImage && maskLayers->hasImage()) {
+        bool hasMaskLayerWithImage = maskLayers->hasImage();
+        if (maskBoxImage && hasMaskLayerWithImage) {
             // We have a mask-box-image and mask-image, so need to composite them together before using the result as a mask.
             pushTransparencyLayer = true;
-        } else {
+        } else if (hasMaskLayerWithImage) {
             // We have to use an extra image buffer to hold the mask. Multiple mask images need
             // to composite together using source-over so that they can then combine into a single unified mask that
@@ -962 +963 @@
             // before pushing the transparency layer.
             for (const FillLayer* fillLayer = maskLayers->next(); fillLayer; fillLayer = fillLayer->next()) {
-                if (fillLayer->hasImage() && fillLayer->image()->canRender(style()->effectiveZoom())) {
+                if (fillLayer->image() && fillLayer->image()->canRender(style()->effectiveZoom())) {
                     pushTransparencyLayer = true;
                     // We found one image that can be used in rendering, exit the loop