Changeset 95685 in webkit

Timestamp:

Sep 21, 2011 4:50:54 PM (13 years ago)

Author:

jchaffraix@webkit.org

Message:

Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
​https://bugs.webkit.org/show_bug.cgi?id=68133

Reviewed by Darin Adler.

.:

• Source/autotools/symbols.filter: Added the mangled symbols needed for window.internals

Source/WebCore:

Tests: fast/css/webkit-mask-crash-fieldset-legend.html

fast/css/webkit-mask-crash-figure.html
fast/css/webkit-mask-crash-table.html
fast/css/webkit-mask-crash-td-2.html
fast/css/webkit-mask-crash-td.html

GraphicsContext::getCTM crashes if called with a GraphicsContext that has painting
disabled. RenderBox::paintMaskImages would thus crash if called in this condition.

This change just modifies the different GraphicsContext::getCTM method to bail early
if painting is disabled on the GraphicsContext. The rest of the change is exposing
paintControlTints that exposes this.

• WebCore.exp.in: Added symbols of the newly export window.internals function.

• page/FrameView.cpp:

(WebCore::FrameView::updateControlTints): Split this function in 2 so that
I can expose the internal paintControlTints.

(WebCore::FrameView::paintControlTints):
This is the one exposed to Internals as we want to be testable regardless of
whether the platform supports control tints.

• page/FrameView.h: Added paintControlTints.

• testing/Internals.cpp:

(WebCore::Internals::paintControlTints):

• testing/Internals.h:
• testing/Internals.idl:

Added a way to force a fake painting so that we can easily reproduce the bugs.

• platform/graphics/cairo/GraphicsContextCairo.cpp:

(WebCore::GraphicsContext::getCTM):

• platform/graphics/cg/GraphicsContextCG.cpp:

(WebCore::GraphicsContext::getCTM):

• platform/graphics/qt/GraphicsContextQt.cpp:

(WebCore::GraphicsContext::getCTM):

• platform/graphics/skia/GraphicsContextSkia.cpp:

(WebCore::GraphicsContext::getCTM):

• platform/graphics/wince/GraphicsContextWinCE.cpp:

(WebCore::GraphicsContext::getCTM):

• platform/graphics/wx/GraphicsContextWx.cpp:

(WebCore::GraphicsContext::getCTM):
Fixed all our back-end to exit early if painting is disabled.

Source/WebKit2:

• win/WebKit2.def:
• win/WebKit2CFLite.def:

Exported the new FrameView::paintControlTints function.

LayoutTests:

Those tests checks that we do not crash when calling internals.paintControlTints.

• platform/mac/Skipped: Skipped 2 tests as they are hitting an ASSERT unrelated to

this change on Mac.

• fast/css/webkit-mask-crash-fieldset-legend-expected.txt: Added.
• fast/css/webkit-mask-crash-fieldset-legend.html: Added.
• fast/css/webkit-mask-crash-figure-expected.txt: Added.
• fast/css/webkit-mask-crash-figure.html: Added.
• fast/css/webkit-mask-crash-table-expected.txt: Added.
• fast/css/webkit-mask-crash-table.html: Added.
• fast/css/webkit-mask-crash-td-2-expected.txt: Added.
• fast/css/webkit-mask-crash-td-2.html: Added.
• fast/css/webkit-mask-crash-td-expected.txt: Added.
• fast/css/webkit-mask-crash-td.html: Added.

Location:

trunk

Files:

• ChangeLog (modified) (1 diff)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/webkit-mask-crash-fieldset-legend-expected.txt (added)
• LayoutTests/fast/css/webkit-mask-crash-fieldset-legend.html (added)
• LayoutTests/fast/css/webkit-mask-crash-figure-expected.txt (added)
• LayoutTests/fast/css/webkit-mask-crash-figure.html (added)
• LayoutTests/fast/css/webkit-mask-crash-table-expected.txt (added)
• LayoutTests/fast/css/webkit-mask-crash-table.html (added)
• LayoutTests/fast/css/webkit-mask-crash-td-2-expected.txt (added)
• LayoutTests/fast/css/webkit-mask-crash-td-2.html (added)
• LayoutTests/fast/css/webkit-mask-crash-td-expected.txt (added)
• LayoutTests/fast/css/webkit-mask-crash-td.html (added)
• LayoutTests/platform/mac/Skipped (modified) (1 diff)
• LayoutTests/platform/mac/fast/frames/iframe-scaling-with-scroll-expected.png (modified) (previous)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.exp.in (modified) (1 diff)
• Source/WebCore/page/FrameView.cpp (modified) (1 diff)
• Source/WebCore/page/FrameView.h (modified) (2 diffs)
• Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp (modified) (1 diff)
• Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp (modified) (1 diff)
• Source/WebCore/platform/graphics/qt/GraphicsContextQt.cpp (modified) (1 diff)
• Source/WebCore/platform/graphics/skia/GraphicsContextSkia.cpp (modified) (1 diff)
• Source/WebCore/platform/graphics/wince/GraphicsContextWinCE.cpp (modified) (1 diff)
• Source/WebCore/platform/graphics/wx/GraphicsContextWx.cpp (modified) (1 diff)
• Source/WebCore/testing/Internals.cpp (modified) (1 diff)
• Source/WebCore/testing/Internals.h (modified) (1 diff)
• Source/WebCore/testing/Internals.idl (modified) (1 diff)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/win/WebKit2.def (modified) (1 diff)
• Source/WebKit2/win/WebKit2CFLite.def (modified) (1 diff)
• Source/autotools/symbols.filter (modified) (1 diff)

trunk/ChangeLog

@@ +1 @@
+2011-09-21  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=68133
+
+        Reviewed by Darin Adler.
+
+        * Source/autotools/symbols.filter: Added the mangled symbols needed for window.internals
+
 2011-09-21  Joshua Bell  <jsbell@chromium.org>
 

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-09-21  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=68133
+
+        Reviewed by Darin Adler.
+
+        Those tests checks that we do not crash when calling internals.paintControlTints.
+
+        * platform/mac/Skipped: Skipped 2 tests as they are hitting an ASSERT unrelated to
+        this change on Mac.
+
+        * fast/css/webkit-mask-crash-fieldset-legend-expected.txt: Added.
+        * fast/css/webkit-mask-crash-fieldset-legend.html: Added.
+        * fast/css/webkit-mask-crash-figure-expected.txt: Added.
+        * fast/css/webkit-mask-crash-figure.html: Added.
+        * fast/css/webkit-mask-crash-table-expected.txt: Added.
+        * fast/css/webkit-mask-crash-table.html: Added.
+        * fast/css/webkit-mask-crash-td-2-expected.txt: Added.
+        * fast/css/webkit-mask-crash-td-2.html: Added.
+        * fast/css/webkit-mask-crash-td-expected.txt: Added.
+        * fast/css/webkit-mask-crash-td.html: Added.
+
 2011-09-21  Abhishek Arya  <inferno@chromium.org>
 

trunk/LayoutTests/platform/mac/Skipped

@@ -421 +421 @@
 # https://bugs.webkit.org/show_bug.cgi?id=68278
 http/tests/history/back-with-fragment-change.php
+
+# https://bugs.webkit.org/show_bug.cgi?id=68566
+fast/css/webkit-mask-crash-fieldset-legend.html
+fast/css/webkit-mask-crash-table.html

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-09-21  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=68133
+
+        Reviewed by Darin Adler.
+
+        Tests: fast/css/webkit-mask-crash-fieldset-legend.html
+               fast/css/webkit-mask-crash-figure.html
+               fast/css/webkit-mask-crash-table.html
+               fast/css/webkit-mask-crash-td-2.html
+               fast/css/webkit-mask-crash-td.html
+
+        GraphicsContext::getCTM crashes if called with a GraphicsContext that has painting
+        disabled. RenderBox::paintMaskImages would thus crash if called in this condition.
+
+        This change just modifies the different GraphicsContext::getCTM method to bail early
+        if painting is disabled on the GraphicsContext. The rest of the change is exposing
+        paintControlTints that exposes this.
+
+        * WebCore.exp.in: Added symbols of the newly export window.internals function.
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::updateControlTints): Split this function in 2 so that
+        I can expose the internal paintControlTints.
+
+        (WebCore::FrameView::paintControlTints):
+        This is the one exposed to Internals as we want to be testable regardless of
+        whether the platform supports control tints.
+
+        * page/FrameView.h: Added paintControlTints.
+
+        * testing/Internals.cpp:
+        (WebCore::Internals::paintControlTints):
+        * testing/Internals.h:
+        * testing/Internals.idl:
+        Added a way to force a fake painting so that we can easily reproduce the bugs.
+
+        * platform/graphics/cairo/GraphicsContextCairo.cpp:
+        (WebCore::GraphicsContext::getCTM):
+        * platform/graphics/cg/GraphicsContextCG.cpp:
+        (WebCore::GraphicsContext::getCTM):
+        * platform/graphics/qt/GraphicsContextQt.cpp:
+        (WebCore::GraphicsContext::getCTM):
+        * platform/graphics/skia/GraphicsContextSkia.cpp:
+        (WebCore::GraphicsContext::getCTM):
+        * platform/graphics/wince/GraphicsContextWinCE.cpp:
+        (WebCore::GraphicsContext::getCTM):
+        * platform/graphics/wx/GraphicsContextWx.cpp:
+        (WebCore::GraphicsContext::getCTM):
+        Fixed all our back-end to exit early if painting is disabled.
+
 2011-09-19  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebCore/WebCore.exp.in

@@ -986 +986 @@
 __ZN7WebCore9FrameView6createEPNS_5FrameE
 __ZN7WebCore9FrameView6createEPNS_5FrameERKNS_7IntSizeE
+__ZN7WebCore9FrameView17paintControlTintsEv
 __ZN7WebCore9HTMLNames10listingTagE
 __ZN7WebCore9HTMLNames11textareaTagE

trunk/Source/WebCore/page/FrameView.cpp

@@ -2600 +2600 @@
         return;
 
-    if ((m_frame->contentRenderer() && m_frame->contentRenderer()->theme()->supportsControlTints()) || hasCustomScrollbars())  {
-        if (needsLayout())
-            layout();
-        PlatformGraphicsContext* const noContext = 0;
-        GraphicsContext context(noContext);
-        context.setUpdatingControlTints(true);
-        if (platformWidget())
-            paintContents(&context, visibleContentRect());
-        else
-            paint(&context, frameRect());
-    }
+    if ((m_frame->contentRenderer() && m_frame->contentRenderer()->theme()->supportsControlTints()) || hasCustomScrollbars())
+        paintControlTints();
+}
+
+void FrameView::paintControlTints()
+{
+    if (needsLayout())
+        layout();
+    PlatformGraphicsContext* const noContext = 0;
+    GraphicsContext context(noContext);
+    context.setUpdatingControlTints(true);
+    if (platformWidget())
+        paintContents(&context, visibleContentRect());
+    else
+        paint(&context, frameRect());
 }
 

trunk/Source/WebCore/page/FrameView.h

@@ -55 +55 @@
 public:
     friend class RenderView;
+    friend class Internals;
 
     static PassRefPtr<FrameView> create(Frame*);
@@ -319 +320 @@
     void updateOverflowStatus(bool horizontalOverflow, bool verticalOverflow);
 
+    void paintControlTints();
+
     void forceLayoutParentViewIfNeeded();
     void performPostLayoutTasks();

trunk/Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp

@@ -197 +197 @@
 AffineTransform GraphicsContext::getCTM() const
 {
+    if (paintingDisabled())
+        return AffineTransform();
+
     cairo_t* cr = platformContext()->cr();
     cairo_matrix_t m;

trunk/Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp

@@ -1251 +1251 @@
 AffineTransform GraphicsContext::getCTM() const
 {
+    if (paintingDisabled())
+        return AffineTransform();
+
     CGAffineTransform t = CGContextGetCTM(platformContext());
     return AffineTransform(t.a, t.b, t.c, t.d, t.tx, t.ty);

trunk/Source/WebCore/platform/graphics/qt/GraphicsContextQt.cpp

@@ -290 +290 @@
 AffineTransform GraphicsContext::getCTM() const
 {
+    if (paintingDisabled())
+        return AffineTransform();
+
     const QTransform& matrix = platformContext()->combinedTransform();
     return AffineTransform(matrix.m11(), matrix.m12(), matrix.m21(),

trunk/Source/WebCore/platform/graphics/skia/GraphicsContextSkia.cpp

@@ -850 +850 @@
 AffineTransform GraphicsContext::getCTM() const
 {
+    if (paintingDisabled())
+        return AffineTransform();
+
     const SkMatrix& m = platformContext()->canvas()->getTotalMatrix();
     return AffineTransform(SkScalarToDouble(m.getScaleX()),

trunk/Source/WebCore/platform/graphics/wince/GraphicsContextWinCE.cpp

@@ -1495 +1495 @@
 AffineTransform GraphicsContext::getCTM() const
 {
+    if (paintingDisabled())
+        return AffineTransform();
+
     return m_data->m_transform;
 }

trunk/Source/WebCore/platform/graphics/wx/GraphicsContextWx.cpp

@@ -478 +478 @@
 AffineTransform GraphicsContext::getCTM() const
 { 
+    if (paintingDisabled())
+        return AffineTransform();
+
 #if USE(WXGC)
     wxGraphicsContext* gc = m_data->context->GetGraphicsContext();

trunk/Source/WebCore/testing/Internals.cpp

@@ -366 +366 @@
 }
 
-}
+void Internals::paintControlTints(Document* document, ExceptionCode& ec)
+{
+    if (!document || !document->view()) {
+        ec = INVALID_ACCESS_ERR;
+        return;
+    }
+
+    FrameView* frameView = document->view();
+    frameView->paintControlTints();
+}
+
+}

trunk/Source/WebCore/testing/Internals.h

@@ -91 +91 @@
     static const char* internalsId;
 
+    void paintControlTints(Document*, ExceptionCode&);
+
 private:
     Internals();

trunk/Source/WebCore/testing/Internals.idl

@@ -62 +62 @@
         DOMString suggestedValue(in Element inputElement) raises (DOMException);
         void setSuggestedValue(in Element inputElement, in DOMString value) raises (DOMException);
+
+        void paintControlTints(in Document document) raises (DOMException);
     };
 }

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-09-21  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=68133
+
+        Reviewed by Darin Adler.
+
+        * win/WebKit2.def:
+        * win/WebKit2CFLite.def:
+        Exported the new FrameView::paintControlTints function.
+
 2011-09-21  Alexey Proskuryakov  <ap@apple.com>
 

trunk/Source/WebKit2/win/WebKit2.def

@@ -162 +162 @@
         ?memoryCache@WebCore@@YAPAVMemoryCache@1@XZ
         ?page@Document@WebCore@@QBEPAVPage@2@XZ
+        ?paintControlTints@FrameView@WebCore@@AAEXXZ
         ?removeShadowRoot@Element@WebCore@@QAEXXZ
         ?setDisabled@MemoryCache@WebCore@@QAEX_N@Z

trunk/Source/WebKit2/win/WebKit2CFLite.def

@@ -156 +156 @@
         ?memoryCache@WebCore@@YAPAVMemoryCache@1@XZ
         ?page@Document@WebCore@@QBEPAVPage@2@XZ
+        ?paintControlTints@FrameView@WebCore@@AAEXXZ
         ?removeShadowRoot@Element@WebCore@@QAEXXZ
         ?setDisabled@MemoryCache@WebCore@@QAEX_N@Z

trunk/Source/autotools/symbols.filter

@@ -77 +77 @@
 _ZN7WebCore14ScrollableArea28setScrollOffsetFromInternalsERKNS_8IntPointE;
 _ZN7WebCore10ScrollView23setScrollbarsSuppressedEbb;
+_ZN7WebCore9FrameView17paintControlTintsEv;
 local:
 _Z*;