Diff
Modified: trunk/LayoutTests/ChangeLog (121387 => 121388)
--- trunk/LayoutTests/ChangeLog 2012-06-28 00:04:32 UTC (rev 121387)
+++ trunk/LayoutTests/ChangeLog 2012-06-28 00:09:03 UTC (rev 121388)
@@ -1,3 +1,13 @@
+2012-06-27 Daniel Cheng <dch...@chromium.org>
+
+ Fix crash in Frame::nodeImage.
+ https://bugs.webkit.org/show_bug.cgi?id=89911
+
+ Reviewed by Abhishek Arya.
+
+ * fast/events/drag-display-none-element-expected.txt: Added.
+ * fast/events/drag-display-none-element.html: Added.
+
2012-06-27 Tony Chang <t...@chromium.org>
Unreviewed, rolling out r121380.
Added: trunk/LayoutTests/fast/events/drag-display-none-element-expected.txt (0 => 121388)
--- trunk/LayoutTests/fast/events/drag-display-none-element-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/drag-display-none-element-expected.txt 2012-06-28 00:09:03 UTC (rev 121388)
@@ -0,0 +1,2 @@
+To test, try dragging this div around. It shouldn't crash, and PASS should appear below when you end the drag.
+PASS
Property changes on: trunk/LayoutTests/fast/events/drag-display-none-element-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: trunk/LayoutTests/fast/events/drag-display-none-element.html (0 => 121388)
--- trunk/LayoutTests/fast/events/drag-display-none-element.html (rev 0)
+++ trunk/LayoutTests/fast/events/drag-display-none-element.html 2012-06-28 00:09:03 UTC (rev 121388)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#dragme:-webkit-drag
+{
+ display: none;
+}
+</style>
+<script>
+function runTest()
+{
+ var dragme = document.getElementById('dragme');
+ dragme.addEventListener('dragend', function () {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ document.getElementById('console').appendChild(document.createTextNode('PASS'));
+ });
+
+ if (!window.testRunner)
+ return;
+
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+
+ eventSender.mouseMoveTo(dragme.offsetLeft + dragme.offsetWidth / 2, dragme.offsetTop + dragme.offsetHeight / 2);
+ eventSender.mouseDown();
+ eventSender.leapForward(100);
+ eventSender.mouseMoveTo(0, 0);
+ eventSender.mouseUp();
+}
+window.addEventListener('load', runTest);
+</script>
+</head>
+<body>
+<div id="dragme" draggable="true">To test, try dragging this div around. It shouldn't crash, and PASS should appear below when you end the drag.</div>
+<div id="console"></div>
+</body>
+</html>
Property changes on: trunk/LayoutTests/fast/events/drag-display-none-element.html
___________________________________________________________________
Added: svn:eol-style
Modified: trunk/Source/WebCore/ChangeLog (121387 => 121388)
--- trunk/Source/WebCore/ChangeLog 2012-06-28 00:04:32 UTC (rev 121387)
+++ trunk/Source/WebCore/ChangeLog 2012-06-28 00:09:03 UTC (rev 121388)
@@ -1,3 +1,21 @@
+2012-06-27 Daniel Cheng <dch...@chromium.org>
+
+ Fix crash in Frame::nodeImage.
+ https://bugs.webkit.org/show_bug.cgi?id=89911
+
+ Reviewed by Abhishek Arya.
+
+ We were caching a pointer to a RenderObject and then calling updateLayout(). Instead, we
+ need to get a pointer to the RenderObject again after updateLayout().
+
+ Test: fast/events/drag-display-none-element.html
+
+ * page/Frame.cpp:
+ (WebCore::Frame::nodeImage):
+ * page/mac/FrameMac.mm:
+ (WebCore::Frame::snapshotDragImage):
+ (WebCore::Frame::nodeImage):
+
2012-06-27 Tony Chang <t...@chromium.org>
Unreviewed, rolling out r121380.
Modified: trunk/Source/WebCore/page/Frame.cpp (121387 => 121388)
--- trunk/Source/WebCore/page/Frame.cpp 2012-06-28 00:04:32 UTC (rev 121387)
+++ trunk/Source/WebCore/page/Frame.cpp 2012-06-28 00:09:03 UTC (rev 121388)
@@ -1047,38 +1047,39 @@
#if !PLATFORM(MAC) && !PLATFORM(WIN)
struct ScopedFramePaintingState {
- ScopedFramePaintingState(Frame* theFrame, RenderObject* theRenderer)
- : frame(theFrame)
- , renderer(theRenderer)
+ ScopedFramePaintingState(Frame* frame, Node* node)
+ : frame(frame)
+ , node(node)
, paintBehavior(frame->view()->paintBehavior())
, backgroundColor(frame->view()->baseBackgroundColor())
{
+ ASSERT(!node || node->renderer());
+ if (node)
+ node->renderer()->updateDragState(true);
}
~ScopedFramePaintingState()
{
- if (renderer)
- renderer->updateDragState(false);
+ if (node && node->renderer())
+ node->renderer()->updateDragState(false);
frame->view()->setPaintBehavior(paintBehavior);
frame->view()->setBaseBackgroundColor(backgroundColor);
frame->view()->setNodeToDraw(0);
}
Frame* frame;
- RenderObject* renderer;
+ Node* node;
PaintBehavior paintBehavior;
Color backgroundColor;
};
DragImageRef Frame::nodeImage(Node* node)
{
- RenderObject* renderer = node->renderer();
- if (!renderer)
+ if (!node->renderer())
return 0;
- const ScopedFramePaintingState state(this, renderer);
+ const ScopedFramePaintingState state(this, node);
- renderer->updateDragState(true);
m_view->setPaintBehavior(state.paintBehavior | PaintBehaviorFlattenCompositingLayers);
// When generating the drag image for an element, ignore the document background.
@@ -1086,6 +1087,11 @@
m_doc->updateLayout();
m_view->setNodeToDraw(node); // Enable special sub-tree drawing mode.
+ // Document::updateLayout may have blown away the original RenderObject.
+ RenderObject* renderer = node->renderer();
+ if (!renderer)
+ return 0;
+
LayoutRect topLevelRect;
IntRect paintingRect = pixelSnappedIntRect(renderer->paintingRootRect(topLevelRect));
Modified: trunk/Source/WebCore/page/mac/FrameMac.mm (121387 => 121388)
--- trunk/Source/WebCore/page/mac/FrameMac.mm 2012-06-28 00:04:32 UTC (rev 121387)
+++ trunk/Source/WebCore/page/mac/FrameMac.mm 2012-06-28 00:09:03 UTC (rev 121388)
@@ -157,6 +157,13 @@
renderer->updateDragState(true); // mark dragged nodes (so they pick up the right CSS)
m_doc->updateLayout(); // forces style recalc - needed since changing the drag state might
// imply new styles, plus JS could have changed other things
+
+
+ // Document::updateLayout may have blown away the original RenderObject.
+ renderer = node->renderer();
+ if (!renderer)
+ return nil;
+
LayoutRect topLevelRect;
NSRect paintingRect = pixelSnappedIntRect(renderer->paintingRootRect(topLevelRect));
@@ -175,12 +182,11 @@
DragImageRef Frame::nodeImage(Node* node)
{
+ m_doc->updateLayout(); // forces style recalc
+
RenderObject* renderer = node->renderer();
if (!renderer)
return nil;
-
- m_doc->updateLayout(); // forces style recalc
-
LayoutRect topLevelRect;
NSRect paintingRect = pixelSnappedIntRect(renderer->paintingRootRect(topLevelRect));
Modified: trunk/Source/WebCore/page/win/FrameCGWin.cpp (121387 => 121388)
--- trunk/Source/WebCore/page/win/FrameCGWin.cpp 2012-06-28 00:04:32 UTC (rev 121387)
+++ trunk/Source/WebCore/page/win/FrameCGWin.cpp 2012-06-28 00:09:03 UTC (rev 121388)
@@ -93,6 +93,8 @@
DragImageRef Frame::nodeImage(Node* node)
{
+ document()->updateLayout();
+
RenderObject* renderer = node->renderer();
if (!renderer)
return 0;
@@ -100,8 +102,6 @@
LayoutRect topLevelRect;
IntRect paintingRect = pixelSnappedIntRect(renderer->paintingRootRect(topLevelRect));
- document()->updateLayout();
-
m_view->setNodeToDraw(node); // invoke special sub-tree drawing mode
HBITMAP result = imageFromRect(this, paintingRect);
m_view->setNodeToDraw(0);
