Title: [125016] trunk
- Revision
- 125016
- Author
- commit-qu...@webkit.org
- Date
- 2012-08-08 03:22:02 -0700 (Wed, 08 Aug 2012)
Log Message
Crash when inspecting an element with border-image
https://bugs.webkit.org/show_bug.cgi?id=93380
Patch by Matt Arsenault <arse...@gmail.com> on 2012-08-08
Reviewed by Tim Horton.
Source/WebCore:
The second value in the CSSPair should be the same as the first if
we are in a shorthand and the next value is not a
border-image-repeat keyword.
Test: fast/css/parse-border-image-repeat-null-crash.html
* css/CSSParser.cpp:
(WebCore::CSSParser::parseBorderImageRepeat):
LayoutTests:
Add a test that ensures css Text on a border image shorthand with
border-image-repeat does not crash.
* fast/css/parse-border-image-repeat-null-crash-expected.txt: Added.
* fast/css/parse-border-image-repeat-null-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (125015 => 125016)
--- trunk/LayoutTests/ChangeLog 2012-08-08 10:20:46 UTC (rev 125015)
+++ trunk/LayoutTests/ChangeLog 2012-08-08 10:22:02 UTC (rev 125016)
@@ -1,3 +1,16 @@
+2012-08-08 Matt Arsenault <arse...@gmail.com>
+
+ Crash when inspecting an element with border-image
+ https://bugs.webkit.org/show_bug.cgi?id=93380
+
+ Reviewed by Tim Horton.
+
+ Add a test that ensures css Text on a border image shorthand with
+ border-image-repeat does not crash.
+
+ * fast/css/parse-border-image-repeat-null-crash-expected.txt: Added.
+ * fast/css/parse-border-image-repeat-null-crash.html: Added.
+
2012-08-08 Pavel Feldman <pfeld...@chromium.org>
Web Inspector: show white space nodes if they are the only tag's children.
Added: trunk/LayoutTests/fast/css/parse-border-image-repeat-null-crash-expected.txt (0 => 125016)
--- trunk/LayoutTests/fast/css/parse-border-image-repeat-null-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/parse-border-image-repeat-null-crash-expected.txt 2012-08-08 10:22:02 UTC (rev 125016)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 4: border-image-source: url(shadow-border.png); border-image-slice: 10; border-image-repeat: stretch;
+This test should not crash
Added: trunk/LayoutTests/fast/css/parse-border-image-repeat-null-crash.html (0 => 125016)
--- trunk/LayoutTests/fast/css/parse-border-image-repeat-null-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/parse-border-image-repeat-null-crash.html 2012-08-08 10:22:02 UTC (rev 125016)
@@ -0,0 +1,8 @@
+<html>
+ <div id="foo" style="border-image: url(images/shadow-border.png) stretch 10;">This test should not crash</div>
+ <script>
+ console.log(document.getElementById("foo").style.cssText);
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (125015 => 125016)
--- trunk/Source/WebCore/ChangeLog 2012-08-08 10:20:46 UTC (rev 125015)
+++ trunk/Source/WebCore/ChangeLog 2012-08-08 10:22:02 UTC (rev 125016)
@@ -1,3 +1,19 @@
+2012-08-08 Matt Arsenault <arse...@gmail.com>
+
+ Crash when inspecting an element with border-image
+ https://bugs.webkit.org/show_bug.cgi?id=93380
+
+ Reviewed by Tim Horton.
+
+ The second value in the CSSPair should be the same as the first if
+ we are in a shorthand and the next value is not a
+ border-image-repeat keyword.
+
+ Test: fast/css/parse-border-image-repeat-null-crash.html
+
+ * css/CSSParser.cpp:
+ (WebCore::CSSParser::parseBorderImageRepeat):
+
2012-08-08 Kentaro Hara <hara...@chromium.org>
[V8] Factor out V8BindingPerIsolateData from V8Binding to a separate file
Modified: trunk/Source/WebCore/css/CSSParser.cpp (125015 => 125016)
--- trunk/Source/WebCore/css/CSSParser.cpp 2012-08-08 10:20:46 UTC (rev 125015)
+++ trunk/Source/WebCore/css/CSSParser.cpp 2012-08-08 10:22:02 UTC (rev 125016)
@@ -6149,6 +6149,7 @@
// We need to rewind the value list, so that when its advanced we'll
// end up back at this value.
m_valueList->previous();
+ secondValue = firstValue;
}
} else
secondValue = firstValue;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
