- Revision
- 87709
- Author
- commit-qu...@webkit.org
- Date
- 2011-05-30 22:00:51 -0700 (Mon, 30 May 2011)
Log Message
2011-05-30 Andrey Petrov <andrey.pet...@gmail.com>
Reviewed by Hajime Morita.
Using jQuery to show/hide IMG elements crashes WebKit
https://bugs.webkit.org/show_bug.cgi?id=31721
* editing/pasteboard/copy-standalone-image-crash-expected.txt: Added.
* editing/pasteboard/copy-standalone-image-crash.html: Added.
2011-05-30 Andrey Petrov <andrey.pet...@gmail.com>
Reviewed by Hajime Morita.
Using jQuery to show/hide IMG elements crashes WebKit
https://bugs.webkit.org/show_bug.cgi?id=31721
For platform code, do not assert that nodes always have a renderer at
the time a context menu action is invoked.
The renderer can actually be empty for a given node if the node was hidden
or removed from the DOM tree by some non-user-generated event (e.g. a timeout)
after the popup menu had been created.
Changing Chromium, Gtk, Mac, Qt, Win and WinCE.
Test: editing/pasteboard/copy-standalone-image-crash.html
* platform/chromium/PasteboardChromium.cpp:
(WebCore::Pasteboard::writeImage):
* platform/gtk/PasteboardGtk.cpp:
(WebCore::Pasteboard::writeImage):
* platform/mac/PasteboardMac.mm:
(WebCore::Pasteboard::writeImage):
* platform/qt/PasteboardQt.cpp:
(WebCore::Pasteboard::writeImage):
* platform/win/PasteboardWin.cpp:
(WebCore::Pasteboard::writeImage):
* platform/wince/PasteboardWinCE.cpp:
(WebCore::Pasteboard::writeImage):
Diff
Modified: trunk/LayoutTests/ChangeLog (87708 => 87709)
--- trunk/LayoutTests/ChangeLog 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/LayoutTests/ChangeLog 2011-05-31 05:00:51 UTC (rev 87709)
@@ -1,3 +1,13 @@
+2011-05-30 Andrey Petrov <andrey.pet...@gmail.com>
+
+ Reviewed by Hajime Morita.
+
+ Using jQuery to show/hide IMG elements crashes WebKit
+ https://bugs.webkit.org/show_bug.cgi?id=31721
+
+ * editing/pasteboard/copy-standalone-image-crash-expected.txt: Added.
+ * editing/pasteboard/copy-standalone-image-crash.html: Added.
+
2011-05-30 Kent Tamura <tk...@chromium.org>
[Mac] Skip a flaky test: svg/zoom/page/zoom-svg-through-object-with-text.xhtml
Added: trunk/LayoutTests/editing/pasteboard/copy-standalone-image-crash-expected.txt (0 => 87709)
--- trunk/LayoutTests/editing/pasteboard/copy-standalone-image-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/copy-standalone-image-crash-expected.txt 2011-05-31 05:00:51 UTC (rev 87709)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/editing/pasteboard/copy-standalone-image-crash.html (0 => 87709)
--- trunk/LayoutTests/editing/pasteboard/copy-standalone-image-crash.html (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/copy-standalone-image-crash.html 2011-05-31 05:00:51 UTC (rev 87709)
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+var actionitems;
+
+if (window.layoutTestController) {
+ window.layoutTestController.dumpAsText();
+ window.layoutTestController.waitUntilDone();
+}
+
+function doClick() {
+ for (var i = 0; i < actionitems.length; i++)
+ {
+ var title = actionitems[i].title;
+
+ if (!title)
+ break;
+
+ title = title.replace(/_/g,'');
+
+ if (title.match("Copy Image")) {
+ actionitems[i].click();
+ break;
+ }
+ }
+
+ document.body.innerHTML = "PASS";
+
+ window.layoutTestController.notifyDone();
+}
+
+function hideDiv() {
+ document.getElementById("DIV").style.display="none";
+}
+
+// this is for manual testing only
+function delayhide() {
+ setTimeout(hideDiv, 100);
+}
+
+function doTest() {
+ if (!window.layoutTestController)
+ return;
+
+ var image = document.getElementById("IMG");
+
+ x = image.offsetLeft + 10;
+ y = image.offsetTop + 10;
+
+ eventSender.mouseMoveTo(x, y);
+ actionitems = eventSender.contextClick();
+
+ hideDiv();
+
+ setTimeout(doClick, 10);
+}
+
+</script>
+</head>
+<body _onload_="doTest()" _onmousedown_="delayhide()">
+This is an automated test case for bug <a href=""
+If you wish to test manually, mouseover to image, activate context menu, wait for the image to disappear and then click copy image.<br>
+There should be no crash.
+<div ID="DIV">
+ <img id="IMG" src=""
+ </div>
+</body>
+
+</html>
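Review bot: In `doClick`, `if (!title) break;` ends the search at the first menu item without a title, and `document.body.innerHTML = "PASS";` runs whether or not the "Copy Image" item was ever clicked. If an untitled entry (presumably a separator) precedes "Copy Image", or the item's label changes on some port, this test keeps passing without reaching `Pasteboard::writeImage`, so the crash it guards against could come back unnoticed. Use `continue;` instead of `break;` for untitled items, record the click in a flag, and report on it, for example `document.body.innerHTML = clicked ? "PASS" : "FAIL: Copy Image item not found";`. `x` and `y` in `doTest` are also assigned without `var` and leak into the global scope.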
Modified: trunk/Source/WebCore/ChangeLog (87708 => 87709)
--- trunk/Source/WebCore/ChangeLog 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/Source/WebCore/ChangeLog 2011-05-31 05:00:51 UTC (rev 87709)
@@ -1,3 +1,33 @@
+2011-05-30 Andrey Petrov <andrey.pet...@gmail.com>
+
+ Reviewed by Hajime Morita.
+
+ Using jQuery to show/hide IMG elements crashes WebKit
+ https://bugs.webkit.org/show_bug.cgi?id=31721
+
+ For platform code, do not assert nodes always have renderer at
+ the time context menu action is invoked.
+ Renderer can actually be empty for a given node if it was hidden
+ or removed from domtree by some non-user generated event (e.g timeout)
+ after the popup menu had been created.
+
+ Changing Chromium, Gtk, Mac, Qt, Win and WinCE.
+
+ Test: editing/pasteboard/copy-standalone-image-crash.html
+
+ * platform/chromium/PasteboardChromium.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/gtk/PasteboardGtk.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/mac/PasteboardMac.mm:
+ (WebCore::Pasteboard::writeImage):
+ * platform/qt/PasteboardQt.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/win/PasteboardWin.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/wince/PasteboardWinCE.cpp:
+ (WebCore::Pasteboard::writeImage):
+
2011-05-30 Daniel Bates <dba...@webkit.org>
Reviewed by Adam Barth.
Modified: trunk/Source/WebCore/platform/chromium/PasteboardChromium.cpp (87708 => 87709)
--- trunk/Source/WebCore/platform/chromium/PasteboardChromium.cpp 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/Source/WebCore/platform/chromium/PasteboardChromium.cpp 2011-05-31 05:00:51 UTC (rev 87709)
@@ -122,15 +122,17 @@
void Pasteboard::writeImage(Node* node, const KURL&, const String& title)
{
ASSERT(node);
- ASSERT(node->renderer());
- ASSERT(node->renderer()->isImage());
+
+ if (!(node->renderer() && node->renderer()->isImage()))
+ return;
+
RenderImage* renderer = toRenderImage(node->renderer());
CachedImage* cachedImage = renderer->cachedImage();
if (!cachedImage || cachedImage->errorOccurred())
return;
Image* image = cachedImage->image();
ASSERT(image);
-
+
NativeImagePtr bitmap = image->nativeImageForCurrentFrame();
if (!bitmap)
return;
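Review bot: The new early return at `if (!(node->renderer() && node->renderer()->isImage()))` has no comment saying why a node without a renderer is a legitimate input here, and the same two lines are repeated in the Gtk, Mac, Qt, Win and WinCE hunks. A one-line comment such as `// The node may have lost its renderer (hidden or removed) after the context menu was built.` would keep a later cleanup from turning the check back into an assertion. `ASSERT(node)` remains debug-only while `node` is dereferenced in the very next statement; if the caller, which is not visible here, can pass a null node, that deserves the same runtime check. Since six ports now carry an identical guard, doing the check once in the shared caller would avoid drift between them. The body of `writeImage` continues outside the hunk.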
Modified: trunk/Source/WebCore/platform/gtk/PasteboardGtk.cpp (87708 => 87709)
--- trunk/Source/WebCore/platform/gtk/PasteboardGtk.cpp 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/Source/WebCore/platform/gtk/PasteboardGtk.cpp 2011-05-31 05:00:51 UTC (rev 87709)
@@ -118,7 +118,10 @@
void Pasteboard::writeImage(Node* node, const KURL&, const String& title)
{
ASSERT(node);
- ASSERT(node->renderer());
+
+ if (!(node->renderer() && node->renderer()->isImage()))
+ return;
+
RenderImage* renderer = toRenderImage(node->renderer());
CachedImage* cachedImage = renderer->cachedImage();
if (!cachedImage || cachedImage->errorOccurred())
Modified: trunk/Source/WebCore/platform/mac/PasteboardMac.mm (87708 => 87709)
--- trunk/Source/WebCore/platform/mac/PasteboardMac.mm 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/Source/WebCore/platform/mac/PasteboardMac.mm 2011-05-31 05:00:51 UTC (rev 87709)
@@ -291,12 +291,15 @@
void Pasteboard::writeImage(Node* node, const KURL& url, const String& title)
{
ASSERT(node);
+
+ if (!(node->renderer() && node->renderer()->isImage()))
+ return;
+
Frame* frame = node->document()->frame();
NSURL *cocoaURL = url;
ASSERT(cocoaURL);
- ASSERT(node->renderer() && node->renderer()->isImage());
RenderImage* renderer = toRenderImage(node->renderer());
CachedImage* cachedImage = renderer->cachedImage();
if (!cachedImage || cachedImage->errorOccurred())
Modified: trunk/Source/WebCore/platform/qt/PasteboardQt.cpp (87708 => 87709)
--- trunk/Source/WebCore/platform/qt/PasteboardQt.cpp 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/Source/WebCore/platform/qt/PasteboardQt.cpp 2011-05-31 05:00:51 UTC (rev 87709)
@@ -152,8 +152,11 @@
void Pasteboard::writeImage(Node* node, const KURL&, const String&)
{
- ASSERT(node && node->renderer() && node->renderer()->isImage());
+ ASSERT(node);
+ if (!(node->renderer() && node->renderer()->isImage()))
+ return;
+
#ifndef QT_NO_CLIPBOARD
CachedImage* cachedImage = toRenderImage(node->renderer())->cachedImage();
if (!cachedImage || cachedImage->errorOccurred())
Modified: trunk/Source/WebCore/platform/win/PasteboardWin.cpp (87708 => 87709)
--- trunk/Source/WebCore/platform/win/PasteboardWin.cpp 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/Source/WebCore/platform/win/PasteboardWin.cpp 2011-05-31 05:00:51 UTC (rev 87709)
@@ -208,7 +208,11 @@
void Pasteboard::writeImage(Node* node, const KURL&, const String&)
{
- ASSERT(node && node->renderer() && node->renderer()->isImage());
+ ASSERT(node);
+
+ if (!(node->renderer() && node->renderer()->isImage()))
+ return;
+
RenderImage* renderer = toRenderImage(node->renderer());
CachedImage* cachedImage = renderer->cachedImage();
if (!cachedImage || cachedImage->errorOccurred())
Modified: trunk/Source/WebCore/platform/wince/PasteboardWinCE.cpp (87708 => 87709)
--- trunk/Source/WebCore/platform/wince/PasteboardWinCE.cpp 2011-05-31 04:03:56 UTC (rev 87708)
+++ trunk/Source/WebCore/platform/wince/PasteboardWinCE.cpp 2011-05-31 05:00:51 UTC (rev 87709)
@@ -200,7 +200,11 @@
void Pasteboard::writeImage(Node* node, const KURL&, const String&)
{
- ASSERT(node && node->renderer() && node->renderer()->isImage());
+ ASSERT(node);
+
+ if (!(node->renderer() && node->renderer()->isImage()))
+ return;
+
RenderImage* renderer = static_cast<RenderImage*>(node->renderer());
CachedImage* cachedImage = static_cast<CachedImage*>(renderer->cachedImage());
ASSERT(cachedImage);
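Review bot: `ASSERT(cachedImage);` on the last line of this hunk is the same kind of debug-only check that this commit replaces for the renderer. The other ports in this change return early on `!cachedImage || cachedImage->errorOccurred()`, whereas here a null `cachedImage` in a release build reaches whatever follows, which lies outside the hunk. Replace it with `if (!cachedImage || cachedImage->errorOccurred()) return;` to match the other ports. This port also downcasts with `static_cast<RenderImage*>` where the others call `toRenderImage(node->renderer())`; using the helper would keep the ports consistent.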