Title: [137665] branches/chromium/1312
- Revision
- 137665
- Author
- cev...@google.com
- Date
- 2012-12-13 15:28:12 -0800 (Thu, 13 Dec 2012)
Log Message
Merge 136558
BUG=158060
Review URL: https://codereview.chromium.org/11573024
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1312/LayoutTests/fast/images/crossfade-client-not-removed-crash-expected.txt (from rev 136558, trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash-expected.txt) (0 => 137665)
--- branches/chromium/1312/LayoutTests/fast/images/crossfade-client-not-removed-crash-expected.txt (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/images/crossfade-client-not-removed-crash-expected.txt 2012-12-13 23:28:12 UTC (rev 137665)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://-4294967295/
+PASS. WebKit didn't crash.
Copied: branches/chromium/1312/LayoutTests/fast/images/crossfade-client-not-removed-crash.html (from rev 136558, trunk/LayoutTests/fast/images/crossfade-client-not-removed-crash.html) (0 => 137665)
--- branches/chromium/1312/LayoutTests/fast/images/crossfade-client-not-removed-crash.html (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/images/crossfade-client-not-removed-crash.html 2012-12-13 23:28:12 UTC (rev 137665)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<body id=tCF1>
+A
+<style>
+.class1 {
+ background-image: -webkit-cross-fade(url(#does-not-exist), url(http://-4294967295), 157%);
+}
+.class2:first-of-type {
+ -webkit-animation-direction: alternate;
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var docElement = document.body;
+docElement.contentEditable = "true";
+
+function crash() {
+ test1 = document.createElementNS("http://www.w3.org/1999/xhtml", "thead");
+ docElement.appendChild(test1);
+ test2 = document.createElementNS("http://www.w3.org/1999/xhtml", "intent");
+ test2.setAttribute("class", "class2");
+ docElement.appendChild(test2);
+ test1.setAttribute("class", "class1");
+ window.getSelection().selectAllChildren(tCF1);
+ document.execCommand("hilitecolor", false, "#FF0000");
+ document.execCommand("InsertText", false, "PASS. WebKit didn't crash.");
+}
+
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>
+</html>
\ No newline at end of file
Modified: branches/chromium/1312/Source/WebCore/css/CSSCrossfadeValue.cpp (137664 => 137665)
--- branches/chromium/1312/Source/WebCore/css/CSSCrossfadeValue.cpp 2012-12-13 23:27:42 UTC (rev 137664)
+++ branches/chromium/1312/Source/WebCore/css/CSSCrossfadeValue.cpp 2012-12-13 23:28:12 UTC (rev 137665)
@@ -128,14 +128,26 @@
void CSSCrossfadeValue::loadSubimages(CachedResourceLoader* cachedResourceLoader)
{
+ CachedResourceHandle<CachedImage> oldCachedFromImage = m_cachedFromImage;
+ CachedResourceHandle<CachedImage> oldCachedToImage = m_cachedToImage;
+
m_cachedFromImage = cachedImageForCSSValue(m_fromValue.get(), cachedResourceLoader);
m_cachedToImage = cachedImageForCSSValue(m_toValue.get(), cachedResourceLoader);
- if (m_cachedFromImage)
- m_cachedFromImage->addClient(&m_crossfadeSubimageObserver);
- if (m_cachedToImage)
- m_cachedToImage->addClient(&m_crossfadeSubimageObserver);
+ if (m_cachedFromImage != oldCachedFromImage) {
+ if (oldCachedFromImage)
+ oldCachedFromImage->removeClient(&m_crossfadeSubimageObserver);
+ if (m_cachedFromImage)
+ m_cachedFromImage->addClient(&m_crossfadeSubimageObserver);
+ }
+ if (m_cachedToImage != oldCachedToImage) {
+ if (oldCachedToImage)
+ oldCachedToImage->removeClient(&m_crossfadeSubimageObserver);
+ if (m_cachedToImage)
+ m_cachedToImage->addClient(&m_crossfadeSubimageObserver);
+ }
+
m_crossfadeSubimageObserver.setReady(true);
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes