RenderImageResourceStyleImage::image() should return the nullImage() if the image...
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 30 Jul 2017 07:38:31 +0000 (07:38 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 30 Jul 2017 07:38:31 +0000 (07:38 +0000)
commit: edb6c05b7529208dca287e343e19c731fd621065
tree: 1d7f8ac69d599857f48e3ff667bb9de1d14e4b07
parent: 591c0c244c893b0afc5278a205c1c21ae954027b
RenderImageResourceStyleImage::image() should return the nullImage() if the image is not available
https://bugs.webkit.org/show_bug.cgi?id=174874
<rdar://problem/33530130>

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2017-07-30
Reviewed by Darin Adler.

Source/WebCore:

If an <img> element has image content data for a non-cached image, e.g.
-webkit-named-image, RenderImageResourceStyleImage will be created and
attached to the RenderImage. RenderImageResourceStyleImage::m_cachedImage
will be set to null because m_styleImage->isCachedImage() is false in
this case. When ImageLoader finishes loading the URL of the src attribute,
RenderImageResource::setCachedImage() will be called to set m_cachedImage.

A crash will happen when the RenderImage is destroyed. Destroying the
RenderImage calls RenderImageResourceStyleImage::shutdown() which checks
m_cachedImage and finds it not null, so it calls RenderImageResourceStyleImage::image()
which ends up calling CSSNamedImageValue::image() which returns a null pointer
because the size is empty. RenderImageResourceStyleImage::shutdown() calls
image()->stopAnimation() without checking the return value of image().

Like the base class virtual method RenderImageResource::image(),
RenderImageResourceStyleImage::image() should return the nullImage() if
the image is not available.

Test: fast/images/image-element-image-content-data.html

* css/CSSCrossfadeValue.cpp:
* css/CSSFilterImageValue.cpp:
* page/EventHandler.cpp:
* page/PageSerializer.cpp:
* rendering/RenderElement.cpp:
* rendering/RenderImageResource.cpp:
* rendering/RenderImageResourceStyleImage.cpp:
(WebCore::RenderImageResourceStyleImage::initialize):

(WebCore::RenderImageResourceStyleImage::shutdown): Revert the changes
of r208511 in this function. Add a call to image()->stopAnimation() without
checking the return of image(), since it will return the nullImage() if
the image is not available. There is no need to check m_cachedImage before
calling image() because image() does not check or access m_cachedImage.

(WebCore::RenderImageResourceStyleImage::image): The base class method
RenderImageResource::image() returns the nullImage() if the image is not
available. This is because CachedImage::imageForRenderer() returns
the nullImage() if the image is not available; see CachedImage.h. We should
do the same for the derived class for consistency.

* rendering/style/ContentData.cpp:
* rendering/style/StyleCachedImage.cpp:
* style/StylePendingResources.cpp:

LayoutTests:

* fast/images/image-element-image-content-data-expected.txt: Added.
* fast/images/image-element-image-content-data.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220048 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/images/image-element-image-content-data-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/image-element-image-content-data.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/CSSCrossfadeValue.cpp
Source/WebCore/css/CSSFilterImageValue.cpp
Source/WebCore/page/EventHandler.cpp
Source/WebCore/page/PageSerializer.cpp
Source/WebCore/rendering/RenderElement.cpp
Source/WebCore/rendering/RenderImageResource.cpp
Source/WebCore/rendering/RenderImageResourceStyleImage.cpp
Source/WebCore/rendering/style/ContentData.cpp
Source/WebCore/rendering/style/StyleCachedImage.cpp
Source/WebCore/style/StylePendingResources.cpp
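The crash path and the fix described in the commit message, as an added, simplified C++ model (not WebKit's own code): the class and method names are borrowed from the message, but the bodies, the `Image` struct, the size fields and `shutdownIsSafe()` are assumptions made for illustration.

```cpp
// Constructed, simplified model of the classes named in the commit message (not
// WebKit's code): shutdown() may call image()->stopAnimation() unchecked only if
// image() keeps the base-class contract of returning nullImage(), never nullptr.
struct Image {
    bool isNull = true, animating = false;
    void stopAnimation() { animating = false; }
};
Image* nullImage() { static Image sentinel; return &sentinel; } // shared sentinel
// Stand-in for CSSNamedImageValue::image(): yields nothing for an empty size.
struct StyleImage {
    Image m_image;
    StyleImage() { m_image.isNull = false; m_image.animating = true; }
    Image* image(int w, int h) { return (w > 0 && h > 0) ? &m_image : nullptr; }
};

struct RenderImageResource {
    Image* m_cachedImage = nullptr; // stands in for CachedImage::imageForRenderer()
    virtual ~RenderImageResource() = default;
    virtual Image* image() { return m_cachedImage ? m_cachedImage : nullImage(); }
    void setCachedImage(Image* cached) { m_cachedImage = cached; }
    void shutdown() { image()->stopAnimation(); } // assumes image() != nullptr
};

// Pre-fix derived class: passes the style image's nullptr straight through.
struct StyleImageResourceBefore : RenderImageResource {
    StyleImage* m_style;
    int m_width = 0, m_height = 0;
    explicit StyleImageResourceBefore(StyleImage& s) : m_style(&s) {}
    Image* image() override { return m_style->image(m_width, m_height); }
};

// Post-fix derived class: falls back to nullImage(), like the base class.
struct StyleImageResourceAfter : StyleImageResourceBefore {
    using StyleImageResourceBefore::StyleImageResourceBefore;
    Image* image() override {
        Image* found = StyleImageResourceBefore::image();
        return found ? found : nullImage();
    }
};

// Replays the crash path: non-cached style image, ImageLoader sets m_cachedImage,
// RenderImage destroyed. Returns false where unfixed code would dereference nullptr.
bool shutdownIsSafe(RenderImageResource& resource, Image& loaded) {
    resource.setCachedImage(&loaded);
    if (!resource.image())
        return false;
    resource.shutdown();
    return true;
}
```

With an empty size the pre-fix class hands `shutdown()` a null pointer, while the post-fix class hands it the shared sentinel, so `stopAnimation()` is a harmless no-op.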