Assertion failure in WebCore::PseudoElement::didRecalcStyle()
authorjhoneycutt@apple.com <jhoneycutt@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Jan 2014 02:55:15 +0000 (02:55 +0000)
committerjhoneycutt@apple.com <jhoneycutt@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Jan 2014 02:55:15 +0000 (02:55 +0000)
<https://bugs.webkit.org/show_bug.cgi?id=126761>
<rdar://problem/15793540>

Source/WebCore:

Reviewed by Andy Estes.

Test: fast/images/animate-list-item-image-assertion.html

* dom/PseudoElement.cpp:
(WebCore::PseudoElement::didRecalcStyle):
Check isRenderImage() rather than isImage() before casting to
RenderImage.

* editing/ios/EditorIOS.mm:
(WebCore::getImage):
Ditto.

* editing/mac/EditorMac.mm:
(WebCore::getImage):
Ditto.

* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::parseAttribute):
(WebCore::HTMLImageElement::didAttachRenderers):
Ditto.

* loader/ImageLoader.cpp:
(WebCore::ImageLoader::renderImageResource):
Ditto.

* page/DragController.cpp:
(WebCore::getCachedImage):
Ditto.

* rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::isDirectlyCompositedImage):
(WebCore::RenderLayerBacking::updateImageContents):
Ditto.

Source/WebKit/mac:

Some areas of code were erroneously checking the value of
RenderObject::isImage() rather than RenderObject::isRenderImage()
before casting the object to RenderImage.

This could lead to an assertion failure for RenderListMarkers, which
may return true for isImage(), but are not RenderImages.

Reviewed by Andy Estes.

* Misc/WebNSPasteboardExtras.mm:
(-[NSPasteboard _web_declareAndWriteDragImageForElement:URL:title:archive:source:]):
Check isRenderImage() rather than isImage() before casting to
RenderImage.

Source/WebKit2:

Reviewed by Andy Estes.

* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::getPositionInformation):
Check isRenderImage() rather than isImage() before casting to
RenderImage.

LayoutTests:

Reviewed by Andy Estes.

* fast/images/animate-list-item-image-assertion-expected.txt: Added.
* fast/images/animate-list-item-image-assertion.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@162679 268f45cc-cd09-0410-ab3c-d52691b4dbfc

16 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/images/animate-list-item-image-assertion-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/animate-list-item-image-assertion.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/PseudoElement.cpp
Source/WebCore/editing/ios/EditorIOS.mm
Source/WebCore/editing/mac/EditorMac.mm
Source/WebCore/html/HTMLAreaElement.cpp
Source/WebCore/html/HTMLImageElement.cpp
Source/WebCore/loader/ImageLoader.cpp
Source/WebCore/page/DragController.cpp
Source/WebCore/rendering/RenderLayerBacking.cpp
Source/WebKit/mac/ChangeLog
Source/WebKit/mac/Misc/WebNSPasteboardExtras.mm
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm

index 387950c..2d3a739 100644 (file)
@@ -1,3 +1,14 @@
+2014-01-23  Jon Honeycutt  <jhoneycutt@apple.com>
+
+        Assertion failure in WebCore::PseudoElement::didRecalcStyle()
+        <https://bugs.webkit.org/show_bug.cgi?id=126761>
+        <rdar://problem/15793540>
+
+        Reviewed by Andy Estes.
+
+        * fast/images/animate-list-item-image-assertion-expected.txt: Added.
+        * fast/images/animate-list-item-image-assertion.html: Added.
+
 2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Remove recompileAllJSFunctions timer in ScriptDebugServer
diff --git a/LayoutTests/fast/images/animate-list-item-image-assertion-expected.txt b/LayoutTests/fast/images/animate-list-item-image-assertion-expected.txt
new file mode 100644 (file)
index 0000000..53cdf1e
--- /dev/null
@@ -0,0 +1 @@
+PASSED
diff --git a/LayoutTests/fast/images/animate-list-item-image-assertion.html b/LayoutTests/fast/images/animate-list-item-image-assertion.html
new file mode 100644 (file)
index 0000000..7d297f1
--- /dev/null
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+
+<!-- Test passes if it doesn't assert in a debug build. -->
+
+<style>
+    #anchor:after {
+        content: ".";
+        display: block;
+    }
+    span {
+        float: left;
+    }
+    ul {
+        -webkit-animation-name: n;
+        -webkit-animation-duration: .1s;
+    }
+    @-webkit-keyframes n {
+        from { }
+        to { list-style-image: -webkit-repeating-radial-gradient(circle cover, rgb(23,136,16) , rgb(2%,5%,72%) , #373f74); }
+    }
+</style>
+
+<ul id="u">
+    <li>
+        <a id="anchor" href="#"><span id="text">PASSED</span></a>
+    </li>
+</ul>
+
+<script>
+    if (window.testRunner) {
+        window.testRunner.dumpAsText(true);
+        window.testRunner.waitUntilDone();
+
+        document.getElementById("u").addEventListener('webkitAnimationStart', function() {
+            window.testRunner.notifyDone();
+        }, false);
+    }
+</script>
index 4cd6d11..67ea786 100644 (file)
@@ -1,3 +1,44 @@
+2014-01-23  Jon Honeycutt  <jhoneycutt@apple.com>
+
+        Assertion failure in WebCore::PseudoElement::didRecalcStyle()
+        <https://bugs.webkit.org/show_bug.cgi?id=126761>
+        <rdar://problem/15793540>
+
+        Reviewed by Andy Estes.
+
+        Test: fast/images/animate-list-item-image-assertion.html
+
+        * dom/PseudoElement.cpp:
+        (WebCore::PseudoElement::didRecalcStyle):
+        Check isRenderImage() rather than isImage() before casting to
+        RenderImage.
+
+        * editing/ios/EditorIOS.mm:
+        (WebCore::getImage):
+        Ditto.
+
+        * editing/mac/EditorMac.mm:
+        (WebCore::getImage):
+        Ditto.
+
+        * html/HTMLImageElement.cpp:
+        (WebCore::HTMLImageElement::parseAttribute):
+        (WebCore::HTMLImageElement::didAttachRenderers):
+        Ditto.
+
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::renderImageResource):
+        Ditto.
+
+        * page/DragController.cpp:
+        (WebCore::getCachedImage):
+        Ditto.
+
+        * rendering/RenderLayerBacking.cpp:
+        (WebCore::RenderLayerBacking::isDirectlyCompositedImage):
+        (WebCore::RenderLayerBacking::updateImageContents):
+        Ditto.
+
 2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Remove recompileAllJSFunctions timer in ScriptDebugServer
index e2d720d..7dc629e 100644 (file)
@@ -112,7 +112,7 @@ void PseudoElement::didRecalcStyle(Style::Change)
     RenderObject* renderer = this->renderer();
     for (RenderObject* child = renderer->nextInPreOrder(renderer); child; child = child->nextInPreOrder(renderer)) {
         // We only manage the style for the generated content which must be images or text.
-        if (!child->isImage())
+        if (!child->isRenderImage())
             continue;
         toRenderImage(*child).setStyle(RenderImage::createStyleInheritingFromPseudoStyle(renderer->style()));
     }
index b65dcfc..13798d1 100644 (file)
@@ -345,7 +345,7 @@ void Editor::writeSelectionToPasteboard(Pasteboard& pasteboard)
 static void getImage(Element& imageElement, RefPtr<Image>& image, CachedImage*& cachedImage)
 {
     auto renderer = imageElement.renderer();
-    if (!renderer || !renderer->isImage())
+    if (!renderer || !renderer->isRenderImage())
         return;
 
     CachedImage* tentativeCachedImage = toRenderImage(renderer)->cachedImage();
index 720f7e1..3928a28 100644 (file)
@@ -366,7 +366,7 @@ void Editor::writeSelectionToPasteboard(Pasteboard& pasteboard)
 static void getImage(Element& imageElement, RefPtr<Image>& image, CachedImage*& cachedImage)
 {
     auto renderer = imageElement.renderer();
-    if (!renderer || !renderer->isImage())
+    if (!renderer || !renderer->isRenderImage())
         return;
 
     CachedImage* tentativeCachedImage = toRenderImage(renderer)->cachedImage();
index e0931e6..5eeb31e 100644 (file)
@@ -220,7 +220,7 @@ void HTMLAreaElement::setFocus(bool shouldBeFocused)
         return;
 
     auto renderer = imageElement->renderer();
-    if (!renderer || !renderer->isImage())
+    if (!renderer || !renderer->isRenderImage())
         return;
 
     toRenderImage(renderer)->areaElementFocusChanged(this);
index 3a9675c..31aeb27 100644 (file)
@@ -115,7 +115,7 @@ const AtomicString& HTMLImageElement::imageSourceURL() const
 void HTMLImageElement::parseAttribute(const QualifiedName& name, const AtomicString& value)
 {
     if (name == altAttr) {
-        if (renderer() && renderer()->isImage())
+        if (renderer() && renderer()->isRenderImage())
             toRenderImage(renderer())->updateAltText();
     } else if (name == srcAttr || name == srcsetAttr) {
         m_bestFitImageURL = bestFitSourceForImageAttributes(document().deviceScaleFactor(), fastGetAttribute(srcAttr), fastGetAttribute(srcsetAttr));
@@ -192,7 +192,7 @@ bool HTMLImageElement::canStartSelection() const
 
 void HTMLImageElement::didAttachRenderers()
 {
-    if (!renderer() || !renderer()->isImage())
+    if (!renderer() || !renderer()->isRenderImage())
         return;
     if (m_imageLoader.hasPendingBeforeLoadEvent())
         return;
index c609508..13c32ff 100644 (file)
@@ -325,7 +325,7 @@ RenderImageResource* ImageLoader::renderImageResource()
 
     // We don't return style generated image because it doesn't belong to the ImageLoader.
     // See <https://bugs.webkit.org/show_bug.cgi?id=42840>
-    if (renderer->isImage() && !toRenderImage(*renderer).isGeneratedContent())
+    if (renderer->isRenderImage() && !toRenderImage(*renderer).isGeneratedContent())
         return &toRenderImage(*renderer).imageResource();
 
 #if ENABLE(SVG)
index d1a4899..3d9f4a6 100644 (file)
@@ -655,7 +655,7 @@ Element* DragController::draggableElement(const Frame* sourceFrame, Element* sta
 static CachedImage* getCachedImage(Element& element)
 {
     RenderObject* renderer = element.renderer();
-    if (!renderer || !renderer->isImage())
+    if (!renderer || !renderer->isRenderImage())
         return 0;
     RenderImage* image = toRenderImage(renderer);
     return image->cachedImage();
index 4252b3c..bb9ea64 100644 (file)
@@ -1865,7 +1865,7 @@ bool RenderLayerBacking::containsPaintedContent(bool isSimpleContainer) const
 // that require painting. Direct compositing saves backing store.
 bool RenderLayerBacking::isDirectlyCompositedImage() const
 {
-    if (!renderer().isImage() || m_owningLayer.hasBoxDecorationsOrBackground() || renderer().hasClip())
+    if (!renderer().isRenderImage() || m_owningLayer.hasBoxDecorationsOrBackground() || renderer().hasClip())
         return false;
 
     RenderImage& imageRenderer = toRenderImage(renderer());
@@ -1912,7 +1912,7 @@ void RenderLayerBacking::contentChanged(ContentChangeType changeType)
 
 void RenderLayerBacking::updateImageContents()
 {
-    ASSERT(renderer().isImage());
+    ASSERT(renderer().isRenderImage());
     RenderImage& imageRenderer = toRenderImage(renderer());
 
     CachedImage* cachedImage = imageRenderer.cachedImage();
index 8844d00..665e4ce 100644 (file)
@@ -1,3 +1,23 @@
+2014-01-23  Jon Honeycutt  <jhoneycutt@apple.com>
+
+        Assertion failure in WebCore::PseudoElement::didRecalcStyle()
+        <https://bugs.webkit.org/show_bug.cgi?id=126761>
+        <rdar://problem/15793540>
+
+        Some areas of code were erroneously checking the value of
+        RenderObject::isImage() rather than RenderObject::isRenderImage()
+        before casting the object to RenderImage.
+
+        This could lead to an assertion failure for RenderListMarkers, which
+        may return true for isImage(), but are not RenderImages.
+
+        Reviewed by Andy Estes.
+
+        * Misc/WebNSPasteboardExtras.mm:
+        (-[NSPasteboard _web_declareAndWriteDragImageForElement:URL:title:archive:source:]):
+        Check isRenderImage() rather than isImage() before casting to
+        RenderImage.
+
 2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Remove recompileAllJSFunctions timer in ScriptDebugServer
index 40db6dc..bcc5f19 100644 (file)
@@ -272,7 +272,7 @@ static CachedImage* imageFromElement(DOMElement *domElement)
 
     NSString *extension = @"";
     if (RenderObject* renderer = core(element)->renderer()) {
-        if (renderer->isImage()) {
+        if (renderer->isRenderImage()) {
             if (CachedImage* image = toRenderImage(renderer)->cachedImage()) {
                 extension = image->image()->filenameExtension();
                 if (![extension length])
index f71b044..17a5814 100644 (file)
@@ -1,3 +1,16 @@
+2014-01-23  Jon Honeycutt  <jhoneycutt@apple.com>
+
+        Assertion failure in WebCore::PseudoElement::didRecalcStyle()
+        <https://bugs.webkit.org/show_bug.cgi?id=126761>
+        <rdar://problem/15793540>
+
+        Reviewed by Andy Estes.
+
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::WebPage::getPositionInformation):
+        Check isRenderImage() rather than isImage() before casting to
+        RenderImage.
+
 2014-01-23  Anders Carlsson  <andersca@apple.com>
 
         Move policy client into WKPage.cpp and get rid of WebPolicyClient files
index 1cac1d2..6b164aa 100644 (file)
@@ -823,7 +823,7 @@ void WebPage::getPositionInformation(const IntPoint& point, InteractionInformati
         if (!element)
             return;
 
-        if (element->renderer() && element->renderer()->isImage()) {
+        if (element->renderer() && element->renderer()->isRenderImage()) {
             URL url = toRenderImage(element->renderer())->cachedImage()->url();
             if (!url.string().isNull())
                 info.url = url.string();