[chromium] Crash in WebCore::GraphicsLayerChromium::setContentsToImage
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 7 Oct 2012 22:14:01 +0000 (22:14 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 7 Oct 2012 22:14:01 +0000 (22:14 +0000)
https://bugs.webkit.org/show_bug.cgi?id=98456

Patch by Nick Carter <nick@chromium.org> on 2012-10-07
Reviewed by James Robinson.

Source/WebCore:

Handle null return of nativeImageForCurrentFrame.

Test: compositing/images/truncated-direct-png-image.html

* platform/graphics/chromium/GraphicsLayerChromium.cpp:
(WebCore::GraphicsLayerChromium::setContentsToImage):

LayoutTests:

New tests exercising a broken image on its own layer.

* compositing/images/truncated-direct-png-image-expected.html: Added.
* compositing/images/truncated-direct-png-image.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@130610 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/compositing/images/truncated-direct-png-image-expected.html [new file with mode: 0644]
LayoutTests/compositing/images/truncated-direct-png-image.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/chromium/GraphicsLayerChromium.cpp

index 79181ae..1740d73 100644 (file)
@@ -1,3 +1,15 @@
+2012-10-07  Nick Carter  <nick@chromium.org>
+
+        [chromium] Crash in WebCore::GraphicsLayerChromium::setContentsToImage
+        https://bugs.webkit.org/show_bug.cgi?id=98456
+
+        Reviewed by James Robinson.
+
+        New tests exercising a broken image on its own layer.
+
+        * compositing/images/truncated-direct-png-image-expected.html: Added.
+        * compositing/images/truncated-direct-png-image.html: Added.
+
 2012-10-07  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>
 
         [EFL] Mark media/video-controls-rendering.html as flaky.
diff --git a/LayoutTests/compositing/images/truncated-direct-png-image-expected.html b/LayoutTests/compositing/images/truncated-direct-png-image-expected.html
new file mode 100644 (file)
index 0000000..6539057
--- /dev/null
@@ -0,0 +1,17 @@
+<html>
+<head>
+<style type="text/css">
+#image {
+/* no z-transform in the expectation */
+}
+
+body {
+    background-color: yellow;
+}
+</style>
+</head>
+<body>
+<p>This is a broken image on its own layer: a 500x334 PNG image truncated at the 100 byte mark. The test passes if it does not trigger an assertion or crash.</p>
+<img id="image" src="data:application/octet-stream;base64,iVBORw0KGgoAAAANSUhEUgAAAfQAAAFOCAIAAAD%2F5XjOAAAACXBIWXMAAAsTAAALEwEAmpwYAAAgAElEQVR4AbzdCbClyVUY6Hvfve%2B%2B%2B%2FZXr9buql6qF3VLarWWllpSIyShwQ%3D%3D">
+</body>
+</html>
diff --git a/LayoutTests/compositing/images/truncated-direct-png-image.html b/LayoutTests/compositing/images/truncated-direct-png-image.html
new file mode 100644 (file)
index 0000000..cdd38c7
--- /dev/null
@@ -0,0 +1,18 @@
+<html>
+<head>
+<style type="text/css">
+#image {
+    -webkit-transform: translateZ(0);
+    -webkit-transform-origin: 0 0;
+}
+
+body {
+    background-color: yellow;
+}
+</style>
+</head>
+<body>
+<p>This is a broken image on its own layer: a 500x334 PNG image truncated at the 100 byte mark. The test passes if it does not trigger an assertion or crash.</p>
+<img id="image" src="data:application/octet-stream;base64,iVBORw0KGgoAAAANSUhEUgAAAfQAAAFOCAIAAAD%2F5XjOAAAACXBIWXMAAAsTAAALEwEAmpwYAAAgAElEQVR4AbzdCbClyVUY6Hvfve%2B%2B%2B%2FZXr9buql6qF3VLarWWllpSIyShwQ%3D%3D">
+</body>
+</html>
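Review bot: the test reaches setContentsToImage only because `-webkit-transform: translateZ(0);` on `#image` promotes the broken image onto its own compositing layer, but nothing in the file says so; a short comment next to that rule (or a sentence in the `<p>`) would stop a later cleanup from removing the transform and silently turning this into a test that no longer exercises the fixed path.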
index 7fa45f1..13135db 100644 (file)
@@ -1,3 +1,17 @@
+2012-10-07  Nick Carter  <nick@chromium.org>
+
+        [chromium] Crash in WebCore::GraphicsLayerChromium::setContentsToImage
+        https://bugs.webkit.org/show_bug.cgi?id=98456
+
+        Reviewed by James Robinson.
+
+        Handle null return of nativeImageForCurrentFrame.
+
+        Test: compositing/images/truncated-direct-png-image.html
+
+        * platform/graphics/chromium/GraphicsLayerChromium.cpp:
+        (WebCore::GraphicsLayerChromium::setContentsToImage):
+
 2012-10-07  Benjamin Poulain  <benjamin@webkit.org>
 
         WTFURL: implement URL port removal for HTMLAnchorElement
index a715034..075749e 100644 (file)
@@ -468,7 +468,8 @@ void GraphicsLayerChromium::setContentsRect(const IntRect& rect)
 void GraphicsLayerChromium::setContentsToImage(Image* image)
 {
     bool childrenChanged = false;
-    if (image) {
+    NativeImageSkia* nativeImage = image ? image->nativeImageForCurrentFrame() : 0;
+    if (nativeImage) {
         if (m_contentsLayerPurpose != ContentsLayerForImage) {
             m_imageLayer = adoptPtr(Platform::current()->compositorSupport()->createImageLayer());
             registerContentsLayer(m_imageLayer->layer());
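Review bot: the new guard folds two distinct cases, no image and an image whose `nativeImageForCurrentFrame()` returns null (the truncated PNG in the test), into the same else path, which lies outside this hunk; please confirm that path tears down an existing `m_imageLayer` when a previously valid image is replaced by an undecodable one, otherwise the old bitmap stays on the compositor layer. A one-line comment above `NativeImageSkia* nativeImage = image ? image->nativeImageForCurrentFrame() : 0;` stating that a frame-less image is deliberately treated as "no image" would also make the intent clear to the next reader.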
@@ -477,7 +478,6 @@ void GraphicsLayerChromium::setContentsToImage(Image* image)
             m_contentsLayerPurpose = ContentsLayerForImage;
             childrenChanged = true;
         }
-        NativeImageSkia* nativeImage = image->nativeImageForCurrentFrame();
         m_imageLayer->setBitmap(nativeImage->bitmap());
         m_imageLayer->layer()->setOpaque(image->isBitmapImage() && !image->currentFrameHasAlpha());
         updateContentsRect();
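Review bot: `m_imageLayer->layer()->setOpaque(image->isBitmapImage() && !image->currentFrameHasAlpha());` still dereferences `image` inside the branch, which is only safe because a non-null `nativeImage` implies a non-null `image` under the new guard; consider an `ASSERT(image);` next to `m_imageLayer->setBitmap(nativeImage->bitmap());` so the invariant is explicit rather than implied by the ternary one hunk above.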