WebContent crash under com.apple.WebCore: WebCore::WebKitCSSResourceValue::isCSSValue...
author: antti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 May 2015 16:26:16 +0000 (16:26 +0000)
committer: antti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 May 2015 16:26:16 +0000 (16:26 +0000)
https://bugs.webkit.org/show_bug.cgi?id=144870
rdar://problem/20727702

Reviewed by Simon Fraser.

No repro but we are seeing null pointer crashes like this:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x00007fff92da5706 WebCore::WebKitCSSResourceValue::isCSSValueNone() const + 6
1   com.apple.WebCore   0x00007fff93382b48 WebCore::MaskImageOperation::isCSSValueNone() const + 24
2   com.apple.WebCore   0x00007fff92e0475e WebCore::FillLayer::hasNonEmptyMaskImage() const + 30

* platform/graphics/MaskImageOperation.cpp:
(WebCore::MaskImageOperation::MaskImageOperation):
(WebCore::MaskImageOperation::isCSSValueNone):

    This would crash like this if both m_styleImage and m_cssMaskImageValue are null.
    There are no obvious guarantees that this doesn't happen. Two of the constructor variants allow it
    and there is setImage which may turn m_styleImage null later too.

    Fix by making null m_cssMaskImageValue always signify CSSValueNone.

(WebCore::MaskImageOperation::cssValue):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184104 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/MaskImageOperation.cpp

index cbe9656..c375623 100644 (file)
@@ -1,3 +1,30 @@
+2015-05-11  Antti Koivisto  <antti@apple.com>
+
+        WebContent crash under com.apple.WebCore: WebCore::WebKitCSSResourceValue::isCSSValueNone const + 6
+        https://bugs.webkit.org/show_bug.cgi?id=144870
+        rdar://problem/20727702
+
+        Reviewed by Simon Fraser.
+
+        No repro but we are seeing null pointer crashes like this:
+
+        Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
+        0   com.apple.WebCore   0x00007fff92da5706 WebCore::WebKitCSSResourceValue::isCSSValueNone() const + 6
+        1   com.apple.WebCore   0x00007fff93382b48 WebCore::MaskImageOperation::isCSSValueNone() const + 24
+        2   com.apple.WebCore   0x00007fff92e0475e WebCore::FillLayer::hasNonEmptyMaskImage() const + 30
+
+        * platform/graphics/MaskImageOperation.cpp:
+        (WebCore::MaskImageOperation::MaskImageOperation):
+        (WebCore::MaskImageOperation::isCSSValueNone):
+
+            This would crash like this if both m_styleImage and m_cssMaskImageValue are null.
+            There are no obvious guarantees that this doesn't happen. Two of the constructor variants allow it
+            and there is setImage which may turn m_styleImage null later too.
+
+            Fix by making null m_cssMaskImageValue always signify CSSValueNone.
+
+        (WebCore::MaskImageOperation::cssValue):
+
 2015-05-11  Chris Fleizach  <cfleizach@apple.com>
 
         AX: Crash at WebCore::AccessibilityMenuList::addChildren()
index 4299a40..cce646a 100644 (file)
@@ -27,6 +27,7 @@
 #include "config.h"
 #include "MaskImageOperation.h"
 
+#include "CSSValuePool.h"
 #include "CachedImage.h"
 #include "CachedSVGDocument.h"
 #include "RenderBoxModelObject.h"
@@ -77,7 +78,6 @@ MaskImageOperation::MaskImageOperation()
     : m_isExternalDocument(false)
     , m_renderLayerImageClient(nullptr)
 {
-    m_cssMaskImageValue = WebKitCSSResourceValue::create(CSSPrimitiveValue::createIdentifier(CSSValueNone));
 }
 
 MaskImageOperation::~MaskImageOperation()
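Review bot: removing the eager `WebKitCSSResourceValue::create(CSSPrimitiveValue::createIdentifier(CSSValueNone))` from the default constructor drops the invariant that a default-constructed MaskImageOperation carries a non-null m_cssMaskImageValue, so every remaining dereference of that member in the class (the `ASSERT(m_cssMaskImageValue.get()); return m_cssMaskImageValue.get();` tail of cssValue() below, and any accessor not in this diff) must be reachable only when the member is known to be non-null; a pass over the rest of MaskImageOperation.cpp for other unguarded uses is warranted before landing. The ChangeLog already notes that two other constructor variants and setImage() can leave the pair null, so the default constructor was never the only path to that state.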
@@ -98,8 +98,7 @@ bool MaskImageOperation::isCSSValueNone() const
     if (image())
         return false;
 
-    ASSERT(m_cssMaskImageValue.get());
-    return m_cssMaskImageValue->isCSSValueNone();
+    return !m_cssMaskImageValue || m_cssMaskImageValue->isCSSValueNone();
 }
 
 PassRefPtr<CSSValue> MaskImageOperation::cssValue()
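Review bot: the new meaning of a null m_cssMaskImageValue, encoded by `return !m_cssMaskImageValue || m_cssMaskImageValue->isCSSValueNone();`, lives only in the ChangeLog; a one-line comment at the member declaration in MaskImageOperation.h stating that null signifies CSSValueNone would keep the next constructor or setter from reintroducing the removed `ASSERT(m_cssMaskImageValue.get())`. The `if (image()) return false;` early return above means the null check is consulted only when no style image is set, which matches the crash path in the ChangeLog (FillLayer::hasNonEmptyMaskImage -> MaskImageOperation::isCSSValueNone -> WebKitCSSResourceValue::isCSSValueNone on a null object).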
@@ -108,7 +107,7 @@ PassRefPtr<CSSValue> MaskImageOperation::cssValue()
         return image()->cssValue();
     
     if (isCSSValueNone())
-        return m_cssMaskImageValue->innerValue();
+        return cssValuePool().createIdentifierValue(CSSValueNone);
 
     ASSERT(m_cssMaskImageValue.get());
     return m_cssMaskImageValue.get();
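Review bot: replacing `return m_cssMaskImageValue->innerValue();` with `return cssValuePool().createIdentifierValue(CSSValueNone);` changes the none case from the stored resource value's inner identifier to a pooled identifier value; this is equivalent for serialization and computed-style purposes, but callers that previously received the original inner CSSValue when m_cssMaskImageValue is non-null and itself reports none now get the shared pool object, so any identity-based comparison on that result would be affected and deserves a sentence in the ChangeLog. With isCSSValueNone() now returning true for a null member, the `ASSERT(m_cssMaskImageValue.get());` that follows is reached only when the member is non-null, so the assertion still holds and the new include of CSSValuePool.h is the only extra dependency this path needs.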