Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled
https://bugs.webkit.org/show_bug.cgi?id=68133
Reviewed by Darin Adler.
.:
* Source/autotools/symbols.filter: Added the mangled symbols needed for window.internals
Source/WebCore:
Tests: fast/css/webkit-mask-crash-fieldset-legend.html
fast/css/webkit-mask-crash-figure.html
fast/css/webkit-mask-crash-table.html
fast/css/webkit-mask-crash-td-2.html
fast/css/webkit-mask-crash-td.html
GraphicsContext::getCTM crashes if called with a GraphicsContext that has painting
disabled. RenderBox::paintMaskImages would thus crash if called in this condition.
This change just modifies the different GraphicsContext::getCTM method to bail early
if painting is disabled on the GraphicsContext. The rest of the change is exposing
paintControlTints that exposes this.
* WebCore.exp.in: Added symbols of the newly export window.internals function.
* page/FrameView.cpp:
(WebCore::FrameView::updateControlTints): Split this function in 2 so that
I can expose the internal paintControlTints.
(WebCore::FrameView::paintControlTints):
This is the one exposed to Internals as we want to be testable regardless of
whether the platform supports control tints.
* page/FrameView.h: Added paintControlTints.
* testing/Internals.cpp:
(WebCore::Internals::paintControlTints):
* testing/Internals.h:
* testing/Internals.idl:
Added a way to force a fake painting so that we can easily reproduce the bugs.
* platform/graphics/cairo/GraphicsContextCairo.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/cg/GraphicsContextCG.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/qt/GraphicsContextQt.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/skia/GraphicsContextSkia.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/wince/GraphicsContextWinCE.cpp:
(WebCore::GraphicsContext::getCTM):
* platform/graphics/wx/GraphicsContextWx.cpp:
(WebCore::GraphicsContext::getCTM):
Fixed all our back-end to exit early if painting is disabled.
Source/WebKit2:
* win/WebKit2.def:
* win/WebKit2CFLite.def:
Exported the new FrameView::paintControlTints function.
LayoutTests:
Those tests checks that we do not crash when calling internals.paintControlTints.
* platform/mac/Skipped: Skipped 2 tests as they are hitting an ASSERT unrelated to
this change on Mac.
* fast/css/webkit-mask-crash-fieldset-legend-expected.txt: Added.
* fast/css/webkit-mask-crash-fieldset-legend.html: Added.
* fast/css/webkit-mask-crash-figure-expected.txt: Added.
* fast/css/webkit-mask-crash-figure.html: Added.
* fast/css/webkit-mask-crash-table-expected.txt: Added.
* fast/css/webkit-mask-crash-table.html: Added.
* fast/css/webkit-mask-crash-td-2-expected.txt: Added.
* fast/css/webkit-mask-crash-td-2.html: Added.
* fast/css/webkit-mask-crash-td-expected.txt: Added.
* fast/css/webkit-mask-crash-td.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95685 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/fast/css/webkit-mask-crash-figure.html b/LayoutTests/fast/css/webkit-mask-crash-figure.html
new file mode 100644
index 0000000..dd7fd6d
--- /dev/null
+++ b/LayoutTests/fast/css/webkit-mask-crash-figure.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<head>
+<style>
+.box {
+display: table-footer-group; -webkit-mask-box-image: url("bogus.png");
+}
+</style>
+</head>
+<body>
+<div class="box"><figure>
+<script>
+ if (window.internals) {
+ layoutTestController.dumpAsText();
+ internals.paintControlTints(document);
+ }
+</script>
+Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=68133">68133</a>: Crash in RenderBox::paintMaskImages when GraphicsContext's painting is disabled<br>
+This test has PASSED (no crash).
+</body>
+</html>
