<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[160479] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/160479">160479</a></dd>
<dt>Author</dt> <dd>darin@apple.com</dd>
<dt>Date</dt> <dd>2013-12-12 00:58:50 -0800 (Thu, 12 Dec 2013)</dd>
</dl>
<h3>Log Message</h3>
<pre>StylePendingImage needs to correctly manage the CSSValue pointer lifetime
https://bugs.webkit.org/show_bug.cgi?id=125468
Reviewed by Andreas Kling.
Source/WebCore:
Test: fast/css/pending-image-crash.xhtml
Disconnect the reference counted StylePendingImage from the CSSValue that owns
it when it's not needed any more, otherwise we could end up using a pointer
that might no longer be valid.
* css/CSSCursorImageValue.cpp:
(WebCore::CSSCursorImageValue::detachPendingImage): Added. Calls detachFromCSSValue
on the current image if it is a StylePendingImage.
(WebCore::CSSCursorImageValue::~CSSCursorImageValue): Call detachPendingImage.
(WebCore::CSSCursorImageValue::cachedImage): Call detachPendingImage before changing
m_image to a new value.
(WebCore::CSSCursorImageValue::clearCachedImage): Ditto.
* css/CSSCursorImageValue.h: Added detachPendingImage.
* css/CSSImageSetValue.cpp:
(WebCore::CSSImageSetValue::detachPendingImage): Added. Calls detachFromCSSValue
on the current image set if it is a StylePendingImage.
(WebCore::CSSImageSetValue::~CSSImageSetValue): Call detachPendingImage.
(WebCore::CSSImageSetValue::cachedImageSet): Call detachPendingImage before changing
m_imageSet to a new value.
* css/CSSImageSetValue.h: Added detachPendingImage.
* css/CSSImageValue.cpp:
(WebCore::CSSImageValue::detachPendingImage): Added. Calls detachFromCSSValue on the
current image if it is a StylePendingImage.
(WebCore::CSSImageValue::~CSSImageValue): Call detachPendingImage.
(WebCore::CSSImageValue::cachedImage): Call detachPendingImage before changing m_image
to a new value.
* css/CSSImageValue.h: Added detachPendingImage.
* rendering/style/StylePendingImage.h:
(WebCore::StylePendingImage::cssImageValue): Added a null check.
(WebCore::StylePendingImage::cssImageGeneratorValue): Added a null check.
(WebCore::StylePendingImage::cssCursorImageValue): Added a null check.
(WebCore::StylePendingImage::cssImageSetValue): Added a null check.
(WebCore::StylePendingImage::detachFromCSSValue): Added. Sets m_value to null since
the style is no longer using this StylePendingImage.
(WebCore::StylePendingImage::data): Changed to use the "this" pointer since all we
need is some arbitrary pointer uniquely identifying the image. Before loading the image,
we have no suitable weak identifier, so it suffices to use the unique pointer to each
StylePendingImage object. This function is used only in a limited way; it would be nice
to find a way to make the code less strange long term.
LayoutTests:
* fast/css/pending-image-crash-expected.txt: Added.
* fast/css/pending-image-crash.xhtml: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorecssCSSCursorImageValuecpp">trunk/Source/WebCore/css/CSSCursorImageValue.cpp</a></li>
<li><a href="#trunkSourceWebCorecssCSSCursorImageValueh">trunk/Source/WebCore/css/CSSCursorImageValue.h</a></li>
<li><a href="#trunkSourceWebCorecssCSSImageSetValuecpp">trunk/Source/WebCore/css/CSSImageSetValue.cpp</a></li>
<li><a href="#trunkSourceWebCorecssCSSImageSetValueh">trunk/Source/WebCore/css/CSSImageSetValue.h</a></li>
<li><a href="#trunkSourceWebCorecssCSSImageValuecpp">trunk/Source/WebCore/css/CSSImageValue.cpp</a></li>
<li><a href="#trunkSourceWebCorecssCSSImageValueh">trunk/Source/WebCore/css/CSSImageValue.h</a></li>
<li><a href="#trunkSourceWebCorerenderingstyleStylePendingImageh">trunk/Source/WebCore/rendering/style/StylePendingImage.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastcsspendingimagecrashexpectedtxt">trunk/LayoutTests/fast/css/pending-image-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastcsspendingimagecrashxhtml">trunk/LayoutTests/fast/css/pending-image-crash.xhtml</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/LayoutTests/ChangeLog 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -1,3 +1,13 @@
</span><ins>+2013-12-11 Darin Adler <darin@apple.com>
+
+ StylePendingImage needs to correctly manage the CSSValue pointer lifetime
+ https://bugs.webkit.org/show_bug.cgi?id=125468
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/pending-image-crash-expected.txt: Added.
+ * fast/css/pending-image-crash.xhtml: Added.
+
</ins><span class="cx"> 2013-12-11 Alexey Proskuryakov <ap@apple.com>
</span><span class="cx">
</span><span class="cx"> WebCrypto keys should support structured clone
</span></span></pre></div>
<a id="trunkLayoutTestsfastcsspendingimagecrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/pending-image-crash-expected.txt (0 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/css/pending-image-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/pending-image-crash-expected.txt 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+PASS test did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins><span class="cx">Property changes on: trunk/LayoutTests/fast/css/pending-image-crash-expected.txt
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svneolstyle"></a>
<div class="addfile"><h4>Added: svn:eol-style</h4></div>
<a id="trunkLayoutTestsfastcsspendingimagecrashxhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/pending-image-crash.xhtml (0 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/css/pending-image-crash.xhtml (rev 0)
+++ trunk/LayoutTests/fast/css/pending-image-crash.xhtml 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head id="head">
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+var count = 0;
+for (i = 0; i != 50; i++) {
+ setTimeout(function() {
+ var head = document.getElementsByTagName("head")[0];
+ var style = document.createElement("style");
+ style.innerHTML=":first-of-type {-webkit-border-image:-webkit-cross-fade(url(#head), url(#head), 100%);}";
+ head.appendChild(style);
+ count++;
+ if (count == 50) {
+ testPassed("test did not crash");
+ finishJSTest();
+ }
+ }, 36);
+}
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</head>
+</html>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/ChangeLog 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -1,5 +1,56 @@
</span><span class="cx"> 2013-12-11 Darin Adler <darin@apple.com>
</span><span class="cx">
</span><ins>+ StylePendingImage needs to correctly manage the CSSValue pointer lifetime
+ https://bugs.webkit.org/show_bug.cgi?id=125468
+
+ Reviewed by Andreas Kling.
+
+ Test: fast/css/pending-image-crash.xhtml
+
+ Disconnect the reference counted StylePendingImage from the CSSValue that owns
+ it when it's not needed any more, otherwise we could end up using a pointer
+ that might no longer be valid.
+
+ * css/CSSCursorImageValue.cpp:
+ (WebCore::CSSCursorImageValue::detachPendingImage): Added. Calls detachFromCSSValue
+ on the current image if it is a StylePendingImage.
+ (WebCore::CSSCursorImageValue::~CSSCursorImageValue): Call detachPendingImage.
+ (WebCore::CSSCursorImageValue::cachedImage): Call detachPendingImage before changing
+ m_image to a new value.
+ (WebCore::CSSCursorImageValue::clearCachedImage): Ditto.
+ * css/CSSCursorImageValue.h: Added detachPendingImage.
+
+ * css/CSSImageSetValue.cpp:
+ (WebCore::CSSImageSetValue::detachPendingImage): Added. Calls detachFromCSSValue
+ on the current image set if it is a StylePendingImage.
+ (WebCore::CSSImageSetValue::~CSSImageSetValue): Call detachPendingImage.
+ (WebCore::CSSImageSetValue::cachedImageSet): Call detachPendingImage before changing
+ m_imageSet to a new value.
+ * css/CSSImageSetValue.h: Added detachPendingImage.
+
+ * css/CSSImageValue.cpp:
+ (WebCore::CSSImageValue::detachPendingImage): Added. Calls detachFromCSSValue on the
+ current image if it is a StylePendingImage.
+ (WebCore::CSSImageValue::~CSSImageValue): Call detachPendingImage.
+ (WebCore::CSSImageValue::cachedImage): Call detachPendingImage before changing m_image
+ to a new value.
+ * css/CSSImageValue.h: Added detachPendingImage.
+
+ * rendering/style/StylePendingImage.h:
+ (WebCore::StylePendingImage::cssImageValue): Added a null check.
+ (WebCore::StylePendingImage::cssImageGeneratorValue): Added a null check.
+ (WebCore::StylePendingImage::cssCursorImageValue): Added a null check.
+ (WebCore::StylePendingImage::cssImageSetValue): Added a null check.
+ (WebCore::StylePendingImage::detachFromCSSValue): Added. Sets m_value to null since
+ the style is no longer using this StylePendingImage.
+ (WebCore::StylePendingImage::data): Changed to use the "this" pointer since all we
+ need is some arbitrary pointer uniquely identifying the image. Before loading the image,
+ we have no suitable weak identifier, so it suffices to use the unique pointer to each
+ StylePendingImage object. This function is used only in a limited way; it would be nice
+ to find a way to make the code less strange long term.
+
+2013-12-11 Darin Adler <darin@apple.com>
+
</ins><span class="cx"> Remove some unneeded code noticed while looking at StylePendingImage
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=125618
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorecssCSSCursorImageValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/CSSCursorImageValue.cpp (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/CSSCursorImageValue.cpp 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/css/CSSCursorImageValue.cpp 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -67,8 +67,16 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline void CSSCursorImageValue::detachPendingImage()
+{
+ if (m_image && m_image->isPendingImage())
+ static_cast<StylePendingImage&>(*m_image).detachFromCSSValue();
+}
+
</ins><span class="cx"> CSSCursorImageValue::~CSSCursorImageValue()
</span><span class="cx"> {
</span><ins>+ detachPendingImage();
+
</ins><span class="cx"> #if ENABLE(SVG)
</span><span class="cx"> if (!isSVGCursor())
</span><span class="cx"> return;
</span><span class="lines">@@ -150,6 +158,7 @@
</span><span class="cx"> if (isSVGCursor() && loader && loader->document()) {
</span><span class="cx"> // FIXME: This will fail if the <cursor> element is in a shadow DOM (bug 59827)
</span><span class="cx"> if (SVGCursorElement* cursorElement = resourceReferencedByCursorElement(toCSSImageValue(m_imageValue.get()).url(), *loader->document())) {
</span><ins>+ detachPendingImage();
</ins><span class="cx"> Ref<CSSImageValue> svgImageValue(CSSImageValue::create(cursorElement->href()));
</span><span class="cx"> StyleCachedImage* cachedImage = svgImageValue->cachedImage(loader);
</span><span class="cx"> m_image = cachedImage;
</span><span class="lines">@@ -158,8 +167,10 @@
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span><del>- if (m_imageValue.get().isImageValue())
</del><ins>+ if (m_imageValue.get().isImageValue()) {
+ detachPendingImage();
</ins><span class="cx"> m_image = toCSSImageValue(m_imageValue.get()).cachedImage(loader);
</span><ins>+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (m_image && m_image->isCachedImage())
</span><span class="lines">@@ -203,7 +214,8 @@
</span><span class="cx">
</span><span class="cx"> void CSSCursorImageValue::clearCachedImage()
</span><span class="cx"> {
</span><del>- m_image = 0;
</del><ins>+ detachPendingImage();
+ m_image = nullptr;
</ins><span class="cx"> m_accessedImage = false;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorecssCSSCursorImageValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/CSSCursorImageValue.h (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/CSSCursorImageValue.h 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/css/CSSCursorImageValue.h 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -64,6 +64,8 @@
</span><span class="cx"> private:
</span><span class="cx"> CSSCursorImageValue(PassRef<CSSValue> imageValue, bool hasHotSpot, const IntPoint& hotSpot);
</span><span class="cx">
</span><ins>+ void detachPendingImage();
+
</ins><span class="cx"> #if ENABLE(SVG)
</span><span class="cx"> bool isSVGCursor() const;
</span><span class="cx"> String cachedImageURL();
</span></span></pre></div>
<a id="trunkSourceWebCorecssCSSImageSetValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/CSSImageSetValue.cpp (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/CSSImageSetValue.cpp 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/css/CSSImageSetValue.cpp 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -49,8 +49,16 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline void CSSImageSetValue::detachPendingImage()
+{
+ if (m_imageSet && m_imageSet->isPendingImage())
+ static_cast<StylePendingImage&>(*m_imageSet).detachFromCSSValue();
+}
+
</ins><span class="cx"> CSSImageSetValue::~CSSImageSetValue()
</span><span class="cx"> {
</span><ins>+ detachPendingImage();
+
</ins><span class="cx"> if (m_imageSet && m_imageSet->isCachedImageSet())
</span><span class="cx"> static_cast<StyleCachedImageSet*>(m_imageSet.get())->clearImageSetValue();
</span><span class="cx"> }
</span><span class="lines">@@ -113,6 +121,7 @@
</span><span class="cx"> CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)));
</span><span class="cx"> request.setInitiator(cachedResourceRequestInitiators().css);
</span><span class="cx"> if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
</span><ins>+ detachPendingImage();
</ins><span class="cx"> m_imageSet = StyleCachedImageSet::create(cachedImage.get(), image.scaleFactor, this);
</span><span class="cx"> m_accessedBestFitImage = true;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorecssCSSImageSetValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/CSSImageSetValue.h (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/CSSImageSetValue.h 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/css/CSSImageSetValue.h 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -71,6 +71,7 @@
</span><span class="cx"> CSSImageSetValue();
</span><span class="cx"> CSSImageSetValue(const CSSImageSetValue& cloneFrom);
</span><span class="cx">
</span><ins>+ void detachPendingImage();
</ins><span class="cx"> void fillImageSet();
</span><span class="cx"> static inline bool compareByScaleFactor(ImageWithScale first, ImageWithScale second) { return first.scaleFactor < second.scaleFactor; }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorecssCSSImageValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/CSSImageValue.cpp (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/CSSImageValue.cpp 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/css/CSSImageValue.cpp 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -52,8 +52,15 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline void CSSImageValue::detachPendingImage()
+{
+ if (m_image && m_image->isPendingImage())
+ static_cast<StylePendingImage&>(*m_image).detachFromCSSValue();
+}
+
</ins><span class="cx"> CSSImageValue::~CSSImageValue()
</span><span class="cx"> {
</span><ins>+ detachPendingImage();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> StyleImage* CSSImageValue::cachedOrPendingImage()
</span><span class="lines">@@ -80,8 +87,10 @@
</span><span class="cx"> if (options.requestOriginPolicy == PotentiallyCrossOriginEnabled)
</span><span class="cx"> updateRequestForAccessControl(request.mutableResourceRequest(), loader->document()->securityOrigin(), options.allowCredentials);
</span><span class="cx">
</span><del>- if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request))
</del><ins>+ if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
+ detachPendingImage();
</ins><span class="cx"> m_image = StyleCachedImage::create(cachedImage.get());
</span><ins>+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> return (m_image && m_image->isCachedImage()) ? static_cast<StyleCachedImage*>(m_image.get()) : 0;
</span></span></pre></div>
<a id="trunkSourceWebCorecssCSSImageValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/CSSImageValue.h (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/CSSImageValue.h 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/css/CSSImageValue.h 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -61,6 +61,7 @@
</span><span class="cx"> private:
</span><span class="cx"> explicit CSSImageValue(const String& url);
</span><span class="cx"> CSSImageValue(const String& url, StyleImage*);
</span><ins>+ void detachPendingImage();
</ins><span class="cx">
</span><span class="cx"> String m_url;
</span><span class="cx"> RefPtr<StyleImage> m_image;
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingstyleStylePendingImageh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/style/StylePendingImage.h (160478 => 160479)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/style/StylePendingImage.h 2013-12-12 08:44:32 UTC (rev 160478)
+++ trunk/Source/WebCore/rendering/style/StylePendingImage.h 2013-12-12 08:58:50 UTC (rev 160479)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #include "CSSCursorImageValue.h"
</span><span class="cx"> #include "CSSImageGeneratorValue.h"
</span><span class="cx"> #include "CSSImageValue.h"
</span><del>-#include "Image.h"
</del><span class="cx"> #include "StyleImage.h"
</span><span class="cx">
</span><span class="cx"> #if ENABLE(CSS_IMAGE_SET)
</span><span class="lines">@@ -46,15 +45,18 @@
</span><span class="cx"> public:
</span><span class="cx"> static PassRefPtr<StylePendingImage> create(CSSValue* value) { return adoptRef(new StylePendingImage(value)); }
</span><span class="cx">
</span><del>- CSSImageValue* cssImageValue() const { return m_value->isImageValue() ? toCSSImageValue(m_value) : nullptr; }
- CSSImageGeneratorValue* cssImageGeneratorValue() const { return m_value->isImageGeneratorValue() ? static_cast<CSSImageGeneratorValue*>(m_value) : nullptr; }
- CSSCursorImageValue* cssCursorImageValue() const { return m_value->isCursorImageValue() ? toCSSCursorImageValue(m_value) : nullptr; }
</del><ins>+ CSSImageValue* cssImageValue() const { return m_value && m_value->isImageValue() ? toCSSImageValue(m_value) : nullptr; }
+ CSSImageGeneratorValue* cssImageGeneratorValue() const { return m_value && m_value->isImageGeneratorValue() ? static_cast<CSSImageGeneratorValue*>(m_value) : nullptr; }
+ CSSCursorImageValue* cssCursorImageValue() const { return m_value && m_value->isCursorImageValue() ? toCSSCursorImageValue(m_value) : nullptr; }
+
</ins><span class="cx"> #if ENABLE(CSS_IMAGE_SET)
</span><del>- CSSImageSetValue* cssImageSetValue() const { return m_value->isImageSetValue() ? toCSSImageSetValue(m_value) : nullptr; }
</del><ins>+ CSSImageSetValue* cssImageSetValue() const { return m_value && m_value->isImageSetValue() ? toCSSImageSetValue(m_value) : nullptr; }
</ins><span class="cx"> #endif
</span><span class="cx">
</span><ins>+ void detachFromCSSValue() { m_value = nullptr; }
+
</ins><span class="cx"> private:
</span><del>- virtual WrappedImagePtr data() const OVERRIDE { return toCSSImageValue(m_value); }
</del><ins>+ virtual WrappedImagePtr data() const OVERRIDE { return const_cast<StylePendingImage*>(this); }
</ins><span class="cx">
</span><span class="cx"> virtual PassRefPtr<CSSValue> cssValue() const OVERRIDE { return m_value; }
</span><span class="cx">
</span><span class="lines">@@ -85,4 +87,5 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span><ins>+
</ins><span class="cx"> #endif
</span></span></pre>
</div>
</div>
</body>
</html>