<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[161456] branches/safari-537.74-branch</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/161456">161456</a></dd>
<dt>Author</dt> <dd>lforschler@apple.com</dd>
<dt>Date</dt> <dd>2014-01-07 14:27:44 -0800 (Tue, 07 Jan 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merged <a href="http://trac.webkit.org/projects/webkit/changeset/160479">r160479</a>. <rdar://problems/15754470></pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari53774branchLayoutTestsChangeLog">branches/safari-537.74-branch/LayoutTests/ChangeLog</a></li>
<li><a href="#branchessafari53774branchSourceWebCoreChangeLog">branches/safari-537.74-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari53774branchSourceWebCorecssCSSCursorImageValuecpp">branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.cpp</a></li>
<li><a href="#branchessafari53774branchSourceWebCorecssCSSCursorImageValueh">branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.h</a></li>
<li><a href="#branchessafari53774branchSourceWebCorecssCSSImageSetValuecpp">branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.cpp</a></li>
<li><a href="#branchessafari53774branchSourceWebCorecssCSSImageSetValueh">branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.h</a></li>
<li><a href="#branchessafari53774branchSourceWebCorecssCSSImageValuecpp">branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.cpp</a></li>
<li><a href="#branchessafari53774branchSourceWebCorecssCSSImageValueh">branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.h</a></li>
<li><a href="#branchessafari53774branchSourceWebCorerenderingstyleStylePendingImageh">branches/safari-537.74-branch/Source/WebCore/rendering/style/StylePendingImage.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#branchessafari53774branchLayoutTestsfastcsspendingimagecrashexpectedtxt">branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash-expected.txt</a></li>
<li><a href="#branchessafari53774branchLayoutTestsfastcsspendingimagecrashxhtml">branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash.xhtml</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari53774branchLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/LayoutTests/ChangeLog (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/LayoutTests/ChangeLog 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/LayoutTests/ChangeLog 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2014-01-07 Lucas Forschler <lforschler@apple.com>
+
+ Merge r160479
+
+ 2013-12-11 Darin Adler <darin@apple.com>
+
+ StylePendingImage needs to correctly manage the CSSValue pointer lifetime
+ https://bugs.webkit.org/show_bug.cgi?id=125468
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/pending-image-crash-expected.txt: Added.
+ * fast/css/pending-image-crash.xhtml: Added.
+
</ins><span class="cx"> 2013-12-19 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r160826: <rdar://problems/15701133>
</span></span></pre></div>
<a id="branchessafari53774branchLayoutTestsfastcsspendingimagecrashexpectedtxtfromrev160479trunkLayoutTestsfastcsspendingimagecrashexpectedtxt"></a>
<div class="copfile"><h4>Copied: branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash-expected.txt (from rev 160479, trunk/LayoutTests/fast/css/pending-image-crash-expected.txt) (0 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash-expected.txt (rev 0)
+++ branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash-expected.txt 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+PASS test did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="branchessafari53774branchLayoutTestsfastcsspendingimagecrashxhtmlfromrev160479trunkLayoutTestsfastcsspendingimagecrashxhtml"></a>
<div class="copfile"><h4>Copied: branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash.xhtml (from rev 160479, trunk/LayoutTests/fast/css/pending-image-crash.xhtml) (0 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash.xhtml (rev 0)
+++ branches/safari-537.74-branch/LayoutTests/fast/css/pending-image-crash.xhtml 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head id="head">
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+var count = 0;
+for (i = 0; i != 50; i++) {
+ setTimeout(function() {
+ var head = document.getElementsByTagName("head")[0];
+ var style = document.createElement("style");
+ style.innerHTML=":first-of-type {-webkit-border-image:-webkit-cross-fade(url(#head), url(#head), 100%);}";
+ head.appendChild(style);
+ count++;
+ if (count == 50) {
+ testPassed("test did not crash");
+ finishJSTest();
+ }
+ }, 36);
+}
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</head>
+</html>
</ins></span></pre></div>
<a id="branchessafari53774branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/ChangeLog (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/ChangeLog 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/ChangeLog 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -1,3 +1,58 @@
</span><ins>+2014-01-07 Lucas Forschler <lforschler@apple.com>
+
+ Merge r160479
+
+ 2013-12-11 Darin Adler <darin@apple.com>
+
+ StylePendingImage needs to correctly manage the CSSValue pointer lifetime
+ https://bugs.webkit.org/show_bug.cgi?id=125468
+
+ Reviewed by Andreas Kling.
+
+ Test: fast/css/pending-image-crash.xhtml
+
+ Disconnect the reference counted StylePendingImage from the CSSValue that owns
+ it when it's not needed any more, otherwise we could end up using a pointer
+ that might no longer be valid.
+
+ * css/CSSCursorImageValue.cpp:
+ (WebCore::CSSCursorImageValue::detachPendingImage): Added. Calls detachFromCSSValue
+ on the current image if it is a StylePendingImage.
+ (WebCore::CSSCursorImageValue::~CSSCursorImageValue): Call detachPendingImage.
+ (WebCore::CSSCursorImageValue::cachedImage): Call detachPendingImage before changing
+ m_image to a new value.
+ (WebCore::CSSCursorImageValue::clearCachedImage): Ditto.
+ * css/CSSCursorImageValue.h: Added detachPendingImage.
+
+ * css/CSSImageSetValue.cpp:
+ (WebCore::CSSImageSetValue::detachPendingImage): Added. Calls detachFromCSSValue
+ on the current image set if it is a StylePendingImage.
+ (WebCore::CSSImageSetValue::~CSSImageSetValue): Call detachPendingImage.
+ (WebCore::CSSImageSetValue::cachedImageSet): Call detachPendingImage before changing
+ m_imageSet to a new value.
+ * css/CSSImageSetValue.h: Added detachPendingImage.
+
+ * css/CSSImageValue.cpp:
+ (WebCore::CSSImageValue::detachPendingImage): Added. Calls detachFromCSSValue on the
+ current image if it is a StylePendingImage.
+ (WebCore::CSSImageValue::~CSSImageValue): Call detachPendingImage.
+ (WebCore::CSSImageValue::cachedImage): Call detachPendingImage before changing m_image
+ to a new value.
+ * css/CSSImageValue.h: Added detachPendingImage.
+
+ * rendering/style/StylePendingImage.h:
+ (WebCore::StylePendingImage::cssImageValue): Added a null check.
+ (WebCore::StylePendingImage::cssImageGeneratorValue): Added a null check.
+ (WebCore::StylePendingImage::cssCursorImageValue): Added a null check.
+ (WebCore::StylePendingImage::cssImageSetValue): Added a null check.
+ (WebCore::StylePendingImage::detachFromCSSValue): Added. Sets m_value to null since
+ the style is no longer using this StylePendingImage.
+ (WebCore::StylePendingImage::data): Changed to use the "this" pointer since all we
+ need is some arbitrary pointer uniquely identifying the image. Before loading the image,
+ we have no suitable weak identifier, so it suffices to use the unique pointer to each
+ StylePendingImage object. This function is used only in a limited way; it would be nice
+ to find a way to make the code less strange long term.
+
</ins><span class="cx"> 2013-12-23 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge 161050: <rdar://problem/15754482>
</span></span></pre></div>
<a id="branchessafari53774branchSourceWebCorecssCSSCursorImageValuecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.cpp (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.cpp 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.cpp 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -67,8 +67,16 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline void CSSCursorImageValue::detachPendingImage()
+{
+ if (m_image && m_image->isPendingImage())
+ static_cast<StylePendingImage&>(*m_image).detachFromCSSValue();
+}
+
</ins><span class="cx"> CSSCursorImageValue::~CSSCursorImageValue()
</span><span class="cx"> {
</span><ins>+ detachPendingImage();
+
</ins><span class="cx"> #if ENABLE(SVG)
</span><span class="cx"> if (!isSVGCursor())
</span><span class="cx"> return;
</span><span class="lines">@@ -153,6 +161,7 @@
</span><span class="cx"> RefPtr<CSSImageValue> imageValue = static_cast<CSSImageValue*>(m_imageValue.get());
</span><span class="cx"> // FIXME: This will fail if the <cursor> element is in a shadow DOM (bug 59827)
</span><span class="cx"> if (SVGCursorElement* cursorElement = resourceReferencedByCursorElement(imageValue->url(), loader->document())) {
</span><ins>+ detachPendingImage();
</ins><span class="cx"> RefPtr<CSSImageValue> svgImageValue = CSSImageValue::create(cursorElement->href());
</span><span class="cx"> StyleCachedImage* cachedImage = svgImageValue->cachedImage(loader);
</span><span class="cx"> m_image = cachedImage;
</span><span class="lines">@@ -161,8 +170,10 @@
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span><del>- if (m_imageValue->isImageValue())
- m_image = static_cast<CSSImageValue*>(m_imageValue.get())->cachedImage(loader);
</del><ins>+ if (m_imageValue->isImageValue()) {
+ detachPendingImage();
+ m_image = static_cast<CSSImageValue*>(m_imageValue.get())->cachedImage(loader);
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (m_image && m_image->isCachedImage())
</span><span class="lines">@@ -205,7 +216,8 @@
</span><span class="cx">
</span><span class="cx"> void CSSCursorImageValue::clearCachedImage()
</span><span class="cx"> {
</span><del>- m_image = 0;
</del><ins>+ detachPendingImage();
+ m_image = nullptr;
</ins><span class="cx"> m_accessedImage = false;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari53774branchSourceWebCorecssCSSCursorImageValueh"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.h (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSCursorImageValue.h 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -64,6 +64,8 @@
</span><span class="cx"> private:
</span><span class="cx"> CSSCursorImageValue(PassRefPtr<CSSValue> imageValue, bool hasHotSpot, const IntPoint& hotSpot);
</span><span class="cx">
</span><ins>+ void detachPendingImage();
+
</ins><span class="cx"> #if ENABLE(SVG)
</span><span class="cx"> bool isSVGCursor() const;
</span><span class="cx"> String cachedImageURL();
</span></span></pre></div>
<a id="branchessafari53774branchSourceWebCorecssCSSImageSetValuecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.cpp (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.cpp 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.cpp 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -49,8 +49,16 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline void CSSImageSetValue::detachPendingImage()
+{
+ if (m_imageSet && m_imageSet->isPendingImage())
+ static_cast<StylePendingImage&>(*m_imageSet).detachFromCSSValue();
+}
+
</ins><span class="cx"> CSSImageSetValue::~CSSImageSetValue()
</span><span class="cx"> {
</span><ins>+ detachPendingImage();
+
</ins><span class="cx"> if (m_imageSet && m_imageSet->isCachedImageSet())
</span><span class="cx"> static_cast<StyleCachedImageSet*>(m_imageSet.get())->clearImageSetValue();
</span><span class="cx"> }
</span><span class="lines">@@ -114,6 +122,7 @@
</span><span class="cx"> CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)));
</span><span class="cx"> request.setInitiator(cachedResourceRequestInitiators().css);
</span><span class="cx"> if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
</span><ins>+ detachPendingImage();
</ins><span class="cx"> m_imageSet = StyleCachedImageSet::create(cachedImage.get(), image.scaleFactor, this);
</span><span class="cx"> m_accessedBestFitImage = true;
</span><span class="cx"> }
</span></span></pre></div>
<a id="branchessafari53774branchSourceWebCorecssCSSImageSetValueh"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.h (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageSetValue.h 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -71,6 +71,7 @@
</span><span class="cx"> CSSImageSetValue();
</span><span class="cx"> CSSImageSetValue(const CSSImageSetValue& cloneFrom);
</span><span class="cx">
</span><ins>+ void detachPendingImage();
</ins><span class="cx"> void fillImageSet();
</span><span class="cx"> static inline bool compareByScaleFactor(ImageWithScale first, ImageWithScale second) { return first.scaleFactor < second.scaleFactor; }
</span><span class="cx">
</span></span></pre></div>
<a id="branchessafari53774branchSourceWebCorecssCSSImageValuecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.cpp (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.cpp 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.cpp 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -51,8 +51,15 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline void CSSImageValue::detachPendingImage()
+{
+ if (m_image && m_image->isPendingImage())
+ static_cast<StylePendingImage&>(*m_image).detachFromCSSValue();
+}
+
</ins><span class="cx"> CSSImageValue::~CSSImageValue()
</span><span class="cx"> {
</span><ins>+ detachPendingImage();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> StyleImage* CSSImageValue::cachedOrPendingImage()
</span><span class="lines">@@ -75,8 +82,10 @@
</span><span class="cx"> request.setInitiator(cachedResourceRequestInitiators().css);
</span><span class="cx"> else
</span><span class="cx"> request.setInitiator(m_initiatorName);
</span><del>- if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request))
</del><ins>+ if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
+ detachPendingImage();
</ins><span class="cx"> m_image = StyleCachedImage::create(cachedImage.get());
</span><ins>+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> return (m_image && m_image->isCachedImage()) ? static_cast<StyleCachedImage*>(m_image.get()) : 0;
</span></span></pre></div>
<a id="branchessafari53774branchSourceWebCorecssCSSImageValueh"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.h (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/css/CSSImageValue.h 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -59,6 +59,7 @@
</span><span class="cx"> private:
</span><span class="cx"> explicit CSSImageValue(const String& url);
</span><span class="cx"> CSSImageValue(const String& url, StyleImage*);
</span><ins>+ void detachPendingImage();
</ins><span class="cx">
</span><span class="cx"> String m_url;
</span><span class="cx"> RefPtr<StyleImage> m_image;
</span></span></pre></div>
<a id="branchessafari53774branchSourceWebCorerenderingstyleStylePendingImageh"></a>
<div class="modfile"><h4>Modified: branches/safari-537.74-branch/Source/WebCore/rendering/style/StylePendingImage.h (161455 => 161456)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-537.74-branch/Source/WebCore/rendering/style/StylePendingImage.h 2014-01-07 22:24:37 UTC (rev 161455)
+++ branches/safari-537.74-branch/Source/WebCore/rendering/style/StylePendingImage.h 2014-01-07 22:27:44 UTC (rev 161456)
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> #include "CSSImageSetValue.h"
</span><span class="cx"> #endif
</span><span class="cx"> #include "CSSImageValue.h"
</span><del>-#include "Image.h"
</del><span class="cx"> #include "StyleImage.h"
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="lines">@@ -48,12 +47,14 @@
</span><span class="cx"> virtual WrappedImagePtr data() const { return static_cast<CSSImageValue*>(m_value); }
</span><span class="cx">
</span><span class="cx"> virtual PassRefPtr<CSSValue> cssValue() const { return m_value; }
</span><del>- CSSImageValue* cssImageValue() const { return m_value->isImageValue() ? static_cast<CSSImageValue*>(m_value) : 0; }
- CSSImageGeneratorValue* cssImageGeneratorValue() const { return m_value->isImageGeneratorValue() ? static_cast<CSSImageGeneratorValue*>(m_value) : 0; }
- CSSCursorImageValue* cssCursorImageValue() const { return m_value->isCursorImageValue() ? static_cast<CSSCursorImageValue*>(m_value) : 0; }
</del><ins>+ CSSImageValue* cssImageValue() const { return m_value && m_value->isImageValue() ? static_cast<CSSImageValue*>(m_value) : nullptr; }
+ CSSImageGeneratorValue* cssImageGeneratorValue() const { return m_value && m_value->isImageGeneratorValue() ? static_cast<CSSImageGeneratorValue*>(m_value) : nullptr; }
+ CSSCursorImageValue* cssCursorImageValue() const { return m_value && m_value->isCursorImageValue() ? static_cast<CSSCursorImageValue*>(m_value) : nullptr; }
</ins><span class="cx"> #if ENABLE(CSS_IMAGE_SET)
</span><del>- CSSImageSetValue* cssImageSetValue() const { return m_value->isImageSetValue() ? static_cast<CSSImageSetValue*>(m_value) : 0; }
</del><ins>+ CSSImageSetValue* cssImageSetValue() const { return m_value && m_value->isImageSetValue() ? static_cast<CSSImageSetValue*>(m_value) : nullptr; }
</ins><span class="cx"> #endif
</span><ins>+
+ void detachFromCSSValue() { m_value = nullptr; }
</ins><span class="cx">
</span><span class="cx"> virtual LayoutSize imageSize(const RenderObject*, float /*multiplier*/) const OVERRIDE { return LayoutSize(); }
</span><span class="cx"> virtual bool imageHasRelativeWidth() const { return false; }
</span><span class="lines">@@ -81,4 +82,5 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span><ins>+
</ins><span class="cx"> #endif
</span></span></pre>
</div>
</div>
</body>
</html>