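--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,31 @@
+2011-05-20 Andrey Petrov <andrey.petrov@gmail.com>
+
+ Using jQuery to show/hide IMG elements crashes WebKit
+ https://bugs.webkit.org/show_bug.cgi?id=31721
+
+ For platform code, do not assert nodes always have renderer at
+ the time context menu action is invoked.
+ Renderer can actually be empty for a given node if it was hidden
+ or removed from domtree by some non-user generated event (e.g timeout)
+ after the popup menu had been created.
+
+ Changing Chromium, Gtk, Mac, Qt, Win and WinCE.
+
+ Test: editing/pasteboard/copy-standalone-image-crash.html
+
+ * platform/chromium/PasteboardChromium.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/gtk/PasteboardGtk.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/mac/PasteboardMac.mm:
+ (WebCore::Pasteboard::writeImage):
+ * platform/qt/PasteboardQt.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/win/PasteboardWin.cpp:
+ (WebCore::Pasteboard::writeImage):
+ * platform/wince/PasteboardWinCE.cpp:
+ (WebCore::Pasteboard::writeImage):
+
 2011-05-20 Alexey Proskuryakov <ap@apple.com>
 
  Reviewed by Kent Tamura.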

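--- a/Source/WebCore/platform/chromium/PasteboardChromium.cpp
+++ b/Source/WebCore/platform/chromium/PasteboardChromium.cpp
@@ -122,7 +122,10 @@ void Pasteboard::writeURL(const KURL& ur
 void Pasteboard::writeImage(Node* node, const KURL&, const String& title)
 {
  ASSERT(node);
- ASSERT(node->renderer());
+
+ if (!node->renderer())
+ return;
+
  ASSERT(node->renderer()->isImage());
  RenderImage* renderer = toRenderImage(node->renderer());
  CachedImage* cachedImage = renderer->cachedImage();
@@ -130,7 +133,7 @@ void Pasteboard::writeImage(Node* node,
  return;
  Image* image = cachedImage->image();
  ASSERT(image);
-
+
  NativeImagePtr bitmap = image->nativeImageForCurrentFrame();
  if (!bitmap)
  return;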
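Review bot: The new `if (!node->renderer()) return;` guard in the first hunk handles only a missing renderer, while the renderer's type is still checked solely by `ASSERT(node->renderer()->isImage())`, which is compiled out of release builds, so `toRenderImage(node->renderer())` downcasts whatever renderer the node has at that moment. Because the commit's own rationale is that the DOM can change between menu creation and the menu action, the type check should be a runtime one too: `if (!node->renderer() || !node->renderer()->isImage()) return;`. Whether a node can actually reach this point with a non-image renderer is not visible from the hunk, but the guard is cheap and removes the bad cast from release builds. The same applies to the Gtk, Mac, Qt, Win and WinCE versions of writeImage in this commit; the Gtk version shows no isImage() assertion at all in its visible lines. writeImage's body continues outside both hunks.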

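--- a/Source/WebCore/platform/gtk/PasteboardGtk.cpp
+++ b/Source/WebCore/platform/gtk/PasteboardGtk.cpp
@@ -118,7 +118,10 @@ static KURL getURLForImageNode(Node* nod
 void Pasteboard::writeImage(Node* node, const KURL&, const String& title)
 {
  ASSERT(node);
- ASSERT(node->renderer());
+
+ if (!node->renderer())
+ return;
+
  RenderImage* renderer = toRenderImage(node->renderer());
  CachedImage* cachedImage = renderer->cachedImage();
  if (!cachedImage || cachedImage->errorOccurred())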

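--- a/Source/WebCore/platform/mac/PasteboardMac.mm
+++ b/Source/WebCore/platform/mac/PasteboardMac.mm
@@ -291,12 +291,16 @@ void Pasteboard::writeFileWrapperAsRTFDA
 void Pasteboard::writeImage(Node* node, const KURL& url, const String& title)
 {
  ASSERT(node);
+
+ if (!node->renderer())
+ return;
+
  Frame* frame = node->document()->frame();
 
  NSURL *cocoaURL = url;
  ASSERT(cocoaURL);
 
- ASSERT(node->renderer() && node->renderer()->isImage());
+ ASSERT(node->renderer()->isImage());
  RenderImage* renderer = toRenderImage(node->renderer());
  CachedImage* cachedImage = renderer->cachedImage();
  if (!cachedImage || cachedImage->errorOccurred())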

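--- a/Source/WebCore/platform/qt/PasteboardQt.cpp
+++ b/Source/WebCore/platform/qt/PasteboardQt.cpp
@@ -152,7 +152,12 @@ void Pasteboard::writeURL(const KURL& ur
 
 void Pasteboard::writeImage(Node* node, const KURL&, const String&)
 {
- ASSERT(node && node->renderer() && node->renderer()->isImage());
+ ASSERT(node);
+
+ if (!node->renderer())
+ return;
+
+ ASSERT(node->renderer()->isImage());
 
 #ifndef QT_NO_CLIPBOARD
  CachedImage* cachedImage = toRenderImage(node->renderer())->cachedImage();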

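--- a/Source/WebCore/platform/win/PasteboardWin.cpp
+++ b/Source/WebCore/platform/win/PasteboardWin.cpp
@@ -208,7 +208,13 @@ void Pasteboard::writeURL(const KURL& ur
 
 void Pasteboard::writeImage(Node* node, const KURL&, const String&)
 {
- ASSERT(node && node->renderer() && node->renderer()->isImage());
+ ASSERT(node);
+
+ if (!node->renderer())
+ return;
+
+ ASSERT(node->renderer()->isImage());
+
  RenderImage* renderer = toRenderImage(node->renderer());
  CachedImage* cachedImage = renderer->cachedImage();
  if (!cachedImage || cachedImage->errorOccurred())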

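--- a/Source/WebCore/platform/wince/PasteboardWinCE.cpp
+++ b/Source/WebCore/platform/wince/PasteboardWinCE.cpp
@@ -200,7 +200,13 @@ void Pasteboard::writeURL(const KURL& ur
 
 void Pasteboard::writeImage(Node* node, const KURL&, const String&)
 {
- ASSERT(node && node->renderer() && node->renderer()->isImage());
+ ASSERT(node);
+
+ if (!node->renderer())
+ return;
+
+ ASSERT(node->renderer()->isImage());
+
  RenderImage* renderer = static_cast<RenderImage*>(node->renderer());
  CachedImage* cachedImage = static_cast<CachedImage*>(renderer->cachedImage());
  ASSERT(cachedImage);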
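Review bot: `cachedImage` is only covered by `ASSERT(cachedImage);` on the last visible line, whereas the Gtk, Mac and Win versions in this commit return early on `!cachedImage || cachedImage->errorOccurred()`. The rest of the function lies outside the hunk, so if it dereferences `cachedImage` without a runtime check, a release build can still crash on an image with no cached resource even after this fix. Consider replacing the assertion with `if (!cachedImage || cachedImage->errorOccurred()) return;` so this port fails closed like the others.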

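--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-05-20 Andrey Petrov <andrey.petrov@gmail.com>
+
+ Reviewed by NOBODY (OOPS!).
+
+ Using jQuery to show/hide IMG elements crashes WebKit
+ https://bugs.webkit.org/show_bug.cgi?id=31721
+
+ * editing/pasteboard/copy-standalone-image-crash-expected.txt: Added.
+ * editing/pasteboard/copy-standalone-image-crash.html: Added.
+
 2011-05-20 Alexey Proskuryakov <ap@apple.com>
 
  Reviewed by Kent Tamura.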

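--- a/LayoutTests/editing/pasteboard/copy-standalone-image-crash-expected.txt
+++ b/LayoutTests/editing/pasteboard/copy-standalone-image-crash-expected.txt
@@ -0,0 +1 @@
+PASS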

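--- a/LayoutTests/editing/pasteboard/copy-standalone-image-crash.html
+++ b/LayoutTests/editing/pasteboard/copy-standalone-image-crash.html
@@ -0,0 +1,82 @@
+<html>
+<head>
+<script>
+
+var items;
+
+if (window.layoutTestController) {
+ window.layoutTestController.dumpAsText();
+ window.layoutTestController.waitUntilDone();
+}
+
+function doclick() {
+
+ for (var i = 0; i < items.length; i++)
+ {
+ var title = items[i].title;
+
+ if (!title)
+ break;
+
+ // it is pretty tricky to deal with accelerators in a decent way, but I suppose
+ // just removing the underscores is a good enough way
+
+ title = title.replace(/_/g,'');
+
+ if (title.match("Copy Image")) {
+ items[i].click();
+ break;
+ }
+ }
+
+ // As long as didn't crash, we passed.
+ document.body.innerHTML = "PASS";
+
+ window.layoutTestController.notifyDone();
+}
+
+function hidediv() {
+
+ var div = document.getElementById ("DIV");
+ div.style.display="none";
+
+}
+
+// this is for manual testing only
+function delayhide() {
+
+ setTimeout(hidediv, 100);
+
+}
+
+function doTest() {
+
+ if (!window.layoutTestController)
+ return;
+
+ var image = document.getElementById ("IMG");
+
+ x = image.offsetLeft + 10;
+ y = image.offsetTop + 10;
+
+ eventSender.mouseMoveTo(x, y);
+ items = eventSender.contextClick();
+
+ hidediv();
+
+ setTimeout(doclick, 10);
+
+}
+
+</script>
+</head>
+<body onload="doTest()" onmousedown="delayhide()">
+This is an automated test case for bug <a href="https://bugs.webkit.org/show_bug.cgi?id=31721">31721</a><br>
+If you wish to test manually, mouseover to image, activate context menu, wait for the image to disappear and then click copy image.<br>
+There should be no crash.
+<div ID="DIV">
+ <div> <img id="IMG" src="resources/apple.gif"/> </div>
+ </div>
+</body>
+
+</html>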
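Review bot: doclick() writes PASS whether or not a "Copy Image" item was ever clicked, so the regression test passes without reaching Pasteboard::writeImage on any port where contextClick() returns no items or labels the entry differently. The `if (!title) break;` also stops the search at the first untitled entry (presumably a separator), which probably should be `continue;`. Consider setting a `clicked` flag inside the match branch and printing something other than PASS when it stays false, so a port that never exercises the fixed path is visible in the results. Separately, `x` and `y` in doTest() are assigned without `var` and leak into the global scope.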