CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCor…

…e::CachedResource::addClientToSet + 27

https://bugs.webkit.org/show_bug.cgi?id=156602
<rdar://problem/18921091>

Reviewed by Simon Fraser.

Source/WebCore:

The CSS property list-style-image is inherited, so a transition on a parent
might cause a transition on a child. On that child, the value might be between
two generated crossfade images which haven't yet resolved, causing a crash.

Test: transitions/crossfade-transition.html

* css/CSSCrossfadeValue.cpp:
(WebCore::CSSCrossfadeValue::blend): Return null if there are no cached images.
* page/animation/CSSPropertyAnimation.cpp:
(WebCore::blendFunc): If we don't have an actual image to blend between, fall
out to the default case.

LayoutTests:

Tests that an animation between two inherited crossfade elements will not crash.

* transitions/crossfade-transition-expected.txt: Added.
* transitions/crossfade-transition.html: Added.

Canonical link: https://commits.webkit.org/174701@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199561 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,16 @@
+2016-04-14  Dean Jackson  <dino@apple.com>
+
+        CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::CachedResource::addClientToSet + 27
+        https://bugs.webkit.org/show_bug.cgi?id=156602
+        <rdar://problem/18921091>
+
+        Reviewed by Simon Fraser.
+
+        Tests that an animation between two inherited crossfade elements will not crash.
+
+        * transitions/crossfade-transition-expected.txt: Added.
+        * transitions/crossfade-transition.html: Added.
+
 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Add a JavaScript Formatting test for template strings

LayoutTests/transitions/crossfade-transition-expected.txt

@@ -0,0 +1 @@
+Test passes if there is no crash

LayoutTests/transitions/crossfade-transition.html

@@ -0,0 +1,36 @@
+<script>
+if (window.testRunner) {
+    window.testRunner.waitUntilDone();
+    window.testRunner.dumpAsText();
+}
+
+window.addEventListener("load", function () {
+    setTimeout(function () {
+        document.body.className = "foo";
+        if (window.testRunner) {
+            setTimeout(function () {
+                window.testRunner.notifyDone();
+            }, 50);
+        }
+    }, 0);
+}, false);
+</script>
+<style>
+.a > li,
+.a > li p {
+  transition: all 0.1s ease;
+}
+
+.a > li.b {
+  list-style-image: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1 1"><rect width="1" height="1" fill="blue"/></svg>');
+}
+.foo .a > li.b {
+  list-style-image: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1 1"><rect width="1" height="1" fill="red"/></svg>');
+}
+
+</style>
+<ul class="a">
+  <li class="b">
+    <p>Test passes if there is no crash</p>
+  </li>
+</ul>

Source/WebCore/ChangeLog

@@ -1,3 +1,23 @@
+2016-04-14  Dean Jackson  <dino@apple.com>
+
+        CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::CachedResource::addClientToSet + 27
+        https://bugs.webkit.org/show_bug.cgi?id=156602
+        <rdar://problem/18921091>
+
+        Reviewed by Simon Fraser.
+
+        The CSS property list-style-image is inherited, so a transition on a parent
+        might cause a transition on a child. On that child, the value might be between
+        two generated crossfade images which haven't yet resolved, causing a crash.
+
+        Test: transitions/crossfade-transition.html
+
+        * css/CSSCrossfadeValue.cpp:
+        (WebCore::CSSCrossfadeValue::blend): Return null if there are no cached images.
+        * page/animation/CSSPropertyAnimation.cpp:
+        (WebCore::blendFunc): If we don't have an actual image to blend between, fall
+        out to the default case.
+
 2016-04-14  Antonio Gomes  <tonikitoo@webkit.org>
 
         Allow listbox content and scrollbar to intrude padding area.

Source/WebCore/css/CSSCrossfadeValue.cpp

@@ -194,6 +194,8 @@ bool CSSCrossfadeValue::traverseSubresources(const std::function<bool (const Cac
 RefPtr<CSSCrossfadeValue> CSSCrossfadeValue::blend(const CSSCrossfadeValue& from, double progress) const
 {
     ASSERT(equalInputImages(from));
+    if (!m_cachedToImage || !m_cachedFromImage)
+        return nullptr;
     RefPtr<StyleCachedImage> toStyledImage = StyleCachedImage::create(m_cachedToImage.get());
     RefPtr<StyleCachedImage> fromStyledImage = StyleCachedImage::create(m_cachedFromImage.get());
 

Source/WebCore/page/animation/CSSPropertyAnimation.cpp

@@ -318,8 +318,10 @@ static inline PassRefPtr<StyleImage> blendFunc(const AnimationBase* anim, StyleI
         if (is<CSSCrossfadeValue>(fromGenerated) && is<CSSCrossfadeValue>(toGenerated)) {
             CSSCrossfadeValue& fromCrossfade = downcast<CSSCrossfadeValue>(fromGenerated);
             CSSCrossfadeValue& toCrossfade = downcast<CSSCrossfadeValue>(toGenerated);
-            if (fromCrossfade.equalInputImages(toCrossfade))
-                return StyleGeneratedImage::create(*toCrossfade.blend(fromCrossfade, progress));
+            if (fromCrossfade.equalInputImages(toCrossfade)) {
+                if (auto crossfadeBlend = toCrossfade.blend(fromCrossfade, progress))
+                    return StyleGeneratedImage::create(*crossfadeBlend);
+            }
         }
 
         // FIXME: Add support for animation between two *gradient() functions.