RESOLVED FIXED 89148
Null-pointer crash when a derived color like -webkit-activelink is set in a gradient stop 
https://bugs.webkit.org/show_bug.cgi?id=89148
Summary Null-pointer crash when a derived color like -webkit-activelink is set in a g...
dstockwell
Reported 2012-06-14 18:27:52 PDT
CSSGradientValue does not resolve colors until paint time when the corresponding element is not available. As reported at http://crbug.com/85080
Attachments
Patch (8.21 KB, patch)
2012-06-14 19:07 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ec2-cr-linux-02 (673.83 KB, application/zip)
2012-06-15 00:27 PDT, WebKit Review Bot 		no flags
Details
Patch (15.12 KB, patch)
2012-06-17 22:41 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Patch (15.26 KB, patch)
2012-07-16 20:33 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Patch (15.42 KB, patch)
2012-07-18 19:09 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Patch (15.47 KB, patch)
2012-07-22 18:25 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from gce-cr-linux-06 (535.20 KB, application/zip)
2012-07-22 19:38 PDT, WebKit Review Bot 		no flags
Details
Patch (15.55 KB, patch)
2012-07-22 20:19 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from gce-cr-linux-06 (294.98 KB, application/zip)
2012-07-22 21:23 PDT, WebKit Review Bot 		no flags
Details
Archive of layout-test-results from gce-cr-linux-07 (608.12 KB, application/zip)
2012-07-22 22:23 PDT, WebKit Review Bot 		no flags
Details
Patch (15.37 KB, patch)
2012-07-22 23:16 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Patch (15.52 KB, patch)
2012-07-23 18:51 PDT, dstockwell 		no flags
DetailsFormatted DiffDiff
Show Obsolete (8) View All Add attachment proposed patch, testcase, etc.
dstockwell
Comment 1 2012-06-14 19:07:01 PDT
Created attachment 147709 [details] Patch
WebKit Review Bot
Comment 2 2012-06-15 00:27:23 PDT
Comment on attachment 147709 [details] Patch Attachment 147709 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/12966276 New failing tests: fast/gradients/generated-gradients.html fast/css/linear-gradient-currentcolor.html
WebKit Review Bot
Comment 3 2012-06-15 00:27:36 PDT
Created attachment 147757 [details] Archive of layout-test-results from ec2-cr-linux-02 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: ec2-cr-linux-02 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
dstockwell
Comment 4 2012-06-17 22:41:21 PDT
Created attachment 148054 [details] Patch
Simon Fraser (smfr)
Comment 5 2012-07-16 18:00:18 PDT
Comment on attachment 148054 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=148054&action=review > Source/WebCore/css/CSSGradientValue.cpp:108 > +PassRefPtr<CSSGradientValue> CSSGradientValue::resolveStyles(StyleResolver* styleResolver) It's a bit odd that a method called resolveStyles resturns a gradient. Maybe gradientWithStylesResolved()? It's also odd that this method changes |this| yet returns a clone. > Source/WebCore/css/CSSGradientValue.cpp:112 > + derived = derived || styleResolver->isElementDerivedColor(m_stops[i].m_color.get()); derived |= Putting m_stops[i].m_color in a local variable would be a minor win here. > Source/WebCore/css/StyleResolver.h:224 > + static bool isElementDerivedColor(CSSPrimitiveValue*); This name is hard to read. Is it "is element-derived color", or "is element derived-color"? It's also not being called on a color-related class.
dstockwell
Comment 6 2012-07-16 20:33:48 PDT
Created attachment 152689 [details] Patch
dstockwell
Comment 7 2012-07-16 20:46:29 PDT
Thanks for the review, please take another look. (In reply to comment #5) > It's a bit odd that a method called resolveStyles resturns a gradient. Maybe gradientWithStylesResolved()? Done. > It's also odd that this method changes |this| yet returns a clone. Yes, but this seems a little simpler than the alternatives that I could see. > > Source/WebCore/css/CSSGradientValue.cpp:112 > > + derived = derived || styleResolver->isElementDerivedColor(m_stops[i].m_color.get()); > > derived |= > Putting m_stops[i].m_color in a local variable would be a minor win here. > > > Source/WebCore/css/StyleResolver.h:224 > > + static bool isElementDerivedColor(CSSPrimitiveValue*); > > This name is hard to read. Is it "is element-derived color", or "is element derived-color"? It's also not being called on a color-related class. Renamed.
Simon Fraser (smfr)
Comment 8 2012-07-17 11:02:39 PDT
(In reply to comment #7) > Thanks for the review, please take another look. > > (In reply to comment #5) > > It's a bit odd that a method called resolveStyles resturns a gradient. Maybe gradientWithStylesResolved()? > > Done. > > > It's also odd that this method changes |this| yet returns a clone. > > Yes, but this seems a little simpler than the alternatives that I could see. Why not see if any of the color stops need to be derived, and if so clone and modify, otherwise return |this|?
dstockwell
Comment 9 2012-07-18 19:09:33 PDT
Created attachment 153159 [details] Patch
dstockwell
Comment 10 2012-07-18 19:10:39 PDT
(In reply to comment #8) > > > It's also odd that this method changes |this| yet returns a clone. > > > > Yes, but this seems a little simpler than the alternatives that I could see. > > Why not see if any of the color stops need to be derived, and if so clone and modify, otherwise return |this|? Done.
Simon Fraser (smfr)
Comment 11 2012-07-19 10:13:29 PDT
Comment on attachment 153159 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=153159&action=review > Source/WebCore/css/CSSGradientValue.cpp:441 > + if (StyleResolver::colorFromPrimitiveValueIsDerivedFromElement(stop.m_color.get())) Shame that we do this test here as well as in gradientWithStylesResolved(). Maybe we should just cache this state? > Source/WebCore/css/StyleResolver.cpp:3372 > + if (item->isGradientValue()) { > + m_style->setContent(StyleGeneratedImage::create(static_cast<CSSGradientValue*>(item)->gradientWithStylesResolved(this).get()), didSet); > + didSet = true; > + } else { > + m_style->setContent(StyleGeneratedImage::create(static_cast<CSSImageGeneratorValue*>(item)), didSet); > + didSet = true; > + } didSet is true for both branches, so not sure why you have to do that inside the conditional.
dstockwell
Comment 12 2012-07-22 18:25:01 PDT
Created attachment 153716 [details] Patch
dstockwell
Comment 13 2012-07-22 18:26:01 PDT
(In reply to comment #11) > > Source/WebCore/css/CSSGradientValue.cpp:441 > > + if (StyleResolver::colorFromPrimitiveValueIsDerivedFromElement(stop.m_color.get())) > > Shame that we do this test here as well as in gradientWithStylesResolved(). Maybe we should just cache this state? Done. > didSet is true for both branches, so not sure why you have to do that inside the conditional. Fixed.
WebKit Review Bot
Comment 14 2012-07-22 19:38:21 PDT
Comment on attachment 153716 [details] Patch Attachment 153716 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13324096 New failing tests: transitions/equivalent-background-image-no-transition.html
WebKit Review Bot
Comment 15 2012-07-22 19:38:26 PDT
Created attachment 153720 [details] Archive of layout-test-results from gce-cr-linux-06 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-06 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid
dstockwell
Comment 16 2012-07-22 20:19:07 PDT
Created attachment 153723 [details] Patch
WebKit Review Bot
Comment 17 2012-07-22 21:23:48 PDT
Comment on attachment 153723 [details] Patch Attachment 153723 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13312903 New failing tests: transitions/equivalent-background-image-no-transition.html
WebKit Review Bot
Comment 18 2012-07-22 21:23:53 PDT
Created attachment 153730 [details] Archive of layout-test-results from gce-cr-linux-06 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-06 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid
WebKit Review Bot
Comment 19 2012-07-22 22:23:43 PDT
Comment on attachment 153723 [details] Patch Attachment 153723 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13316884 New failing tests: transitions/equivalent-background-image-no-transition.html
WebKit Review Bot
Comment 20 2012-07-22 22:23:49 PDT
Created attachment 153731 [details] Archive of layout-test-results from gce-cr-linux-07 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-07 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid
dstockwell
Comment 21 2012-07-22 23:16:25 PDT
Created attachment 153735 [details] Patch
dstockwell
Comment 22 2012-07-23 18:51:26 PDT
Created attachment 153934 [details] Patch
noel gordon
Comment 23 2012-07-23 20:54:51 PDT
Ok cq+ given Simon's r+.
WebKit Review Bot
Comment 24 2012-07-23 22:35:01 PDT
Comment on attachment 153934 [details] Patch Clearing flags on attachment: 153934 Committed r123426: <http://trac.webkit.org/changeset/123426>
WebKit Review Bot
Comment 25 2012-07-23 22:35:08 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.