[webkit-changes] [116693] trunk

Thu, 10 May 2012 15:07:43 -0700

Title: [116693] trunk
Revision
116693
Author
jchaffr...@webkit.org
Date
2012-05-10 15:08:27 -0700 (Thu, 10 May 2012)

Log Message

Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment
https://bugs.webkit.org/show_bug.cgi?id=85912

Reviewed by Eric Seidel.

Source/WebCore:

Tests: fast/images/link-body-content-imageDimensionChanged-crash.html
       fast/images/script-counter-imageDimensionChanged-crash.html

The bug comes from CSS generated images that could end up calling imageDimensionsChanged during attachment. As the
rest of the code (e.g. computedCSSPadding*) would assumes that we are already inserted in the tree, we would crash.

The solution is to bail out in this case as newly inserted RenderObject will trigger layout later on and properly
handle what we would be doing as part of imageDimensionChanged (the only exception being updating our intrinsic
size which should be done as part of imageDimensionsChanged).

* rendering/RenderImage.cpp:
(WebCore::RenderImage::imageDimensionsChanged):

LayoutTests:

* fast/images/link-body-content-imageDimensionChanged-crash-expected.txt: Added.
* fast/images/link-body-content-imageDimensionChanged-crash.html: Added.
* fast/images/script-counter-imageDimensionChanged-crash-expected.txt: Added.
* fast/images/script-counter-imageDimensionChanged-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (116692 => 116693)


--- trunk/LayoutTests/ChangeLog	2012-05-10 22:00:02 UTC (rev 116692)
+++ trunk/LayoutTests/ChangeLog	2012-05-10 22:08:27 UTC (rev 116693)
@@ -1,3 +1,15 @@
+2012-05-10  Julien Chaffraix  <jchaffr...@webkit.org>
+
+        Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment
+        https://bugs.webkit.org/show_bug.cgi?id=85912
+
+        Reviewed by Eric Seidel.
+
+        * fast/images/link-body-content-imageDimensionChanged-crash-expected.txt: Added.
+        * fast/images/link-body-content-imageDimensionChanged-crash.html: Added.
+        * fast/images/script-counter-imageDimensionChanged-crash-expected.txt: Added.
+        * fast/images/script-counter-imageDimensionChanged-crash.html: Added.
+
 2012-05-10  Brady Eidson  <beid...@apple.com>
 
         <rdar://problem/10972577> and https://bugs.webkit.org/show_bug.cgi?id=80170

Added: trunk/LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash-expected.txt (0 => 116693)


--- trunk/LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash-expected.txt	2012-05-10 22:08:27 UTC (rev 116693)
@@ -0,0 +1,5 @@
+Bug 85912: Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment
+
+This test PASSED if it did not crash.
+
+

Added: trunk/LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash.html (0 => 116693)


--- trunk/LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash.html	2012-05-10 22:08:27 UTC (rev 116693)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+div {
+    content: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA8AAAAPAQMAAAABGAcJAAAAA1BMVEUAgACc+aWRAAAADElEQVR42mNgIAEAAAAtAAH7KhMqAAAAAElFTkSuQmCC");
+    padding-bottom: 10581%;
+}
+ </style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<p> Bug <a href="" Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment</p>
+<p> This test PASSED if it did not crash. </p>
+<div>
+    <link href="" rel=stylesheet>
+    <body style='content: "PASSED, no crash"; '></body>
+</div>
+</html>

Added: trunk/LayoutTests/fast/images/script-counter-imageDimensionChanged-crash-expected.txt (0 => 116693)


--- trunk/LayoutTests/fast/images/script-counter-imageDimensionChanged-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/images/script-counter-imageDimensionChanged-crash-expected.txt	2012-05-10 22:08:27 UTC (rev 116693)
@@ -0,0 +1,5 @@
+Bug 85912: Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment
+
+This test PASSED if it did not crash.
+
+

Added: trunk/LayoutTests/fast/images/script-counter-imageDimensionChanged-crash.html (0 => 116693)


--- trunk/LayoutTests/fast/images/script-counter-imageDimensionChanged-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/images/script-counter-imageDimensionChanged-crash.html	2012-05-10 22:08:27 UTC (rev 116693)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+div {
+    content: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA8AAAAPAQMAAAABGAcJAAAAA1BMVEUAgACc+aWRAAAADElEQVR42mNgIAEAAAAtAAH7KhMqAAAAAElFTkSuQmCC");
+    padding-top: 100%;
+}
+
+body {
+    content: counter(foobar);
+}
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<p> Bug <a href="" Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment</p>
+<p> This test PASSED if it did not crash. </p>
+<div>
+<script src=""
+<body>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (116692 => 116693)


--- trunk/Source/WebCore/ChangeLog	2012-05-10 22:00:02 UTC (rev 116692)
+++ trunk/Source/WebCore/ChangeLog	2012-05-10 22:08:27 UTC (rev 116693)
@@ -1,3 +1,23 @@
+2012-05-10  Julien Chaffraix  <jchaffr...@webkit.org>
+
+        Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment
+        https://bugs.webkit.org/show_bug.cgi?id=85912
+
+        Reviewed by Eric Seidel.
+
+        Tests: fast/images/link-body-content-imageDimensionChanged-crash.html
+               fast/images/script-counter-imageDimensionChanged-crash.html
+
+        The bug comes from CSS generated images that could end up calling imageDimensionsChanged during attachment. As the
+        rest of the code (e.g. computedCSSPadding*) would assumes that we are already inserted in the tree, we would crash.
+
+        The solution is to bail out in this case as newly inserted RenderObject will trigger layout later on and properly
+        handle what we would be doing as part of imageDimensionChanged (the only exception being updating our intrinsic
+        size which should be done as part of imageDimensionsChanged).
+
+        * rendering/RenderImage.cpp:
+        (WebCore::RenderImage::imageDimensionsChanged):
+
 2012-05-10  Adam Barth  <aba...@webkit.org>
 
         ASSERT in BidiResolver<Iterator, Run>::commitExplicitEmbedding makes running debug builds annoying

Modified: trunk/Source/WebCore/rendering/RenderImage.cpp (116692 => 116693)


--- trunk/Source/WebCore/rendering/RenderImage.cpp	2012-05-10 22:00:02 UTC (rev 116692)
+++ trunk/Source/WebCore/rendering/RenderImage.cpp	2012-05-10 22:08:27 UTC (rev 116693)
@@ -188,29 +188,33 @@
 
 void RenderImage::imageDimensionsChanged(bool imageSizeChanged, const IntRect* rect)
 {
+    bool intrinsicSizeChanged = updateIntrinsicSizeIfNeeded(m_imageResource->imageSize(style()->effectiveZoom()), imageSizeChanged);
+
+    // In the case of generated image content using :before/:after/content, we might not be
+    // in the render tree yet. In that case, we just need to update our intrinsic size.
+    // layout() will be called after we are inserted in the tree which will take care of
+    // what we are doing here.
+    if (!containingBlock())
+        return;
+
     bool shouldRepaint = true;
-    if (updateIntrinsicSizeIfNeeded(m_imageResource->imageSize(style()->effectiveZoom()), imageSizeChanged)) {
-        // In the case of generated image content using :before/:after, we might not be in the
-        // render tree yet.  In that case, we don't need to worry about check for layout, since we'll get a
-        // layout when we get added in to the render tree hierarchy later.
-        if (containingBlock()) {
-            // lets see if we need to relayout at all..
-            int oldwidth = width();
-            int oldheight = height();
-            if (!preferredLogicalWidthsDirty())
-                setPreferredLogicalWidthsDirty(true);
-            computeLogicalWidth();
-            computeLogicalHeight();
+    if (intrinsicSizeChanged) {
+        // lets see if we need to relayout at all..
+        int oldwidth = width();
+        int oldheight = height();
+        if (!preferredLogicalWidthsDirty())
+            setPreferredLogicalWidthsDirty(true);
+        computeLogicalWidth();
+        computeLogicalHeight();
 
-            if (imageSizeChanged || width() != oldwidth || height() != oldheight) {
-                shouldRepaint = false;
-                if (!selfNeedsLayout())
-                    setNeedsLayout(true);
-            }
+        if (imageSizeChanged || width() != oldwidth || height() != oldheight) {
+            shouldRepaint = false;
+            if (!selfNeedsLayout())
+                setNeedsLayout(true);
+        }
 
-            setWidth(oldwidth);
-            setHeight(oldheight);
-        }
+        setWidth(oldwidth);
+        setHeight(oldheight);
     }
 
     if (shouldRepaint) {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to