[Webkit-unassigned] [Bug 31721] New: Using jQuery to show/hide IMG elements crashes WebKit

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 20 06:10:12 PST 2009 

https://bugs.webkit.org/show_bug.cgi?id=31721

           Summary: Using jQuery to show/hide IMG elements crashes WebKit
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Images
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mihnea at adobe.com


Created an attachment (id=43574)
 --> (https://bugs.webkit.org/attachment.cgi?id=43574)
Archive of the javascript application

Hi,
I was using JQuery 1.3.2 to show/hide IMG elements in a simple javascript
application.

<html>
    <head>
        <script type="text/javascript" src="jquery-1.3.2.js"></script>
        <script>
            // this reproduces the problem because hide calls animate
            function openPreferences()
            {
                $('#DIV').hide
                (
                    300,
                    function()
                    {
                        $('#DIV_NIGHT').show(300);
                    }
                );
            }
        </script>
    </head>

    <body onmousedown="openPreferences()"> 
        <div>
            <div ID="DIV">
                <div>
                    <img id="IMG" src="5day.png"/>
                </div>    
            </div>
            <div ID="DIV_NIGHT" style="display:none">
                <div>
                    <img id="IMG_NIGHT" src="night.png"/>
                </div>    
            </div>
        </div>
        Test 
    </body>    
</html>

1. When the application is displayed, i place the mouse over the image
displayed (5day.png). 
2. Right-click
3. From the contextual menu opened, i choose "Copy Image". Note that in the
meantime, the original image is replaced with another image.
4. As an effect of step 3 - context menu & image replaced, the WebKit browser
crashes

The problem appears on Mac 10.5.8 Safari 4.0.4/WebKit 51229 WindowsXP Safari
4.0.4/WebKit 51228.
Chrome3.0.195.27 does not crash (Win), FF3.5.4 does not crash (Mac/Win), Opera
10 does not crash (Mac/Win), IE8 does not crash on Win.

Digging a little in the code:
1. In WebCore/editing/Editor.cpp copyImage(const HitTestResult& result)
    The member m_innerNonSharedNode from HitTestResult does not have a valid
renderer (0). Because of that, absoluteImageURL() returns a url that is not
valid and cannot be used to be passed to writeImage.
2. A possible fix to this issue would be to check the url to be valid before
calling writeImage
    if (url.isValid())
       
Pasteboard::generalPasteboard()->writeImage(result.innerNonSharedNode(), url,
result.altDisplayString());

However, i do not understand the exact cause of the issue, so the above fix
might not be very appropriate.

Could be related to WebKit bug 25381: jQuery animation crashing Safari
(Mac/Win) / Chrome (Win)

Regards,
Mihnea

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list