[Webkit-unassigned] [Bug 46120] New: RenderImage::intrinsicSizeChanged crashes when m_imageResource is missing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 20 14:24:03 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=46120

           Summary: RenderImage::intrinsicSizeChanged crashes when
                    m_imageResource is missing
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Major
          Priority: P1
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ctruta at chromium.org


This is a regression from bug 43779, changeset 66223. It has been noticed in Chromium; see the Chromium issue 54972 at
http://code.google.com/p/chromium/issues/detail?id=54972

I am submitting a straightforward patch that fixes the crash, although I am not entirely sure this is the right fix. Input from reviewers will be highly appreciated.

My understanding of the changeset 66223 is that RenderImage objects must have an ImageResource, so setImageResource must be called either inside the constructor (as it's the case with RenderMedia), or immediately after the constructor (as it's the case with the renderer associated with HTMLImageElement, HTMLInputElement, HTMLObjectElement, etc.). This, however, doesn't work well in the case of RenderObject or RenderObjectChildList: inside RenderObject::createObject, as well as inside RenderObjectChildList::updateBeforeAfterContent, setImageResource is called only after setting the image style.

This leads to a crash when the style is zoomed, because RenderImage::setStyle (or more precisely, RenderImage::intrinsicSizeChanged) assumes that an ImageResource object exists. Swapping setStyle and setImageResource doesn't work any better, because setImageResource also assumes that a style exists!

I am setting the severity/priority level to Major/P1, because it is crashing Chromium badly.
I will submit, shortly, my very simple patch and layout test.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list