[Webkit-unassigned] [Bug 85912] New: Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment

bugzilla-daemon at webkit.org
Tue May 8 14:11:15 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=85912

           Summary: Crash in computedCSSPadding* functions due to
                    RenderImage::imageDimensionsChanged called during
                    attachment
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jchaffraix at webkit.org


Created an attachment (id=140779)
 --> (https://bugs.webkit.org/attachment.cgi?id=140779&action=review)
Reproduction

Example stacktrace:

0:000> kp
ChildEBP RetAddr  
0012ed7c 0311270d chrome_1c30000!WebCore::RenderBoxModelObject::computedCSSPaddingBottom(void)+0x5b [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderboxmodelobject.cpp @ 633]
0012ed8c 0310278c chrome_1c30000!WebCore::RenderBoxModelObject::paddingBottom(void)+0xd [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderboxmodelobject.h @ 102]
0012edcc 03355ae7 chrome_1c30000!WebCore::RenderBox::contentBoxRect(void)+0x3c [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderbox.h @ 138]
0012ee6c 03355c9a chrome_1c30000!WebCore::RenderImage::imageDimensionsChanged(bool imageSizeChanged = false, class WebCore::IntRect * rect = 0x00000000)+0x1a7 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderimage.cpp @ 225]
0012ee90 03425a00 chrome_1c30000!WebCore::RenderImage::imageChanged(void * newImage = 0x01a71700, class WebCore::IntRect * rect = 0x00000000)+0x12a [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderimage.cpp @ 176]
0012eeb0 033df56e chrome_1c30000!WebCore::CachedImage::didAddClient(class WebCore::CachedResourceClient * c = 0x01a3411c)+0xa0 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\cache\cachedimage.cpp @ 117]
0012eec4 033423f2 chrome_1c30000!WebCore::CachedResource::addClient(class WebCore::CachedResourceClient * client = 0x01a3411c)+0x1e [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\cache\cachedresource.cpp @ 381]
0012eed4 0335481d chrome_1c30000!WebCore::RenderImageResourceStyleImage::initialize(class WebCore::RenderObject * renderer = 0x01a3411c)+0x32 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderimageresourcestyleimage.cpp @ 53]
0012eee4 032da771 chrome_1c30000!WebCore::RenderImage::setImageResource(class WTF::PassOwnPtr<WebCore::RenderImageResource> imageResource = class WTF::PassOwnPtr<WebCore::RenderImageResource>)+0x2d [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderimage.cpp @ 74]
0012eefc 036d4a27 chrome_1c30000!WebCore::RenderObject::createObject(class WebCore::Node * node = 0x01284200, class WebCore::RenderStyle * style = 0x01b4d010)+0x91 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderobject.cpp @ 135]
0012ef10 037c3132 chrome_1c30000!WebCore::HTMLElement::createRenderer(class WebCore::RenderArena * arena = 0x019fd380, class WebCore::RenderStyle * style = 0x01b4e000)+0x47 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\htmlelement.cpp @ 781]
0012ef28 037c329d chrome_1c30000!WebCore::NodeRendererFactory::createRenderer(void)+0x22 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\dom\noderenderingcontext.cpp @ 351]
0012ef44 03788396 chrome_1c30000!WebCore::NodeRendererFactory::createRendererIfNeeded(void)+0xfd [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\dom\noderenderingcontext.cpp @ 400]
0012ef6c 03791506 chrome_1c30000!WebCore::Node::createRendererIfNeeded(void)+0x16 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\dom\node.cpp @ 1427]
0012ef7c 03739036 chrome_1c30000!WebCore::Element::attach(void)+0x16 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\dom\element.cpp @ 977]
0012ef80 03739b80 chrome_1c30000!WebCore::executeTask(struct WebCore::HTMLConstructionSiteTask * task = 0x01a3411c)+0x66 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmlconstructionsite.cpp @ 103]
0012efb4 0372f5f2 chrome_1c30000!WebCore::HTMLConstructionSite::executeQueuedTasks(void)+0x60 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmlconstructionsite.cpp @ 140]
0012efc4 0372f820 chrome_1c30000!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(class WebCore::AtomicHTMLToken * token = 0x0012efd8)+0xb2 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmltreebuilder.cpp @ 482]
0012effc 03710c49 chrome_1c30000!WebCore::HTMLTreeBuilder::constructTreeFromToken(class WebCore::HTMLToken * rawToken = 0x019e805c)+0x30 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmltreebuilder.cpp @ 461]
0012f03c 03710fc9 chrome_1c30000!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x119 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 278]

It looks like the code already knows about the issue as we NULL-check for containingBlock() in RenderImage::imageDimensionsChanged.

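The re-entrancy the trace shows, as a constructed C++ model added here (not WebKit code): a cached image that already has data notifies its new client synchronously from addClient(), so the renderer is asked for its padding, and hence its containing block, while it is still being created and has no parent. The names are simplified stand-ins for the WebKit functions in the trace, the 5% padding and 200px width are constructed sample values, and the early return in imageDimensionsChanged() is an assumed placement of the containingBlock() check, not the project's actual fix.

```cpp
struct Renderer;
// Models CachedImage: addClient() synchronously notifies the new client when the
// image data is already loaded (didAddClient -> imageChanged in the trace).
struct CachedImageModel {
    void addClient(Renderer* r);
};

struct Renderer {
    Renderer* parent = nullptr;      // still null while Element::attach() is creating us
    int width = 200;                 // constructed sample width for the containing block
    bool guarded;                    // does imageDimensionsChanged() check for a parent?
    bool nullDerefAttempted = false; // stands in for the real null dereference (crash)
    int paddingBottom = -1;
    explicit Renderer(bool g) : guarded(g) {}
    Renderer* containingBlock() const { return parent; }

    // Models computedCSSPaddingBottom(): percentage padding resolves against the
    // containing block's width, so it must not run before a parent exists.
    int computedCSSPaddingBottom() {
        Renderer* cb = containingBlock();
        if (!cb) { nullDerefAttempted = true; return 0; }
        return cb->width * 5 / 100;  // e.g. padding-bottom: 5%
    }

    // Models imageDimensionsChanged() -> contentBoxRect() -> paddingBottom().
    void imageDimensionsChanged() {
        if (guarded && !containingBlock())
            return;                  // not in the tree yet; layout recomputes later
        paddingBottom = computedCSSPaddingBottom();
    }

    // Models setImageResource() -> RenderImageResourceStyleImage::initialize():
    // registering as a client re-enters the renderer before it has a parent.
    void setImageResource(CachedImageModel& image) { image.addClient(this); }
};

void CachedImageModel::addClient(Renderer* r) {
    r->imageDimensionsChanged();     // synchronous notification, as in didAddClient()
}

// Replays the order in the stack trace: the image resource is set inside createObject(),
// before the renderer has a parent. Returns -1 if the null containing block was needed,
// otherwise the padding computed once the renderer is in the tree.
int attachImage(bool guarded) {
    CachedImageModel image;
    Renderer root(guarded), img(guarded);
    img.setImageResource(image);     // RenderObject::createObject() step
    img.parent = &root;              // insertion into the render tree happens only now
    img.imageDimensionsChanged();    // later notification, now with a containing block
    return img.nullDerefAttempted ? -1 : img.paddingBottom;
}
```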