Bug 19964

Summary: divide by zero crash in RenderBox::calculateBackgroundSize with 0,0 bmp background image
Product: WebKit Reporter: Alexander Mohr <amohr>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major    
Priority: P3    
Version: 528+ (Nightly build)   
Hardware: All   
OS: OS X 10.5   
Attachments:
Description Flags
sample 0,0 bitmap
none
page that links to 0,0 bitmap bugfile that causes crash
none
Proposed fix
chrisb: review-
New patch for bug 19964 darin: review+

Description Alexander Mohr 2008-07-09 11:33:27 PDT 
there's a divide by zero crash in RenderBox::calculateBackgroundSize when you load a 0,0 bmp as the background image and specify -khtml-background-size

It crashes on:
w = bg->imageSize(this, style()->effectiveZoom()).width() * h / bg->imageSize(this, style()->effectiveZoom()).height();

since bg->imageSize returns 0,0
Comment 1 Alexander Mohr 2008-07-09 11:35:35 PDT 
Created attachment 22187 [details]
sample 0,0 bitmap
Comment 2 Alexander Mohr 2008-07-09 11:43:46 PDT 
Created attachment 22188 [details]
page that links to 0,0 bitmap bugfile that causes crash
Comment 3 Chris Brichford 2008-07-25 10:32:30 PDT 
I suspect change set 31981 introduced this bug when it removed the following statements from RenderBox::imageChanged:

if (!image || !image->canRender(style()->effectiveZoom()) || !parent() || !view()) 
        return;

canRender will return false if the image is zero width or zero height.  If we take the early out in RenderBox::imageChanged we never call calculateBackgroundSize, which assumes that any background images have non-zero height.
Comment 4 Chris Brichford 2008-07-25 13:19:52 PDT 
Created attachment 22479 [details]
Proposed fix

Proposed fix, including LayoutTest.
Comment 5 Chris Brichford 2008-07-25 18:11:51 PDT 
My fix is busted.  Breaks rendering of broken images.
Comment 6 Mihnea Ovidenie 2008-08-06 08:33:25 PDT 
Created attachment 22681 [details]
New patch for bug 19964
Comment 7 Darin Adler 2008-08-21 17:45:20 PDT 
Comment on attachment 22681 [details]
New patch for bug 19964

+        * ChangeLog:

The ChangeLog itself shouldn't be listed in the ChangeLog.

We need a ChangeLog for the LayoutTests directory too, not just WebCore.

Otherwise this patch looks good. I'm going to say review+ but having no patch for LayoutTests does add work for whoever commits the patch.
Comment 8 Mihnea Ovidenie 2008-08-22 01:28:53 PDT 
Hello,
Can you please explain me what did you mean by having no patch for LayoutTests? The patch i submitted included a test for the problem itself: "LayoutTests/css3/khtml-background-size-0x0-bmp.html" and the needed bitmap for the test.

If more tests are needed for the patch to land in the trunk, please tell me and i will be glad to do it.

Regards,
Mihnea Ovidenie


> (From update of attachment 22681 [details] [edit])
> +        * ChangeLog:
> 
> The ChangeLog itself shouldn't be listed in the ChangeLog.
> 
> We need a ChangeLog for the LayoutTests directory too, not just WebCore.
> 
> Otherwise this patch looks good. I'm going to say review+ but having no patch
> for LayoutTests does add work for whoever commits the patch.
>
Comment 9 Mark Rowe (bdash) 2008-09-02 23:23:22 PDT 
Landed in r36047.

Mihnea, what Darin meant is that you did not include a ChangeLog entry for your changes inside LayoutTests.  I added one when I landed the change, but in the future you should include one with your patches.