Bug 52225

Summary: Webkit crashes when a gradient is applied using the first-line pseudo element
Product: WebKit Reporter: Matias <mtiasv>
Component: Layout and RenderingAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: hyatt, mitz, simon.fraser
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.6   
URL: http://matiasventura.com/test.htm
Attachments:
Description Flags
Patch mitz: review+

Matias
Reported 2011-01-11 10:52:51 PST
The following code crashes with Webkit for me (can be tested on the url above): <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Test</title> <style> body { background: #eee; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-weight: 200; } #wrapper { margin: 150px auto; width: 700px; } .sleeve_main { background: #fff; margin: 0; padding: 100px 40px; border-radius: 8px; } h2:first-line { background-image: -webkit-gradient(linear, 0% 0%, 0% 100%, from(#EED200), to(#EDBE00)); } </style> </head> <body> <div id="wrapper"> <div class="sleeve_main"> <h2>Quisque facilisis erat a dui. Nam malesuada ornare dolor.</h2> </div> </div> </body> </html>
Attachments
Patch (3.52 KB, patch)
2011-01-11 21:13 PST, Simon Fraser (smfr) 		mitz: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2011-01-11 11:26:17 PST
<rdar://problem/8045778>
Simon Fraser (smfr)
Comment 2 2011-01-11 20:56:36 PST
The problem here is that we don't go through the normal updateFillImages() code for the :first-line style (which might be a cached pseudostyle), so the image has no reference to its clients, and the CSSValue fails to cache the Image in its hash table, so nothing keeps the Image alive.
Simon Fraser (smfr)
Comment 3 2011-01-11 21:04:51 PST
The fact that the RenderObject isn't registered as a client of the image in the pseudostyle is also evident in the fact that animated background-images used in :first-line fail to repaint their renderer.
Simon Fraser (smfr)
Comment 4 2011-01-11 21:13:49 PST
Created attachment 78648 [details] Patch
Simon Fraser (smfr)
Comment 5 2011-01-11 21:30:58 PST
http://trac.webkit.org/changeset/75585
Note You need to log in before you can comment on or make changes to this bug.