Bug 90885

Summary: Accessing width or height of a detached image input element causes crash
Product: WebKit
Component: Forms
Status: RESOLVED FIXED
Severity: Normal
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
Reporter: Niels Leenheer (HTML5test) <info>
Assignee: Kent Tamura <tkent>
CC: ap, dw.im, haraken, mifenton, morrita, tkent, webkit.review.bot

Attachments:
  Description    Flags
  Patch          none
  Patch 2        haraken: review+

Niels Leenheer (HTML5test)
Reported 2012-07-10 07:26:01 PDT
Trying to access the height or width of an image input field which has not been appended to the DOM tree will cause the browser to crash. Confirmed with Chrome 22 (nightlies currently do not work on Mountain Lion).

e = document.createElement('input');
e.type = 'image';

typeof e.height;
> ***CRASH***

e.height;
> ***CRASH***

While the following does work:

e = document.createElement('input');
document.body.appendChild(e);
e.type = 'image';

typeof e.height;
> "number"

e.height
> 13
Attachments
Patch (3.88 KB, patch)
2012-07-11 21:19 PDT, Kent Tamura
no flags
Patch 2 (3.86 KB, patch)
2012-07-11 21:20 PDT, Kent Tamura
haraken: review+
Alexey Proskuryakov
Comment 1 2012-07-11 00:31:06 PDT
In a debug build:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore          0x000000010429ef88 WTF::OwnPtr<WebCore::HTMLImageLoader>::operator->() const + 88 (OwnPtr.h:64)
1   com.apple.WebCore          0x000000010438b005 WebCore::ImageInputType::height() const + 165 (ImageInputType.cpp:193)
2   com.apple.WebCore          0x00000001042c37f0 WebCore::HTMLInputElement::height() const + 48 (HTMLInputElement.cpp:1712)
3   com.apple.WebCore          0x00000001046e807a WebCore::jsHTMLInputElementHeight(JSC::ExecState*, JSC::JSValue, JSC::PropertyName) + 74 (JSHTMLInputElement.cpp:378)
4   com.apple.JavaScriptCore   0x0000000102e2e739 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 249 (PropertySlot.h:75)
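
The failure mode in the trace above, modelled as an added example (not WebKit's code and not the patch attached to this bug): a getter dereferences an owning pointer that is still null while the element is detached. CheckedOwnPtr, ImageLoaderModel and ImageInputModel are hypothetical names; that the loader exists only after attach is an assumption inferred from the report, and 13 is the value from its attached case.

```cpp
#include <memory>
#include <stdexcept>

// Stand-in for an owning pointer whose operator-> checks for null, as a
// debug-build assertion would. It throws so that a caller can observe it.
template <typename T>
class CheckedOwnPtr {
public:
    void reset(T* p = nullptr) { m_ptr.reset(p); }
    explicit operator bool() const { return static_cast<bool>(m_ptr); }
    T* operator->() const {
        if (!m_ptr)
            throw std::logic_error("operator-> on null owning pointer");
        return m_ptr.get();
    }
private:
    std::unique_ptr<T> m_ptr;
};

// Hypothetical loader holding the image dimensions (13 as in the report).
struct ImageLoaderModel {
    int width = 13;
    int height = 13;
};

// Hypothetical element. Assumption: the loader is created only on attach.
class ImageInputModel {
public:
    void attach() { if (!m_loader) m_loader.reset(new ImageLoaderModel()); }
    void detach() { m_loader.reset(); }
    // Unguarded getter: dereferences the loader without checking it exists.
    int heightUnguarded() const { return m_loader->height; }
    // Guarded getters: a detached element has no loader and reports 0.
    int height() const { return m_loader ? m_loader->height : 0; }
    int width() const { return m_loader ? m_loader->width : 0; }
private:
    CheckedOwnPtr<ImageLoaderModel> m_loader;
};

// True if the unguarded getter faults on this element.
bool unguardedHeightFaults(const ImageInputModel& e) {
    try { e.heightUnguarded(); } catch (const std::logic_error&) { return true; }
    return false;
}

int main() {
    ImageInputModel detached;  // never attached, as in the report
    return (unguardedHeightFaults(detached) && detached.height() == 0) ? 0 : 1;
}
```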
Kent Tamura
Comment 2 2012-07-11 21:19:10 PDT
Kent Tamura
Comment 3 2012-07-11 21:20:32 PDT
Created attachment 151852
Patch 2

typo
Kentaro Hara
Comment 4 2012-07-11 22:08:07 PDT
Comment on attachment 151852
Patch 2

View in context: https://bugs.webkit.org/attachment.cgi?id=151852&action=review

Looks OK

> LayoutTests/fast/forms/image/width-and-height-of-detached-input.html:4
> +description('Width and height proerties of a detached input element should return 0.');

Nit: proerties => properties
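
Review bot: the description string on line 4 of width-and-height-of-detached-input.html promises 0 for both width and height on a detached input, while the repro in the report and the trace in comment 1 only exercise height, so the test should assert e.width and e.height separately on the detached element. The 'proerties' spelling in the same string should be corrected before landing, as the review nit says.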
Kent Tamura
Comment 5 2012-07-11 22:17:37 PDT