Bug 90885

Summary: Accessing width or height of a detached image input element causes crash
Product: WebKit
Reporter: Niels Leenheer (HTML5test) <info>
Component: Forms
Assignee: Kent Tamura <tkent>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, dw.im, haraken, mifenton, morrita, tkent, webkit.review.bot
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
  Patch (flags: none)
  Patch 2 (flags: haraken: review+)

Description Niels Leenheer (HTML5test) 2012-07-10 07:26:01 PDT
Trying to access the height or width of an image input field which has not been appended to the DOM tree will cause the browser to crash. Confirmed with Chrome 22 (nightlies currently do not work on Mountain Lion).

e = document.createElement('input');
e.type = 'image';

typeof e.height;
> ***CRASH***

e.height;
> ***CRASH***


While the following does work:

e = document.createElement('input');
document.body.appendChild(e);
e.type = 'image';

typeof e.height;
> "number"

e.height
> 13
Comment 1 Alexey Proskuryakov 2012-07-11 00:31:06 PDT
In a debug build:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010429ef88 WTF::OwnPtr<WebCore::HTMLImageLoader>::operator->() const + 88 (OwnPtr.h:64)
1   com.apple.WebCore             	0x000000010438b005 WebCore::ImageInputType::height() const + 165 (ImageInputType.cpp:193)
2   com.apple.WebCore             	0x00000001042c37f0 WebCore::HTMLInputElement::height() const + 48 (HTMLInputElement.cpp:1712)
3   com.apple.WebCore             	0x00000001046e807a WebCore::jsHTMLInputElementHeight(JSC::ExecState*, JSC::JSValue, JSC::PropertyName) + 74 (JSHTMLInputElement.cpp:378)
4   com.apple.JavaScriptCore      	0x0000000102e2e739 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 249 (PropertySlot.h:75)
Comment 2 Kent Tamura 2012-07-11 21:19:10 PDT
Created attachment 151851
Patch
Comment 3 Kent Tamura 2012-07-11 21:20:32 PDT
Created attachment 151852
Patch 2

typo
Comment 4 Kentaro Hara 2012-07-11 22:08:07 PDT
Comment on attachment 151852
Patch 2

View in context: https://bugs.webkit.org/attachment.cgi?id=151852&action=review

Looks OK

> LayoutTests/fast/forms/image/width-and-height-of-detached-input.html:4
> +description('Width and height proerties of a detached input element should return 0.');

Nit: proerties => properties
Comment 5 Kent Tamura 2012-07-11 22:17:37 PDT
Committed r122418: <http://trac.webkit.org/changeset/122418>