RESOLVED FIXED 108409
Making -webkit-image-set() the first value of background property causes crash.
https://bugs.webkit.org/show_bug.cgi?id=108409
Simon Fraser (smfr)
Reported 2013-01-30 17:31:07 PST
Created attachment 185633 [details]
Testcase (crashes!)

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001035517a9 WebCore::CSSPrimitiveValue::getDoubleValue() const + 9
1 com.apple.WebCore 0x0000000103521933 WebCore::CSSImageSetValue::fillImageSet() + 99
2 com.apple.WebCore 0x0000000103521b01 WebCore::CSSImageSetValue::cachedImageSet(WebCore::CachedResourceLoader*) + 97
3 com.apple.WebCore 0x0000000103c74a21 WebCore::StyleResolver::loadPendingImage(WebCore::StylePendingImage*) + 241
4 com.apple.WebCore 0x0000000103c74d47 WebCore::StyleResolver::loadPendingImages() + 759
5 com.apple.WebCore 0x0000000103c67a23 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*) + 1091
6 com.apple.WebCore 0x0000000103c6366c WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*) + 4236
7 com.apple.WebCore 0x000000010368581e WebCore::Element::styleForRenderer() + 126
8 com.apple.WebCore 0x0000000103a9bb14 WebCore::NodeRenderingContext::createRendererForElementIfNeeded() + 52
9 com.apple.WebCore 0x000000010301994a WebCore::Element::attach() + 58
10 com.apple.WebCore 0x0000000103718afc WebCore::executeTask(WebCore::HTMLConstructionSiteTask&) + 172
Attachments
Testcase (crashes!) (203 bytes, text/html)
2013-01-30 17:31 PST, Simon Fraser (smfr)
no flags
Patch (3.91 KB, patch)
2013-01-30 22:29 PST, Takashi Sakamoto
no flags
Patch (3.96 KB, patch)
2013-01-30 23:33 PST, Takashi Sakamoto
no flags
Radar WebKit Bug Importer
Comment 1 2013-01-30 17:31:34 PST
Simon Fraser (smfr)
Comment 2 2013-01-30 17:34:45 PST
Found by Detmund_ on #webkit
Simon Fraser (smfr)
Comment 3 2013-01-30 17:35:52 PST
s/Detmund_/DETMUD
Simon Fraser (smfr)
Comment 4 2013-01-30 17:37:06 PST
Debug build hits:

ASSERTION FAILED: imageValue->isImageValue()
/Volumes/SSData/Development/OSX/webkit/OpenSource/Source/WebCore/css/CSSImageSetValue.cpp(65) : void WebCore::CSSImageSetValue::fillImageSet()
1 0x103872c95 WebCore::CSSImageSetValue::fillImageSet()
2 0x10387304b WebCore::CSSImageSetValue::cachedImageSet(WebCore::CachedResourceLoader*)
3 0x104e993c0 WebCore::StyleResolver::loadPendingImage(WebCore::StylePendingImage*)
4 0x104e99713 WebCore::StyleResolver::loadPendingImages()
5 0x104e90fe9 WebCore::StyleResolver::loadPendingResources()
6 0x104e8a362 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*)
7 0x104e84570 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*)
detmud
Comment 5 2013-01-30 18:03:07 PST
It's not just the -webkit-image-set() in the body, it's the layering of -webkit-image-set() and -webkit-gradient() in the body. Detmud_ #webkit
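The debug assertion in Comment 4 (imageValue->isImageValue()) and the release-build crash in CSSPrimitiveValue::getDoubleValue() are two faces of the same defect: code consuming the image-set value list assumed every entry had the expected type, and a layered -webkit-gradient() ended up in that list. The following C++ is an added illustration of that failure mode and of the checked alternative; it is not WebCore's code and not the fix that landed in r141701. The value types, the `fillImageSet` and `uncheckedFillThrows` functions and the two sample lists are constructed stand-ins for the real CSSImageValue / CSSGradientValue / CSSPrimitiveValue classes.

```cpp
// Added illustration, not WebCore code: a CSS value list consumer that trusts
// the list's shape (unchecked) beside one that verifies each entry's type.
#include <exception>
#include <iostream>
#include <optional>
#include <string>
#include <variant>
#include <vector>

// Constructed stand-ins for the CSS value kinds involved in the bug.
struct ImageValue     { std::string url; };
struct GradientValue  { std::string from, to; };
struct PrimitiveValue { double number; };   // the "1x" / "2x" scale factor
using CssValue = std::variant<ImageValue, GradientValue, PrimitiveValue>;

struct ImageWithScale { std::string url; double scale; };

// Checked consumer: an image-set list is a sequence of (image, scale) pairs.
// Every entry's type is inspected before use, and the whole set is rejected
// (std::nullopt) when the list does not match that grammar, rather than
// downcasting an entry that may be a gradient.
std::optional<std::vector<ImageWithScale>> fillImageSet(const std::vector<CssValue>& list) {
    if (list.empty() || list.size() % 2 != 0)
        return std::nullopt;                       // odd length: a pair is incomplete
    std::vector<ImageWithScale> out;
    for (size_t i = 0; i < list.size(); i += 2) {
        const auto* image = std::get_if<ImageValue>(&list[i]);
        const auto* scale = std::get_if<PrimitiveValue>(&list[i + 1]);
        if (!image || !scale || !(scale->number > 0))
            return std::nullopt;                   // wrong type or non-positive scale
        out.push_back({image->url, scale->number});
    }
    return out;
}

// Unchecked consumer for contrast: assumes even entries are images and odd
// entries are primitives. std::get throws std::bad_variant_access on a type
// mismatch, the analogue here of the assertion / crash quoted on this bug.
// Returns true if consuming the list threw.
bool uncheckedFillThrows(const std::vector<CssValue>& list) {
    try {
        for (size_t i = 0; i < list.size(); i += 2) {
            (void)std::get<ImageValue>(list.at(i));                 // blind downcast
            (void)std::get<PrimitiveValue>(list.at(i + 1)).number;  // blind downcast
        }
        return false;
    } catch (const std::exception&) {   // bad_variant_access or out_of_range
        return true;
    }
}

// Constructed input: the image-set the test case intends,
//   -webkit-image-set(url(images/noise.png) 1x, url(images/noise@2x.png) 2x)
std::vector<CssValue> wellFormedSet() {
    return { ImageValue{"images/noise.png"},    PrimitiveValue{1.0},
             ImageValue{"images/noise@2x.png"}, PrimitiveValue{2.0} };
}

// Constructed input modelling the failure: the following -webkit-gradient()
// layer has been swept into the same list, so an image slot holds a gradient.
std::vector<CssValue> setWithGradientSweptIn() {
    auto list = wellFormedSet();
    list.push_back(GradientValue{"#eaeaea", "#d2d2d2"});
    return list;
}

int main() {
    std::cout << "well-formed accepted:  " << fillImageSet(wellFormedSet()).has_value() << "\n";
    std::cout << "gradient rejected:     " << !fillImageSet(setWithGradientSweptIn()).has_value() << "\n";
    std::cout << "unchecked path throws: " << uncheckedFillThrows(setWithGradientSweptIn()) << "\n";
    return 0;
}
```

The point of the checked version is that a malformed list produced upstream (here, by whatever let a gradient layer into the set) becomes a rejected style value rather than a bad downcast; the debug-only assertion in the original only documents the assumption, it does not enforce it in release builds.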
Takashi Sakamoto
Comment 6 2013-01-30 22:29:29 PST
Simon Fraser (smfr)
Comment 7 2013-01-30 22:53:37 PST
Comment on attachment 185678 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=185678&action=review

> Source/WebCore/ChangeLog:3
> + -webkit-image-set() on the body causes crash

The crash is not related to the image-set being used on the body. Please amend the bug title and Changelog.

> LayoutTests/fast/css/image-set-value-crash-in-fillImageSet.html:17
> + -webkit-image-set(
> + url(images/noise.png) 1x,
> + url(images/noise@2x.png) 2x),
> + -webkit-gradient(
> + linear, left top, left bottom,
> + from(#eaeaea),
> + to(#d2d2d2)
> + );">

Please remove the tabs, and unwrap the lines.
Takashi Sakamoto
Comment 8 2013-01-30 23:33:20 PST
Takashi Sakamoto
Comment 9 2013-01-30 23:34:48 PST
Comment on attachment 185678 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=185678&action=review

Thank you for reviewing.

>> Source/WebCore/ChangeLog:3
>> + -webkit-image-set() on the body causes crash
>
> The crash is not related to the image-set being used on the body. Please amend the bug title and Changelog.

Sure. Done.

>> LayoutTests/fast/css/image-set-value-crash-in-fillImageSet.html:17
>> + );">
>
> Please remove the tabs, and unwrap the lines.

Done. I also moved the inline style to a style element in document.head.
WebKit Review Bot
Comment 10 2013-02-02 12:57:22 PST
Comment on attachment 185684 [details]
Patch

Clearing flags on attachment: 185684

Committed r141701: <http://trac.webkit.org/changeset/141701>
WebKit Review Bot
Comment 11 2013-02-02 12:57:26 PST
All reviewed patches have been landed. Closing bug.