52225 – Webkit crashes when a gradient is applied using the first-line pseudo element

RESOLVED FIXED 52225

Webkit crashes when a gradient is applied using the first-line pseudo element

https://bugs.webkit.org/show_bug.cgi?id=52225

Summary Webkit crashes when a gradient is applied using the first-line pseudo element

Matias

Reported 2011-01-11 10:52:51 PST

The following code crashes with Webkit for me (can be tested on the url above): <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Test</title> <style> body { background: #eee; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-weight: 200; } #wrapper { margin: 150px auto; width: 700px; } .sleeve_main { background: #fff; margin: 0; padding: 100px 40px; border-radius: 8px; } h2:first-line { background-image: -webkit-gradient(linear, 0% 0%, 0% 100%, from(#EED200), to(#EDBE00)); } </style> </head> <body> <div id="wrapper"> <div class="sleeve_main"> <h2>Quisque facilisis erat a dui. Nam malesuada ornare dolor.</h2> </div> </div> </body> </html>

Attachments
Patch (3.52 KB, patch) 2011-01-11 21:13 PST, Simon Fraser (smfr)	mitz: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2011-01-11 11:26:17 PST

<rdar://problem/8045778>

Simon Fraser (smfr)

Comment 2 2011-01-11 20:56:36 PST

The problem here is that we don't go through the normal updateFillImages() code for the :first-line style (which might be a cached pseudostyle), so the image has no reference to its clients, and the CSSValue fails to cache the Image in its hash table, so nothing keeps the Image alive.

Simon Fraser (smfr)

Comment 3 2011-01-11 21:04:51 PST

The fact that the RenderObject isn't registered as a client of the image in the pseudostyle is also evident in the fact that animated background-images used in :first-line fail to repaint their renderer.

Simon Fraser (smfr)

Comment 4 2011-01-11 21:13:49 PST

Created attachment 78648 [details] Patch

Simon Fraser (smfr)

Comment 5 2011-01-11 21:30:58 PST

http://trac.webkit.org/changeset/75585

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Mac (Intel)

OS OS X 10.6

Product WebKit

Component Layout and Rendering

Assignee

Simon Fraser (smfr)

Reported

2011-01-11 10:52 PST

Modified

2011-01-11 21:30 PST History

CC List

3 users Show

URL

http://matiasventura.com/test.htm

Keywords InRadar

Depends on

Blocks