When trying to access the height or width of an image input field which has not been appended to the DOM tree will cause the browser to crash. Confirmed with Chrome 22 (nightlies currently do not work on Mountain Lion). e = document.createElement('input'); e.type = 'image'; typeof e.height; > ***CRASH*** e.height; > ***CRASH*** While the following does work: e = document.createElement('input'); document.body.appendChild(e); e.type = 'image'; typeof e.height; > "number" e.height > 13
In a debug build: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010429ef88 WTF::OwnPtr<WebCore::HTMLImageLoader>::operator->() const + 88 (OwnPtr.h:64) 1 com.apple.WebCore 0x000000010438b005 WebCore::ImageInputType::height() const + 165 (ImageInputType.cpp:193) 2 com.apple.WebCore 0x00000001042c37f0 WebCore::HTMLInputElement::height() const + 48 (HTMLInputElement.cpp:1712) 3 com.apple.WebCore 0x00000001046e807a WebCore::jsHTMLInputElementHeight(JSC::ExecState*, JSC::JSValue, JSC::PropertyName) + 74 (JSHTMLInputElement.cpp:378) 4 com.apple.JavaScriptCore 0x0000000102e2e739 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 249 (PropertySlot.h:75)
Created attachment 151851 [details] Patch
Created attachment 151852 [details] Patch 2 typo
Comment on attachment 151852 [details] Patch 2 View in context: https://bugs.webkit.org/attachment.cgi?id=151852&action=review Looks OK > LayoutTests/fast/forms/image/width-and-height-of-detached-input.html:4 > +description('Width and height proerties of a detached input element should return 0.'); Nit: proerties => properties
Committed r122418: <http://trac.webkit.org/changeset/122418>