Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged...
authorjchaffraix@webkit.org <jchaffraix@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 May 2012 22:08:27 +0000 (22:08 +0000)
committerjchaffraix@webkit.org <jchaffraix@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 May 2012 22:08:27 +0000 (22:08 +0000)
commit64e734eec4bd560158011334726b7f1284923f88
tree8bcb15bef263c09bc39b1b02b0af0b304a6f579f
parentc809f3ac99e743384b5d2a9a514f53164535ad5a
Crash in computedCSSPadding* functions due to RenderImage::imageDimensionsChanged called during attachment
https://bugs.webkit.org/show_bug.cgi?id=85912

Reviewed by Eric Seidel.

Source/WebCore:

Tests: fast/images/link-body-content-imageDimensionChanged-crash.html
       fast/images/script-counter-imageDimensionChanged-crash.html

The bug comes from CSS generated images that could end up calling imageDimensionsChanged during attachment. As the
rest of the code (e.g. computedCSSPadding*) would assumes that we are already inserted in the tree, we would crash.

The solution is to bail out in this case as newly inserted RenderObject will trigger layout later on and properly
handle what we would be doing as part of imageDimensionChanged (the only exception being updating our intrinsic
size which should be done as part of imageDimensionsChanged).

* rendering/RenderImage.cpp:
(WebCore::RenderImage::imageDimensionsChanged):

LayoutTests:

* fast/images/link-body-content-imageDimensionChanged-crash-expected.txt: Added.
* fast/images/link-body-content-imageDimensionChanged-crash.html: Added.
* fast/images/script-counter-imageDimensionChanged-crash-expected.txt: Added.
* fast/images/script-counter-imageDimensionChanged-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@116693 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/link-body-content-imageDimensionChanged-crash.html [new file with mode: 0644]
LayoutTests/fast/images/script-counter-imageDimensionChanged-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/script-counter-imageDimensionChanged-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderImage.cpp