VERIFIED FIXED 8132
CSS parser sometimes accepts real number as integer 
https://bugs.webkit.org/show_bug.cgi?id=8132
Summary CSS parser sometimes accepts real number as integer
Gérard Talbot (no longer involved)
Reported 2006-04-01 19:06:03 PST
rgb(int, int, float) is accepted by the CSS parser when it should trigger an error and subsequent error condition. References: "The format of an RGB value in the functional notation is 'rgb(' followed by a comma-separated list of three numerical values (either three *_integer_* values or three percentage values) followed by ')'." CSS 2.1, Section 4.3.6 Colors http://www.w3.org/TR/CSS21/syndata.html#value-def-color "An <integer> consists of one or more digits "0" to "9". A <number> can either be an <integer>, or it can be zero or more digits followed by a dot (.) followed by one or more digits." CSS 2.1, Section 4.3.1 Integers and real numbers http://www.w3.org/TR/CSS21/syndata.html#q15 "illegal values, or values with illegal parts, are treated as if the declaration weren't there at all" CSS1 Forward compatibility http://www.w3.org/TR/CSS1#forward-compatible-parsing So, an integer, according to CSS 2.1, clearly excludes the presence of a dot (.), therefore selector {color: rgb(0, 0, 128.0);} should trigger a CSS parsing error and the whole declaration should be dropped, ignored. This is what the testcase at provided URL tests. Safari 2.02 (41613) fails the second line of the testcase at provided URL: the 2nd line is blue and not green. Another good testpage is: http://www.hixie.ch/tests/evil/css/css21/tests/t040306-syntax-01-f.htm I searched for a duplicate and couldn't find one.
Attachments
Proposed patch (3.00 KB, patch)
2006-05-05 14:06 PDT, Rob Buis 		no flags
DetailsFormatted DiffDiff
Updated patch (3.95 KB, patch)
2006-05-07 04:52 PDT, Rob Buis 		darin: review-
DetailsFormatted DiffDiff
Updated patch after darins feedback (5.55 KB, patch)
2006-05-07 13:16 PDT, Rob Buis 		darin: review-
DetailsFormatted DiffDiff
Updated patch, removing unrelated code (5.16 KB, patch)
2006-05-08 00:58 PDT, Rob Buis 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2006-04-10 10:44:24 PDT
FWIW, WinIE 6 and Safari give identical results for the test from the bug URL - but Firefox passes.
Rob Buis
Comment 2 2006-05-05 14:06:02 PDT
Created attachment 8128 [details] Proposed patch This patch solves the problem, but I do not know whether it has the right approach. Also the new flag true_float should probably part of a bit string. Because of this I do not request a review yet, but would like some feedback :) Cheers, Rob.
Rob Buis
Comment 3 2006-05-07 04:52:13 PDT
Created attachment 8141 [details] Updated patch Updated version after feedback from othermaciej. No extra shift/reduce conflicts are added because of this patch. Cheers, Rob.
Darin Adler
Comment 4 2006-05-07 10:28:14 PDT
Comment on attachment 8141 [details] Updated patch num [0-9]+|[0-9]*"."[0-9]+ +intnum [0-9]+|[0-9]* This looks wrong to me. [0-9]+ would be correct, the [0-9]* part is not relevant nor do we need a "|". I'm also unclear on how flex handles the ambiguity since both {num} and {intnum} can match the same thing. We might need to rearrange the regular expressions so that is not the case. I suggest using INTEGER instead of INTNUMBER and perhaps changing the name of NUMBER to something like FLOAT. We need a test case. We don't check in bug fixes without test cases.
Rob Buis
Comment 5 2006-05-07 13:16:57 PDT
Created attachment 8151 [details] Updated patch after darins feedback Indeed the regexp was badly copy-pasted, corrected now. I think it also increases the number of conflicts, but the tests show no difference. Finally, I took the original testcase and places it in css2.1/, not sure if that is the best place, but the testcase itself is pretty clear IMHO. Cheers, Rob.
Darin Adler
Comment 6 2006-05-07 18:45:44 PDT
(In reply to comment #5) > I think it also increases the number of conflicts, but the tests show no difference. I believe a change to the lexer could change the number of conflicts. Conflicts are something in the Bison-generated parser, not the Flex-generated lexer. > I took the original testcase and placed it in css2.1 The test case is not included in the patch.
Darin Adler
Comment 7 2006-05-07 18:46:13 PDT
(In reply to comment #6) > The test case is not included in the patch. Oops, my bad. It is.
Darin Adler
Comment 8 2006-05-07 18:50:20 PDT
Comment on attachment 8151 [details] Updated patch after darins feedback + | IMPORT_SYM maybe_space string_or_uri maybe_space maybe_media_list { + $$ = static_cast<CSSParser *>(parser)->createImportRule($3, $5); + } What does this change have to do with the bug you're fixing? Looks like something else you were working on? I think it's quite ugly that isInt is there all the time, but only used for the CSS_NUMBER case. Might need at least a comment to make that clear. review- just because of the IMPORT_SYM line; no need for more review, but we need a patch without that change
Rob Buis
Comment 9 2006-05-08 00:58:00 PDT
Created attachment 8162 [details] Updated patch, removing unrelated code Indeed I had bits from another patch in there. Just shows that creating patches while watching a movie is a bad idea :) Cheers, Rob.
Rob Buis
Comment 10 2006-05-12 01:00:21 PDT
Comment on attachment 8162 [details] Updated patch, removing unrelated code Hmm, no idea why I didnt ask for review before :}
Alexey Proskuryakov
Comment 11 2006-05-13 08:08:16 PDT
Landed the test into fast/css, rather than css2.1 (the latter contains W3C tests).
Timothy Hatcher
Comment 12 2006-05-13 10:26:02 PDT
Landed in r14352
Note You need to log in before you can comment on or make changes to this bug.