25812 2009-05-14 16:44:37 -0700 Uninitialized varilable referenced while parsing CSS 2009-11-24 18:40:31 -0800 1 1 1 Unclassified WebKit CSS 528+ (Nightly build) PC Windows XP RESOLVED FIXED LayoutTests/fast/canvas/canvas-gradient-addStop-error.html P2 Normal --- 0 kuchhal webkit-unassigned mattm oldest_to_newest 121410 0 kuchhal 2009-05-14 16:44:37 -0700 Debug Safari while opening LayoutTests/fast/canvas/canvas-gradient-addStop-error.html. CSSParserValueList::addValue(const CSSParserValue& v) gets called by cssyparse several times: void CSSParserValueList::addValue(const CSSParserValue& v) { if (v.unit == CSSPrimitiveValue::CSS_PARSER_VARIABLE_FUNCTION_SYNTAX) m_variablesCount++; m_values.append(v); } But looks like in many of these cases v.unit is not really initialized and holds junk value. For example in one instance of such call: - v {id=0 isInt=true fValue=-9.2559592782649444e+061 ...} const WebCore::CSSParserValue & id 0 int isInt true bool fValue -9.2559592782649444e+061 double iValue 58260512 int + string {characters=0x0378fc20 "??" length=-858993460 } WebCore::CSSParserString + function 0x0378fc20 {name={...} args=0x061a0d20 } WebCore::CSSParserFunction * unit 1048577 int Same problem is in CSSParserValueList::~CSSParserValueList() too. It tries to read unit of all m_values when some of them have junk values for unit. 121412 1 dank 2009-05-14 17:10:51 -0700 Originally found on Linux, see http://code.google.com/p/chromium/issues/detail?id=9524, but probably also on other systems. 121479 2 ap 2009-05-15 02:33:27 -0700 See also: bug 22772. 166314 3 mattm 2009-11-24 17:40:59 -0800 I can't repro this now, and inspecting the CSSGrammar.y file it appears all "value" rules set the unit member. I believe it was fixed with http://trac.webkit.org/changeset/44075 (2009-05-22)