49055 2010-11-04 21:25:10 -0700 getPropertyValue("background") causes crash 2010-11-08 08:56:23 -0800 1 1 1 Unclassified WebKit CSS 528+ (Nightly build) Mac (Intel) OS X 10.6 RESOLVED FIXED P1 Major --- 1 max apavlov ap phnixwxz oldest_to_newest 305129 0 73032 max 2010-11-04 21:25:10 -0700 Created attachment 73032 reduced test case - TRIGGERS CRASH WHEN OPENED WebCore::CSSPrimitiveValue::getIdent() crashes Webkit when certain styling conditions are met. This crash can be triggered by running `getPropertyValue("background")` on a CSSStyleDeclaration object in Javascript, as long as that style declaration sets the `background` shorthand property with a minimum of two background image values and sets the `background-repeat` property to a maximum of one less value than set in the `background` property. The actual values of the two properties does not seem to matter--the `background` shorthand may contain any kind of images/image functions, and may or may not specify background-repeat or other background values itself. The source of the rule (style attribute, element, etc) does not matter, but both properties must be set within a single rule declaration. The crash can also be triggered by the Web Inspector trying to display said CSS rule in the style pane. I have attached a test case which makes the bug easy to reproduce. Simply opening it will cause the crash. Here's the top my crash log: Process: Safari [26168] Path: /Applications/Safari.app/Contents/MacOS/Safari Identifier: org.webkit.nightly.WebKit Version: r71204 (71204) Code Type: X86-64 (Native) Parent Process: launchd [355] Date/Time: 2010-11-04 20:59:02.010 -0700 OS Version: Mac OS X 10.6.4 (10F569) Report Version: 6 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000000c Crashed Thread: 0 Dispatch queue: com.apple.main-thread Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000100d65964 WebCore::CSSPrimitiveValue::getIdent() + 4 1 com.apple.WebCore 0x0000000100d4603a WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue(int const*, unsigned int) const + 1370 2 com.apple.WebCore 0x0000000100d47343 WebCore::CSSMutableStyleDeclaration::getPropertyValue(int) const + 1075 3 com.apple.WebCore 0x0000000100d74af0 WebCore::CSSStyleDeclaration::getPropertyValue(WTF::String const&) + 80 The next lines in the backtrace vary depending on how the bug is triggered (starting with either "WebCore::InspectorDOMAgent::shorthandValue(WebCore::CSSStyleDeclaration*, WTF::String const&) + 39", or "WebCore::jsCSSStyleDeclarationPrototypeFunctionGetPropertyValue(JSC::ExecState*) + 310") This bug also effects release Safari 5.0.2 (6533.18.5). 305498 1 ap 2010-11-05 13:54:25 -0700 See also: <rdar://problem/8100046> (only visible to Apple employees). 306103 2 73237 apavlov 2010-11-08 06:27:55 -0800 Created attachment 73237 [PATCH] Suggested fix The code obviously lacks a NULL check since the input is pre-modified for every property layer. 306129 3 73237 hyatt 2010-11-08 08:21:37 -0800 Comment on attachment 73237 [PATCH] Suggested fix r=me 306145 4 apavlov 2010-11-08 08:56:23 -0800 Committed r71530: <http://trac.webkit.org/changeset/71530> 73032 2010-11-04 21:25:10 -0700 2010-11-04 21:25:10 -0700 reduced test case - TRIGGERS CRASH WHEN OPENED reduction.html text/html 142 max PGJvZHkgc3R5bGU9ImJhY2tncm91bmQ6dXJsKCksdXJsKCk7IGJhY2tncm91bmQtcmVwZWF0Om5v LXJlcGVhdDsiPjxzY3JpcHQ+ZG9jdW1lbnQuYm9keS5zdHlsZS5nZXRQcm9wZXJ0eVZhbHVlKCJi YWNrZ3JvdW5kIik8L3NjcmlwdD48L2JvZHk+Cg== 73237 2010-11-08 06:27:55 -0800 2010-11-08 08:21:37 -0800 [PATCH] Suggested fix norepeat.patch text/plain 3843 apavlov Y29tbWl0IDQ2NTYzNTVkZDU4Mjk1N2MyYTY3MzViZDQxOTNmNjQyYmM4ODFjNzEKQXV0aG9yOiBB bGV4YW5kZXIgUGF2bG92IDxhcGF2bG92QGNocm9taXVtLm9yZz4KRGF0ZTogICBNb24gTm92IDgg MTc6MjM6MjYgMjAxMCArMDMwMAoKICAgIEZpeCBjcmFzaAoKZGlmZiAtLWdpdCBhL0xheW91dFRl c3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCBjMjE5MWQ5Li4yNmJl YzVhIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMv Q2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTAtMTEtMDggIEFsZXhhbmRlciBQYXZsb3Yg IDxhcGF2bG92QGNocm9taXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBnZXRQcm9wZXJ0eVZhbHVlKCJiYWNrZ3JvdW5kIikgY2F1c2VzIGNy YXNoCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00OTA1 NQorCisgICAgICAgICogZmFzdC9jc3MvYmFja2dyb3VuZC1ub3JlcGVhdC1jcmFzaC1leHBlY3Rl ZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGZhc3QvY3NzL2JhY2tncm91bmQtbm9yZXBlYXQtY3Jh c2guaHRtbDogQWRkZWQuCisKIDIwMTAtMTEtMDggIFJlbmF0YSBIb2RvdmFuICA8cmVuaUB3ZWJr aXQub3JnPgogCiAgICAgICAgIFJldmlld2VkIGJ5IE5pa29sYXMgWmltbWVybWFubi4KZGlmZiAt LWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvY3NzL2JhY2tncm91bmQtbm9yZXBlYXQtY3Jhc2gtZXhw ZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvZmFzdC9jc3MvYmFja2dyb3VuZC1ub3JlcGVhdC1jcmFz aC1leHBlY3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uZTUzNWZk NAotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2Zhc3QvY3NzL2JhY2tncm91bmQtbm9y ZXBlYXQtY3Jhc2gtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsOSBAQAorbGF5ZXIgYXQgKDAsMCkg c2l6ZSA4MDB4NjAwCisgIFJlbmRlclZpZXcgYXQgKDAsMCkgc2l6ZSA4MDB4NjAwCitsYXllciBh dCAoMCwwKSBzaXplIDgwMHg2MDAKKyAgUmVuZGVyQmxvY2sge0hUTUx9IGF0ICgwLDApIHNpemUg ODAweDYwMAorICAgIFJlbmRlckJvZHkge0JPRFl9IGF0ICg4LDgpIHNpemUgNzg0eDU3NgorICAg ICAgUmVuZGVyQmxvY2sge1B9IGF0ICgwLDApIHNpemUgNzg0eDM2CisgICAgICAgIFJlbmRlclRl eHQgeyN0ZXh0fSBhdCAoMCwwKSBzaXplIDY4NngzNgorICAgICAgICAgIHRleHQgcnVuIGF0ICgw LDApIHdpZHRoIDY4NjogIlRlc3QgZm9yIGNyYXNoIHdoZW4gcmV0cmlldmluZyB0aGUgaW1wbGlj aXQgXCJiYWNrZ3JvdW5kXCIgcHJvcGVydHkgdmFsdWUgd2l0aCBcImJhY2tncm91bmQtcmVwZWF0 OiBuby1yZXBlYXRcIiIKKyAgICAgICAgICB0ZXh0IHJ1biBhdCAoMCwxOCkgd2lkdGggNTY1OiAi KGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00OTA1NSkuIElmIHRoaXMg dGV4dCBhcHBlYXJzLCB0aGUgdGVzdCBoYXMgcGFzc2VkLiIKZGlmZiAtLWdpdCBhL0xheW91dFRl c3RzL2Zhc3QvY3NzL2JhY2tncm91bmQtbm9yZXBlYXQtY3Jhc2guaHRtbCBiL0xheW91dFRlc3Rz L2Zhc3QvY3NzL2JhY2tncm91bmQtbm9yZXBlYXQtY3Jhc2guaHRtbApuZXcgZmlsZSBtb2RlIDEw MDY0NAppbmRleCAwMDAwMDAwLi5mMTAxMzJhCi0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVz dHMvZmFzdC9jc3MvYmFja2dyb3VuZC1ub3JlcGVhdC1jcmFzaC5odG1sCkBAIC0wLDAgKzEsNiBA QAorPGJvZHkgc3R5bGU9ImJhY2tncm91bmQ6dXJsKCksdXJsKCk7IGJhY2tncm91bmQtcmVwZWF0 Om5vLXJlcGVhdDsiPgorPHNjcmlwdD5kb2N1bWVudC5ib2R5LnN0eWxlLmdldFByb3BlcnR5VmFs dWUoImJhY2tncm91bmQiKTwvc2NyaXB0PgorPHA+CisgICAgVGVzdCBmb3IgY3Jhc2ggd2hlbiBy ZXRyaWV2aW5nIHRoZSBpbXBsaWNpdCAiYmFja2dyb3VuZCIgcHJvcGVydHkgdmFsdWUgd2l0aCAi YmFja2dyb3VuZC1yZXBlYXQ6IG5vLXJlcGVhdCIgKGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD00OTA1NSkuIElmIHRoaXMgdGV4dCBhcHBlYXJzLCB0aGUgdGVzdCBoYXMg cGFzc2VkLgorPC9wPgorPC9ib2R5PgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9DaGFuZ2VMb2cgYi9X ZWJDb3JlL0NoYW5nZUxvZwppbmRleCA2OWYxZmI4Li43ZWRhMGQyIDEwMDY0NAotLS0gYS9XZWJD b3JlL0NoYW5nZUxvZworKysgYi9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisy MDEwLTExLTA4ICBBbGV4YW5kZXIgUGF2bG92ICA8YXBhdmxvdkBjaHJvbWl1bS5vcmc+CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgZ2V0UHJvcGVydHlW YWx1ZSgiYmFja2dyb3VuZCIpIGNhdXNlcyBjcmFzaAorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDkwNTUKKworICAgICAgICBUZXN0OiBmYXN0L2Nzcy9i YWNrZ3JvdW5kLW5vcmVwZWF0LWNyYXNoLmh0bWwKKworICAgICAgICAqIGNzcy9DU1NNdXRhYmxl U3R5bGVEZWNsYXJhdGlvbi5jcHA6CisgICAgICAgIChXZWJDb3JlOjpDU1NNdXRhYmxlU3R5bGVE ZWNsYXJhdGlvbjo6Z2V0TGF5ZXJlZFNob3J0aGFuZFZhbHVlKToKKwogMjAxMC0xMS0wOCAgUmVu YXRhIEhvZG92YW4gIDxyZW5pQHdlYmtpdC5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgTmlr b2xhcyBaaW1tZXJtYW5uLgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9jc3MvQ1NTTXV0YWJsZVN0eWxl RGVjbGFyYXRpb24uY3BwIGIvV2ViQ29yZS9jc3MvQ1NTTXV0YWJsZVN0eWxlRGVjbGFyYXRpb24u Y3BwCmluZGV4IDliMWRkNzEuLjAyMzE5ZjUgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvY3NzL0NTU011 dGFibGVTdHlsZURlY2xhcmF0aW9uLmNwcAorKysgYi9XZWJDb3JlL2Nzcy9DU1NNdXRhYmxlU3R5 bGVEZWNsYXJhdGlvbi5jcHAKQEAgLTMzNiw3ICszMzYsOSBAQCBTdHJpbmcgQ1NTTXV0YWJsZVN0 eWxlRGVjbGFyYXRpb246OmdldExheWVyZWRTaG9ydGhhbmRWYWx1ZShjb25zdCBpbnQqIHByb3Bl cnRpZQogICAgICAgICAgICAgLy8gdGhlbiBpdCB3YXMgd3JpdHRlbiB3aXRoIG9ubHkgb25lIHZh bHVlLiBIZXJlIHdlIGZpZ3VyZSBvdXQgd2hpY2ggdmFsdWUgdGhhdCB3YXMgc28gd2UgY2FuCiAg ICAgICAgICAgICAvLyByZXBvcnQgYmFjayBjb3JyZWN0bHkuIAogICAgICAgICAgICAgaWYgKHBy b3BlcnRpZXNbal0gPT0gQ1NTUHJvcGVydHlCYWNrZ3JvdW5kUmVwZWF0WCAmJiBpc1Byb3BlcnR5 SW1wbGljaXQocHJvcGVydGllc1tqXSkpIHsKLSAgICAgICAgICAgICAgICBpZiAoaiA8IG51bWJl ciAtIDEgJiYgcHJvcGVydGllc1tqICsgMV0gPT0gQ1NTUHJvcGVydHlCYWNrZ3JvdW5kUmVwZWF0 WSkgeworCisgICAgICAgICAgICAgICAgLy8gQlVHIDQ5MDU1OiBtYWtlIHN1cmUgdGhlIHZhbHVl IHdhcyBub3QgcmVzZXQgaW4gdGhlIGxheWVyIGNoZWNrIGp1c3QgYWJvdmUuCisgICAgICAgICAg ICAgICAgaWYgKGogPCBudW1iZXIgLSAxICYmIHByb3BlcnRpZXNbaiArIDFdID09IENTU1Byb3Bl cnR5QmFja2dyb3VuZFJlcGVhdFkgJiYgdmFsdWUpIHsKICAgICAgICAgICAgICAgICAgICAgUmVm UHRyPENTU1ZhbHVlPiB5VmFsdWU7CiAgICAgICAgICAgICAgICAgICAgIFJlZlB0cjxDU1NWYWx1 ZT4gbmV4dFZhbHVlID0gdmFsdWVzW2ogKyAxXTsKICAgICAgICAgICAgICAgICAgICAgaWYgKG5l eHRWYWx1ZS0+aXNWYWx1ZUxpc3QoKSkK