68307 2011-09-16 22:08:22 -0700 Crash in WebCore::CSSBorderImageValue::cssText 2011-09-17 16:11:25 -0700 1 1 1 Unclassified WebKit CSS 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Major --- 1 csilv hyatt ap dbeam hyatt oldest_to_newest 469022 0 csilv 2011-09-16 22:08:22 -0700 The following javascript snippit will lead to a crash in WebCore::CSSBorderImageValue::cssText: var el = document.getElementById('bar'); el.style.WebkitMaskBoxImage = '-webkit-linear-gradient(red,green,blue)'; console.log(el.style); This is a regression that was introduced in r95099. The problem with the above snippit is that we are not providing a 'slice' value. Prior to r95099, CSSParser::parseBorderImage would always set a slice value if one was not provided. With the recent changes, a default slice value is no longer set. This will lead to a crash if CSSBorderImageValue::cssText() is called because it assumes m_imageSlice is valid. The simple fix may simply be to change CSSBorderImageValue::cssText() as follows: // Now the slices. if (m_imageSlice) text += m_imageSlice->cssText(); (I am not certain if the above fix is complete or if there are other side effects that may occur due to CSSBorderImageValue lacking an image slice.) Crash log: Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000000 ) 0x01350ab8 [Google Chrome Framework - CSSBorderImageValue.cpp:50] WebCore::CSSBorderImageValue::cssText 0x0139bb23 [Google Chrome Framework - CSSProperty.cpp:32] WebCore::CSSProperty::cssText 0x013745a7 [Google Chrome Framework - CSSMutableStyleDeclaration.cpp:708] WebCore::CSSMutableStyleDeclaration::cssText 0x0115459e [Google Chrome Framework - StyledElement.cpp:116] WebCore::StyledElement::updateStyleAttribute 0x013e61b2 [Google Chrome Framework - Element.h:480] WebCore::SelectorChecker::checkOneSelector 0x013e5bf1 [Google Chrome Framework - SelectorChecker.cpp:421] WebCore::SelectorChecker::checkSelector 0x013cfc8f [Google Chrome Framework - CSSStyleSelector.cpp:1800] WebCore::CSSStyleSelector::checkSelector 0x013b8bb3 [Google Chrome Framework - CSSStyleSelector.cpp:606] WebCore::CSSStyleSelector::matchRulesForList 0x013b88b4 [Google Chrome Framework - CSSStyleSelector.cpp:536] WebCore::CSSStyleSelector::matchRules 0x013b7199 [Google Chrome Framework - CSSStyleSelector.cpp:1204] WebCore::CSSStyleSelector::styleForElement 0x0111f3e5 [Google Chrome Framework - Element.cpp:1055] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle 0x011052a9 [Google Chrome Framework - Document.cpp:1568] WebCore::Document::recalcStyle 0x01106038 [Google Chrome Framework - Document.cpp:1625] WebCore::Document::updateStyleIfNeeded 0x01106164 [Google Chrome Framework - Document.cpp:1652] WebCore::Document::updateLayout 0x01106257 [Google Chrome Framework - Document.cpp:1688] WebCore::Document::updateLayoutIgnorePendingStylesheets 0x0111c2bb [Google Chrome Framework - Element.cpp:347] WebCore::Element::offsetHeight 0x0174056a [Google Chrome Framework - V8Element.cpp:93] WebCore::ElementInternal::offsetHeightAttrGetter 0x00d1df3c [Google Chrome Framework - objects.cc:203] v8::internal::Object::GetPropertyWithCallback 0x00d1dd38 [Google Chrome Framework - objects.cc:583] v8::internal::Object::GetProperty 469089 1 ap 2011-09-17 12:47:26 -0700 <rdar://problem/10142425> 469090 2 ap 2011-09-17 12:49:00 -0700 Are there any live Web sites affected by this? That information greatly affects prioritization. 469098 3 dbeam 2011-09-17 14:00:11 -0700 Well, the New Tab Page in Chrome was affected - on every drag there was a crash because we're adding this style (http://goo.gl/jZpBZ). It was also Chrome Canary's #1 crash the day it was introduced (crbug.com/96851#c1). 469104 4 hyatt 2011-09-17 14:53:07 -0700 Both the image source and image slice just need to be null checked. 469108 5 107777 hyatt 2011-09-17 15:51:57 -0700 Created attachment 107777 Patch 469109 6 hyatt 2011-09-17 16:11:25 -0700 Fixed in r95386. 107777 2011-09-17 15:51:57 -0700 2011-09-17 15:54:53 -0700 Patch patch.txt text/plain 3379 hyatt SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDk1Mzg1KQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTcgQEAKKzIwMTEtMDktMTcgIERhdmlkIEh5 YXR0ICA8aHlhdHRAYXBwbGUuY29tPgorCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD02ODMwNworICAgICAgICAKKyAgICAgICAgQ3Jhc2ggaW4gYm9yZGVy IGltYWdlIGNzc1RleHQuIE1ha2Ugc3VyZSB0byBudWxsIGNoZWNrIGFsbCB0aGUgY29tcG9uZW50 cywgc2luY2UgdGhleSdyZSBhbGwKKyAgICAgICAgb3B0aW9uYWwgbm93LgorCisgICAgICAgIFJl dmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEFkZGVkIGZhc3QvYm9yZGVycy9i b3JkZXItaW1hZ2Utc2xpY2Utb21pc3Npb24uaHRtbAorCisgICAgICAgICogY3NzL0NTU0JvcmRl ckltYWdlVmFsdWUuY3BwOgorICAgICAgICAoV2ViQ29yZTo6Q1NTQm9yZGVySW1hZ2VWYWx1ZTo6 Y3NzVGV4dCk6CisKIDIwMTEtMDktMTcgIEFhcm9uIEJvb2RtYW4gIDxhYUBjaHJvbWl1bS5vcmc+ CiAKICAgICAgICAgUmV3b3JrIHNjcmlwdCBjb250ZXh0IGNyZWF0aW9uL3JlbGVhc2Ugbm90aWZp Y2F0aW9ucwpJbmRleDogU291cmNlL1dlYkNvcmUvY3NzL0NTU0JvcmRlckltYWdlVmFsdWUuY3Bw Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL2Nzcy9DU1NCb3JkZXJJbWFnZVZhbHVlLmNw cAkocmV2aXNpb24gOTUyOTQpCisrKyBTb3VyY2UvV2ViQ29yZS9jc3MvQ1NTQm9yZGVySW1hZ2VW YWx1ZS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTQzLDExICs0MywxNyBAQCBDU1NCb3JkZXJJbWFn ZVZhbHVlOjp+Q1NTQm9yZGVySW1hZ2VWYWx1CiBTdHJpbmcgQ1NTQm9yZGVySW1hZ2VWYWx1ZTo6 Y3NzVGV4dCgpIGNvbnN0CiB7CiAgICAgLy8gSW1hZ2UgZmlyc3QuCi0gICAgU3RyaW5nIHRleHQo bV9pbWFnZS0+Y3NzVGV4dCgpKTsKLSAgICB0ZXh0ICs9ICIgIjsKKyAgICBTdHJpbmcgdGV4dDsK KyAgICAKKyAgICBpZiAobV9pbWFnZSkKKyAgICAgICAgdGV4dCArPSBtX2ltYWdlLT5jc3NUZXh0 KCk7CiAKICAgICAvLyBOb3cgdGhlIHNsaWNlcy4KLSAgICB0ZXh0ICs9IG1faW1hZ2VTbGljZS0+ Y3NzVGV4dCgpOworICAgIGlmIChtX2ltYWdlU2xpY2UpIHsKKyAgICAgICAgaWYgKCF0ZXh0Lmlz RW1wdHkoKSkKKyAgICAgICAgICAgIHRleHQgKz0gIiAiOworICAgICAgICB0ZXh0ICs9IG1faW1h Z2VTbGljZS0+Y3NzVGV4dCgpOworICAgIH0KIAogICAgIC8vIE5vdyB0aGUgYm9yZGVyIHdpZHRo cy4KICAgICBpZiAobV9ib3JkZXJTbGljZSkgewpAQCAtNjIsNyArNjgsOCBAQCBTdHJpbmcgQ1NT Qm9yZGVySW1hZ2VWYWx1ZTo6Y3NzVGV4dCgpIGNvCiAKICAgICBpZiAobV9yZXBlYXQpIHsKICAg ICAgICAgLy8gTm93IHRoZSBrZXl3b3Jkcy4KLSAgICAgICAgdGV4dCArPSAiICI7CisgICAgICAg IGlmICghdGV4dC5pc0VtcHR5KCkpCisgICAgICAgICAgICB0ZXh0ICs9ICIgIjsKICAgICAgICAg dGV4dCArPSBtX3JlcGVhdC0+Y3NzVGV4dCgpOwogICAgIH0KIApJbmRleDogTGF5b3V0VGVzdHMv Q2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2aXNpb24g OTUzODUpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyAr MSwxNCBAQAorMjAxMS0wOS0xNyAgRGF2aWQgSHlhdHQgIDxoeWF0dEBhcHBsZS5jb20+CisKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTY4MzA3CisgICAg ICAgIAorICAgICAgICBDcmFzaCBpbiBib3JkZXIgaW1hZ2UgY3NzVGV4dC4gTWFrZSBzdXJlIHRv IG51bGwgY2hlY2sgYWxsIHRoZSBjb21wb25lbnRzLCBzaW5jZSB0aGV5J3JlIGFsbAorICAgICAg ICBvcHRpb25hbCBub3cuCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgKiBmYXN0L2JvcmRlcnMvYm9yZGVyLWltYWdlLXNsaWNlLW9taXNzaW9uLmh0bWw6 IEFkZGVkLgorCiAyMDExLTA5LTE3ICBDc2FiYSBPc3p0cm9nb27DoWMgIDxvc3N5QHdlYmtpdC5v cmc+CiAKICAgICAgICAgW1F0XVtXSzJdIGZhc3QvZXZlbnRzL21lZGlhLWVsZW1lbnQtZm9jdXMt dGFiLmh0bWwgZmFpbHMKSW5kZXg6IExheW91dFRlc3RzL2Zhc3QvYm9yZGVycy9ib3JkZXItaW1h Z2Utc2xpY2Utb21pc3Npb24tZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3Rz L2Zhc3QvYm9yZGVycy9ib3JkZXItaW1hZ2Utc2xpY2Utb21pc3Npb24tZXhwZWN0ZWQudHh0CShy ZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9ib3JkZXJzL2JvcmRlci1pbWFnZS1zbGlj ZS1vbWlzc2lvbi1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEgQEAKK1RoaXMg dGVzdCBwYXNzZXMgaWYgaXQgZG9lcyBub3QgY3Jhc2guCkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0 L2JvcmRlcnMvYm9yZGVyLWltYWdlLXNsaWNlLW9taXNzaW9uLmh0bWwKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g TGF5b3V0VGVzdHMvZmFzdC9ib3JkZXJzL2JvcmRlci1pbWFnZS1zbGljZS1vbWlzc2lvbi5odG1s CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9ib3JkZXJzL2JvcmRlci1pbWFnZS1z bGljZS1vbWlzc2lvbi5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDE3IEBACis8aHRtbD4K KzxoZWFkPgorPHNjcmlwdD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpCisgICAg d2luZG93LmxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKQorCitmdW5jdGlvbiBydW5U ZXN0KCkKK3sKKyAgIGRvY3VtZW50LmJvZHkuc3R5bGUuYm9yZGVySW1hZ2UgPSAnbm9uZScKKyAg IGRvY3VtZW50LmJvZHkuc3R5bGUuY3NzVGV4dAorfQorPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9k eSBvbmxvYWQ9InJ1blRlc3QoKSI+CitUaGlzIHRlc3QgcGFzc2VzIGlmIGl0IGRvZXMgbm90IGNy YXNoLgorPC9ib2R5PgorCg==