Bug 138774

Summary: Crash when setting 'alt' CSS property to inherit or initial
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: CSS
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: cfleizach, commit-queue, darin, dino, kling
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 138778

Attachments:
  Patch (flags: none)
  Patch (flags: none)

Description Chris Dumez 2014-11-15 23:16:33 PST
Crash when setting 'alt' CSS property to inherit or initial:

   1 com.apple.WebCore              0x1150c32ec WebCore::CSSPrimitiveValue::isString() const + 0xc
   2 com.apple.WebCore              0x1169f6e09 WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*) + 0x11e9
   3 com.apple.WebCore              0x116a03817 WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&) + 0xd7
   4 com.apple.WebCore              0x1169f5ada WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int) + 0xaa
   5 com.apple.WebCore              0x1169f4227 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 0x747
   6 com.apple.WebCore              0x1169f1eb3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 0x4e3
   7 com.apple.WebCore              0x116a23543 WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 0x153
   8 com.apple.WebCore              0x116a226a0 WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0xd0
   9 com.apple.WebCore              0x116a22267 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0x107
  10 com.apple.WebCore              0x116a22c6b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 0x15b
  11 com.apple.WebCore              0x116a22339 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0x1d9
  12 com.apple.WebCore              0x116a22c6b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 0x15b
  13 com.apple.WebCore              0x116a22339 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0x1d9
  14 com.apple.WebCore              0x116a215b0 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 0x190
  15 com.apple.WebCore              0x116a1eeed WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 0x12d
  16 com.apple.WebCore              0x116a1eda8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 0x1e8
  17 com.apple.WebCore              0x1152a7606 WebCore::Document::recalcStyle(WebCore::Style::Change) + 0x1d6
  18 com.apple.WebCore              0x1152a37ef WebCore::Document::updateStyleIfNeeded() + 0x1af
  19 com.apple.WebCore              0x1152b40a2 WebCore::Document::finishedParsing() + 0x1c2
  20 com.apple.WebCore              0x11574ec38 WebCore::HTMLConstructionSite::finishedParsing() + 0x18
  21 com.apple.WebCore              0x11588c717 WebCore::HTMLTreeBuilder::finished() + 0xb7
  22 com.apple.WebCore              0x11577db6e WebCore::HTMLDocumentParser::end() + 0xbe
  23 com.apple.WebCore              0x11577bbd3 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 0x113
  24 com.apple.WebCore              0x11577b9e0 WebCore::HTMLDocumentParser::prepareToStopParsing() + 0x120
  25 com.apple.WebCore              0x11577dbc3 WebCore::HTMLDocumentParser::attemptToEnd() + 0x43
  26 com.apple.WebCore              0x11577dc18 WebCore::HTMLDocumentParser::finish() + 0x48
  27 com.apple.WebCore              0x11533585a WebCore::DocumentWriter::end() + 0x15a

Radar: rdar://problem/18995409
Comment 1 Chris Dumez 2014-11-15 23:23:42 PST
Created attachment 241677 [details]
Patch
Comment 2 Chris Dumez 2014-11-15 23:27:20 PST
Comment on attachment 241677 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241677&action=review

> Source/WebCore/css/StyleResolver.cpp:2251
>              if (primitiveValue->isString()) {

The null dereference would happen here.
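Added illustration of the failure mode, not code from WebKit or from the patch on this bug: at the top of StyleResolver::applyProperty the incoming CSSValue is downcast to a CSSPrimitiveValue only when it actually is one, so for the cascade keywords `inherit` and `initial` (which are their own CSSValue subclasses) that pointer is null, and a property handler that reaches for it before resolving those keywords dereferences null, which is frame 1 of the trace above. The class names below mirror the ones in the trace for readability; the member `contentAltText`, the empty string as the property's initial value, and the "handle inherit and initial first" ordering in `applyAltFixed` are assumptions about the standard StyleResolver pattern, not the landed diff. The buggy path returns a sentinel where the real code crashes.

```cpp
#include <iostream>
#include <string>

// Minimal model of the CSS value hierarchy (assumed shape, not WebKit's).
class CSSValue {
public:
    virtual ~CSSValue() = default;
    virtual bool isPrimitiveValue() const { return false; }
    virtual bool isInheritedValue() const { return false; }
    virtual bool isInitialValue() const { return false; }
};

// A concrete value such as alt: "Search".
class CSSPrimitiveValue : public CSSValue {
public:
    explicit CSSPrimitiveValue(std::string s) : m_string(std::move(s)) {}
    bool isPrimitiveValue() const override { return true; }
    bool isString() const { return true; }
    const std::string& stringValue() const { return m_string; }
private:
    std::string m_string;
};

// 'inherit' and 'initial' are separate subclasses, never primitive values.
class CSSInheritedValue : public CSSValue {
public:
    bool isInheritedValue() const override { return true; }
};
class CSSInitialValue : public CSSValue {
public:
    bool isInitialValue() const override { return true; }
};

// The slice of RenderStyle the alt property writes (assumed member name).
struct RenderStyle {
    std::string contentAltText; // initial value assumed to be the empty string
};

enum class ApplyResult { Applied, WouldCrash, Unsupported };

// The downcast done once at the top of applyProperty: null unless primitive.
static const CSSPrimitiveValue* asPrimitive(const CSSValue& value)
{
    return value.isPrimitiveValue() ? static_cast<const CSSPrimitiveValue*>(&value) : nullptr;
}

// Buggy shape: touches primitiveValue without resolving inherit/initial first.
ApplyResult applyAltBuggy(const CSSValue& value, RenderStyle& style, const RenderStyle&)
{
    const CSSPrimitiveValue* primitiveValue = asPrimitive(value);
    if (!primitiveValue)
        return ApplyResult::WouldCrash; // real code: primitiveValue->isString() on null
    if (primitiveValue->isString())
        style.contentAltText = primitiveValue->stringValue();
    return ApplyResult::Applied;
}

// Fixed shape: resolve the cascade keywords before the downcast is used.
ApplyResult applyAltFixed(const CSSValue& value, RenderStyle& style, const RenderStyle& parentStyle)
{
    if (value.isInheritedValue()) {
        style.contentAltText = parentStyle.contentAltText; // inherit: parent's computed value
        return ApplyResult::Applied;
    }
    if (value.isInitialValue()) {
        style.contentAltText = RenderStyle().contentAltText; // initial: reset to default
        return ApplyResult::Applied;
    }
    const CSSPrimitiveValue* primitiveValue = asPrimitive(value);
    if (!primitiveValue)
        return ApplyResult::Unsupported; // anything else is rejected, never dereferenced
    if (primitiveValue->isString())
        style.contentAltText = primitiveValue->stringValue();
    return ApplyResult::Applied;
}

typedef ApplyResult (*ApplyFn)(const CSSValue&, RenderStyle&, const RenderStyle&);

// Style a child under a parent whose alt text is "Company logo" (constructed
// input) and report the child's result; "<crash>" stands in for the process dying.
std::string resolveChildAlt(ApplyFn apply, const CSSValue& declared)
{
    RenderStyle parent;
    parent.contentAltText = "Company logo";
    RenderStyle child;
    child.contentAltText = "stale"; // must be overwritten by the cascade
    switch (apply(declared, child, parent)) {
    case ApplyResult::Applied: return child.contentAltText;
    case ApplyResult::WouldCrash: return "<crash>";
    case ApplyResult::Unsupported: return "<unsupported>";
    }
    return "<unreachable>";
}

int main()
{
    const CSSValue* values[] = { new CSSInheritedValue, new CSSInitialValue, new CSSPrimitiveValue("Search") };
    for (const CSSValue* v : values)
        std::cout << "buggy: " << resolveChildAlt(applyAltBuggy, *v)
                  << "  fixed: " << resolveChildAlt(applyAltFixed, *v) << '\n';
    for (const CSSValue* v : values)
        delete v;
    return 0;
}
```

The check worth carrying into review of any new `case CSSProperty...:` in applyProperty is the same one: every handler that uses `primitiveValue` must either be reached only after `inherit`/`initial` are handled or test the pointer itself, since the cascade can deliver those keywords to any property.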
Comment 3 Chris Dumez 2014-11-15 23:28:58 PST
Created attachment 241678 [details]
Patch
Comment 4 WebKit Commit Bot 2014-11-16 07:54:50 PST
Comment on attachment 241678 [details]
Patch

Clearing flags on attachment: 241678

Committed r176161: <http://trac.webkit.org/changeset/176161>
Comment 5 WebKit Commit Bot 2014-11-16 07:54:56 PST
All reviewed patches have been landed.  Closing bug.