Bug 138774

Summary: Crash when setting 'alt' CSS property to inherit or initial
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: CSS
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: cfleizach, commit-queue, darin, dino, kling
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 138778

Chris Dumez
Reported 2014-11-15 23:16:33 PST
Crash when setting 'alt' CSS property to inherit or initial:

> 1 com.apple.WebCore 0x1150c32ec WebCore::CSSPrimitiveValue::isString() const + 0xc
2 com.apple.WebCore 0x1169f6e09 WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*) + 0x11e9
3 com.apple.WebCore 0x116a03817 WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&) + 0xd7
4 com.apple.WebCore 0x1169f5ada WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int) + 0xaa
5 com.apple.WebCore 0x1169f4227 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 0x747
6 com.apple.WebCore 0x1169f1eb3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 0x4e3
7 com.apple.WebCore 0x116a23543 WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 0x153
8 com.apple.WebCore 0x116a226a0 WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0xd0
9 com.apple.WebCore 0x116a22267 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0x107
10 com.apple.WebCore 0x116a22c6b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 0x15b
11 com.apple.WebCore 0x116a22339 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0x1d9
12 com.apple.WebCore 0x116a22c6b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 0x15b
13 com.apple.WebCore 0x116a22339 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 0x1d9
14 com.apple.WebCore 0x116a215b0 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 0x190
15 com.apple.WebCore 0x116a1eeed WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 0x12d
16 com.apple.WebCore 0x116a1eda8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 0x1e8
17 com.apple.WebCore 0x1152a7606 WebCore::Document::recalcStyle(WebCore::Style::Change) + 0x1d6
18 com.apple.WebCore 0x1152a37ef WebCore::Document::updateStyleIfNeeded() + 0x1af
19 com.apple.WebCore 0x1152b40a2 WebCore::Document::finishedParsing() + 0x1c2
20 com.apple.WebCore 0x11574ec38 WebCore::HTMLConstructionSite::finishedParsing() + 0x18
21 com.apple.WebCore 0x11588c717 WebCore::HTMLTreeBuilder::finished() + 0xb7
22 com.apple.WebCore 0x11577db6e WebCore::HTMLDocumentParser::end() + 0xbe
23 com.apple.WebCore 0x11577bbd3 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 0x113
24 com.apple.WebCore 0x11577b9e0 WebCore::HTMLDocumentParser::prepareToStopParsing() + 0x120
25 com.apple.WebCore 0x11577dbc3 WebCore::HTMLDocumentParser::attemptToEnd() + 0x43
26 com.apple.WebCore 0x11577dc18 WebCore::HTMLDocumentParser::finish() + 0x48
27 com.apple.WebCore 0x11533585a WebCore::DocumentWriter::end() + 0x15a

Radar: rdar://problem/18995409
Attachments
Patch (5.24 KB, patch)
2014-11-15 23:23 PST, Chris Dumez
no flags
Patch (5.31 KB, patch)
2014-11-15 23:28 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2014-11-15 23:23:42 PST
Chris Dumez
Comment 2 2014-11-15 23:27:20 PST
Comment on attachment 241677 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241677&action=review

> Source/WebCore/css/StyleResolver.cpp:2251
> if (primitiveValue->isString()) {

The null dereference would happen here.
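Reduced C++ model of the failure mode Comment 2 points at, written as an added example for this page; it is neither WebKit's code nor the committed patch. The CSS-wide keywords `inherit` and `initial` are not primitive values, so a downcast to CSSPrimitiveValue yields null and calling `isString()` on that pointer is the null dereference in the trace. The classes, the `Kind` enum, `toPrimitiveValue`, `applyAlt`, `AltApplyResult` and `RenderStyle::altText` are stand-ins assumed for illustration; the predicate names `isPrimitiveValue`/`isInheritedValue`/`isInitialValue` follow WebKit's CSSValue interface as I understand it but are implemented here independently.

```cpp
#include <cassert>
#include <string>
#include <utility>

// Stand-in (assumed, not WebKit's classes) for the CSS value hierarchy:
// 'inherit' and 'initial' are represented by non-primitive values.
class CSSValue {
public:
    enum class Kind { Primitive, Inherited, Initial };
    explicit CSSValue(Kind kind) : m_kind(kind) {}
    virtual ~CSSValue() = default;
    bool isPrimitiveValue() const { return m_kind == Kind::Primitive; }
    bool isInheritedValue() const { return m_kind == Kind::Inherited; }
    bool isInitialValue() const { return m_kind == Kind::Initial; }
private:
    Kind m_kind;
};

class CSSPrimitiveValue : public CSSValue {
public:
    explicit CSSPrimitiveValue(std::string text)
        : CSSValue(Kind::Primitive), m_text(std::move(text)) {}
    bool isString() const { return true; } // only string primitives are modelled
    const std::string& getStringValue() const { return m_text; }
private:
    std::string m_text;
};

// Models the downcast that produced a null pointer for inherit/initial:
// anything that is not a primitive value does not become a CSSPrimitiveValue.
const CSSPrimitiveValue* toPrimitiveValue(const CSSValue* value)
{
    if (!value || !value->isPrimitiveValue())
        return nullptr;
    return static_cast<const CSSPrimitiveValue*>(value);
}

struct RenderStyle {
    std::string altText;
};

enum class AltApplyResult { AppliedString, Inherited, Reset, Ignored };

// Hardened application of the 'alt' property. The crashing code went straight
// to primitiveValue->isString(); here the CSS-wide keywords are handled first,
// and a null primitive pointer is rejected instead of dereferenced.
AltApplyResult applyAlt(RenderStyle& style, const RenderStyle& parentStyle,
                        const RenderStyle& initialStyle, const CSSValue* value)
{
    if (!value)
        return AltApplyResult::Ignored;
    if (value->isInheritedValue()) {
        style.altText = parentStyle.altText; // 'alt: inherit' copies the parent's value
        return AltApplyResult::Inherited;
    }
    if (value->isInitialValue()) {
        style.altText = initialStyle.altText; // 'alt: initial' resets to the default
        return AltApplyResult::Reset;
    }
    const CSSPrimitiveValue* primitiveValue = toPrimitiveValue(value);
    if (!primitiveValue)
        return AltApplyResult::Ignored; // the original dereferenced a null here
    if (primitiveValue->isString()) {
        style.altText = primitiveValue->getStringValue();
        return AltApplyResult::AppliedString;
    }
    return AltApplyResult::Ignored;
}

int main()
{
    // Constructed sample styles and values for the stand-alone run.
    RenderStyle initialStyle{""};
    RenderStyle parentStyle{"parent text"};
    RenderStyle style;

    CSSPrimitiveValue literal("hello");
    CSSValue inherit(CSSValue::Kind::Inherited);
    CSSValue initial(CSSValue::Kind::Initial);

    assert(applyAlt(style, parentStyle, initialStyle, &literal) == AltApplyResult::AppliedString);
    assert(style.altText == "hello");
    assert(applyAlt(style, parentStyle, initialStyle, &inherit) == AltApplyResult::Inherited);
    assert(style.altText == "parent text");
    assert(applyAlt(style, parentStyle, initialStyle, &initial) == AltApplyResult::Reset);
    assert(style.altText.empty());
    return 0;
}
```

The ordering matters: the keyword checks run on the base CSSValue, which is always valid, and the downcast result is tested for null before any member call, so a value kind that the property code did not anticipate degrades to "ignored" rather than to a crash during style resolution.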
Chris Dumez
Comment 3 2014-11-15 23:28:58 PST
WebKit Commit Bot
Comment 4 2014-11-16 07:54:50 PST
Comment on attachment 241678 [details]
Patch

Clearing flags on attachment: 241678

Committed r176161: <http://trac.webkit.org/changeset/176161>
WebKit Commit Bot
Comment 5 2014-11-16 07:54:56 PST
All reviewed patches have been landed. Closing bug.