Bug 20515

Summary: Crash upon parsing CSS: unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region=
Product: WebKit Reporter: Robert Swiecki <robert.swiecki+wkbugs>
Component: WebKit Misc.Assignee: Beth Dakin <bdakin>
Status: RESOLVED FIXED    
Severity: Normal Keywords: HasReduction, InRadar
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   
Attachments:
Description Flags
Patch to handle invalid IDs
hyatt: review-
Patch 2 hyatt: review+

Description Robert Swiecki 2008-08-25 13:26:37 PDT 
Webkit: 35904

Crash on the following code:

<html>
<style>
body {
        unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region=
}
</style>
</html>


Seems similar (according to the stacktrace) to https://bugs.webkit.org/show_bug.cgi?id=20513

(994.de8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=7fd225e0 ecx=00000000 edx=0012f65c esi=7fd52338 edi=00000000
eip=00b4f1c2 esp=0012f610 ebp=0012f8f4 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000293
WebKit!WebCore::CSSStyleSelector::resolveVariablesForDeclaration+0xc3:
00b4f1c2 8b07            mov     eax,dword ptr [edi]  ds:0023:00000000=????????
0:000> kb
ChildEBP RetAddr  Args to Child              
0012f8f4 00aa2fa1 7fd22600 7fd225e0 0012f918 WebKit!WebCore::CSSStyleSelector::resolveVariablesForDeclaration+0xc3 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 547]
0012f944 00796977 7fd22600 ffffffff 7fed8780 WebKit!WebCore::CSSStyleSelector::addMatchedDeclaration+0x315141
0012f968 00797785 0012f9a8 0012f9a4 7fd4e448 WebKit!WebCore::CSSStyleSelector::matchRules+0x127 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 618]
0012f998 007902f4 7fd3f9b0 00000001 00000001 WebKit!WebCore::CSSStyleSelector::styleForElement+0x165 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 1137]
0012f9ac 00791f9c 7fd4e448 7fd3f9b0 0012fa28 WebKit!WebCore::Element::styleForRenderer+0x14 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 672]
0012f9cc 00790bbb 7fe93320 7fd3f9b0 0076f0f0 WebKit!WebCore::Node::createRendererIfNeeded+0x5c [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\node.cpp @ 1015]
0012f9d8 0076f0f0 7ff0b800 0000000a 7ff9005c WebKit!WebCore::Element::attach+0xb [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 718]
0012fa04 00769873 00000000 0012fa28 00000000 WebKit!WebCore::ContainerNode::appendChild+0xf0 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\containernode.cpp @ 574]
0012fa40 009387fd 7febf6a8 7fe91250 00938ec8 WebKit!WebCore::Document::implicitClose+0x283 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 1540]
0012fa4c 00938ec8 7fe91250 7ff0b82c 007ea32b WebKit!WebCore::FrameLoader::checkCompleted+0x9d [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1295]
0012fa58 007ea32b 00000000 7fd3a428 00007f1e WebKit!WebCore::FrameLoader::finishedParsing+0x28 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1243]
0012fa70 007e4f27 00c49174 0000001e 00007f1e WebKit!WebCore::Document::finishedParsing+0x4b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 3779]
0012fa94 007dc65e 7fd3a428 7fef6434 7fef6400 WebKit!WebCore::HTMLParser::finished+0xc7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmlparser.cpp @ 1538]
0012fab4 007f4a21 7fd3cc00 7febf6a8 7fe91250 WebKit!WebCore::HTMLTokenizer::end+0x12e [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1851]
0012fb08 00938e67 7fecca00 7febf6a8 00938b2b WebKit!WebCore::HTMLTokenizer::finish+0x51 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1889]
0012fb14 00938b2b 7ff01a00 7fecca00 0486ca50 WebKit!WebCore::FrameLoader::endIfNotLoadingMainResource+0x47 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1076]
0012fb24 009f2243 7fd2c450 045abcf0 009f4e67 WebKit!WebCore::FrameLoader::finishedLoading+0x2b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 2914]
0012fb30 009f4e67 00944e11 7fd2c450 045abcf0 WebKit!WebCore::MainResourceLoader::didFinishLoading+0x23 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp @ 321]
0012fb34 00944e11 7fd2c450 045abcf0 6a535f00 WebKit!WebCore::ResourceLoader::didFinishLoading+0x7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\resourceloader.cpp @ 399]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Safari\CFNetwork.dll - 
0012fb40 6a535f00 045abcf0 7fd2c450 0486ca50 WebKit!WebCore::didFinishLoading+0x21 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\network\cf\resourcehandlecfnet.cpp @ 119]
Comment 1 Dave Hyatt 2008-08-25 13:42:28 PDT 
CSSParserValue::createCSSValue needs to handle unknown identifiers.  It drops them on the floor right now and returns 0.  Then the value list ends up with a null item.  We should fix this method to actually create a CSSPrimitiveValue that can really be used.  (Will probably need a new unit type like CSS_PARSER_IDENTIFIER for unknown identifiers.)
Comment 2 Mark Rowe (bdash) 2008-08-25 13:49:46 PDT 
<rdar://problem/6174100>
Comment 3 Beth Dakin 2008-09-18 14:13:38 PDT 
Created attachment 23537 [details]
Patch to handle invalid IDs
Comment 4 Dave Hyatt 2008-09-18 14:22:42 PDT 
Comment on attachment 23537 [details]
Patch to handle invalid IDs

All you're doing is making a value that has absolutely no contents.  You need to actually store the string and implement the round-tripping like the other CSS_PARSER_*** types do.

We're going to be turning CSS variables off, which means this bug isn't that high priority.
Comment 5 Beth Dakin 2008-09-18 14:57:47 PDT 
Created attachment 23539 [details]
Patch 2

I see. Using the other CSS_PARSER… types as a model, I think this does that.
Comment 6 Dave Hyatt 2008-09-18 15:06:46 PDT 
Comment on attachment 23539 [details]
Patch 2

+        case CSS_PARSER_IDENTIFIER:
+            text = quoteStringIfNeeded(m_value.string);

Add a "break;" in case we add more cases in the future.

This line is wrong:

+            value.unit = m_type;

It should set the type to CSS_IDENT.

Please put the layout test under fast/css/variables, since when we turn CSS variables off, we don't want to have to look for tests in other subdirectories.

Fix those two things and r=me
Comment 7 Beth Dakin 2008-09-18 15:18:37 PDT 
Fixed both and moved the tests. Thanks, Dave!
Comment 8 Beth Dakin 2008-09-18 15:18:52 PDT 
Oh, and r36624.