Bug 20515

Summary: Crash upon parsing CSS: unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region=
Product: WebKit Reporter: Robert Swiecki <robert.swiecki+wkbugs>
Component: WebKit Misc.Assignee: Beth Dakin <bdakin>
Status: RESOLVED FIXED    
Severity: Normal Keywords: HasReduction, InRadar
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   
Attachments:
Description Flags
Patch to handle invalid IDs
hyatt: review-
Patch 2 hyatt: review+

Robert Swiecki
Reported 2008-08-25 13:26:37 PDT
Webkit: 35904 Crash on the following code: <html> <style> body { unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region= } </style> </html> Seems similar (according to the stacktrace) to https://bugs.webkit.org/show_bug.cgi?id=20513 (994.de8): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=7fd225e0 ecx=00000000 edx=0012f65c esi=7fd52338 edi=00000000 eip=00b4f1c2 esp=0012f610 ebp=0012f8f4 iopl=0 nv up ei ng nz ac po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293 WebKit!WebCore::CSSStyleSelector::resolveVariablesForDeclaration+0xc3: 00b4f1c2 8b07 mov eax,dword ptr [edi] ds:0023:00000000=???????? 0:000> kb ChildEBP RetAddr Args to Child 0012f8f4 00aa2fa1 7fd22600 7fd225e0 0012f918 WebKit!WebCore::CSSStyleSelector::resolveVariablesForDeclaration+0xc3 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 547] 0012f944 00796977 7fd22600 ffffffff 7fed8780 WebKit!WebCore::CSSStyleSelector::addMatchedDeclaration+0x315141 0012f968 00797785 0012f9a8 0012f9a4 7fd4e448 WebKit!WebCore::CSSStyleSelector::matchRules+0x127 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 618] 0012f998 007902f4 7fd3f9b0 00000001 00000001 WebKit!WebCore::CSSStyleSelector::styleForElement+0x165 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 1137] 0012f9ac 00791f9c 7fd4e448 7fd3f9b0 0012fa28 WebKit!WebCore::Element::styleForRenderer+0x14 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 672] 0012f9cc 00790bbb 7fe93320 7fd3f9b0 0076f0f0 WebKit!WebCore::Node::createRendererIfNeeded+0x5c [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\node.cpp @ 1015] 0012f9d8 0076f0f0 7ff0b800 0000000a 7ff9005c WebKit!WebCore::Element::attach+0xb [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 718] 0012fa04 00769873 00000000 0012fa28 00000000 WebKit!WebCore::ContainerNode::appendChild+0xf0 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\containernode.cpp @ 574] 0012fa40 009387fd 7febf6a8 7fe91250 00938ec8 WebKit!WebCore::Document::implicitClose+0x283 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 1540] 0012fa4c 00938ec8 7fe91250 7ff0b82c 007ea32b WebKit!WebCore::FrameLoader::checkCompleted+0x9d [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1295] 0012fa58 007ea32b 00000000 7fd3a428 00007f1e WebKit!WebCore::FrameLoader::finishedParsing+0x28 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1243] 0012fa70 007e4f27 00c49174 0000001e 00007f1e WebKit!WebCore::Document::finishedParsing+0x4b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 3779] 0012fa94 007dc65e 7fd3a428 7fef6434 7fef6400 WebKit!WebCore::HTMLParser::finished+0xc7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmlparser.cpp @ 1538] 0012fab4 007f4a21 7fd3cc00 7febf6a8 7fe91250 WebKit!WebCore::HTMLTokenizer::end+0x12e [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1851] 0012fb08 00938e67 7fecca00 7febf6a8 00938b2b WebKit!WebCore::HTMLTokenizer::finish+0x51 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1889] 0012fb14 00938b2b 7ff01a00 7fecca00 0486ca50 WebKit!WebCore::FrameLoader::endIfNotLoadingMainResource+0x47 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1076] 0012fb24 009f2243 7fd2c450 045abcf0 009f4e67 WebKit!WebCore::FrameLoader::finishedLoading+0x2b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 2914] 0012fb30 009f4e67 00944e11 7fd2c450 045abcf0 WebKit!WebCore::MainResourceLoader::didFinishLoading+0x23 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp @ 321] 0012fb34 00944e11 7fd2c450 045abcf0 6a535f00 WebKit!WebCore::ResourceLoader::didFinishLoading+0x7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\resourceloader.cpp @ 399] *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\CFNetwork.dll - 0012fb40 6a535f00 045abcf0 7fd2c450 0486ca50 WebKit!WebCore::didFinishLoading+0x21 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\network\cf\resourcehandlecfnet.cpp @ 119]
Attachments
Patch to handle invalid IDs (5.28 KB, patch)
2008-09-18 14:13 PDT, Beth Dakin 		hyatt: review-
DetailsFormatted DiffDiff
Patch 2 (5.01 KB, patch)
2008-09-18 14:57 PDT, Beth Dakin 		hyatt: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dave Hyatt
Comment 1 2008-08-25 13:42:28 PDT
CSSParserValue::createCSSValue needs to handle unknown identifiers. It drops them on the floor right now and returns 0. Then the value list ends up with a null item. We should fix this method to actually create a CSSPrimitiveValue that can really be used. (Will probably need a new unit type like CSS_PARSER_IDENTIFIER for unknown identifiers.)
Mark Rowe (bdash)
Comment 2 2008-08-25 13:49:46 PDT
<rdar://problem/6174100>
Beth Dakin
Comment 3 2008-09-18 14:13:38 PDT
Created attachment 23537 [details] Patch to handle invalid IDs
Dave Hyatt
Comment 4 2008-09-18 14:22:42 PDT
Comment on attachment 23537 [details] Patch to handle invalid IDs All you're doing is making a value that has absolutely no contents. You need to actually store the string and implement the round-tripping like the other CSS_PARSER_*** types do. We're going to be turning CSS variables off, which means this bug isn't that high priority.
Beth Dakin
Comment 5 2008-09-18 14:57:47 PDT
Created attachment 23539 [details] Patch 2 I see. Using the other CSS_PARSER… types as a model, I think this does that.
Dave Hyatt
Comment 6 2008-09-18 15:06:46 PDT
Comment on attachment 23539 [details] Patch 2 + case CSS_PARSER_IDENTIFIER: + text = quoteStringIfNeeded(m_value.string); Add a "break;" in case we add more cases in the future. This line is wrong: + value.unit = m_type; It should set the type to CSS_IDENT. Please put the layout test under fast/css/variables, since when we turn CSS variables off, we don't want to have to look for tests in other subdirectories. Fix those two things and r=me
Beth Dakin
Comment 7 2008-09-18 15:18:37 PDT
Fixed both and moved the tests. Thanks, Dave!
Beth Dakin
Comment 8 2008-09-18 15:18:52 PDT
Oh, and r36624.
Note You need to log in before you can comment on or make changes to this bug.