Bug 22772

Summary: Reads on uninitialised memory in CSS parser
Product: WebKit
Reporter: Adam Langley <agl>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: mattm
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All

Adam Langley
Reported 2008-12-09 17:07:24 PST
This issue is WebKit/WebCore/css/CSSParser.cpp:405

    bool CSSParser::validUnit(CSSParserValue* value, Units unitflags, bool strict)
    {
        if (unitflags & FNonNeg && value->fValue < 0)
            return false;

        bool b = false;

Not all bytes of value->fValue are valid. The problem happens when some CSS property is a function rather than a value. In this specific case it's the width of something. (I'm not claiming that this is valid CSS, but it happens on nytimes.com.)

value->fValue is a member of a union, WebKit/WebCore/css/CSSParserValue.h:

    struct CSSParserValue {
        int id;
        bool isInt;
        union {
            double fValue;
            int iValue;
            CSSParserString string;
            CSSParserFunction* function;
        };
        enum {
            Operator = 0x100000,
            Function = 0x100001,
            Q_EMS = 0x100002
        };
        int unit;

        bool isVariable() const;

        PassRefPtr<CSSValue> createCSSValue();
    };

Since it's a function, ->function is set, but that's only a 32-bit value on many platforms. However, the FNonNeg tests fValue, an 8-byte double, so only half the bytes are valid.

It turns out that it doesn't matter because a CSSParserValue of type function will always end up returning false later in the function. However, it might be a surprise for someone down the road.

I think the best solution is probably to write a constructor for CSSParserValue which initialises the members, although I really don't know the code very well.
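Added illustration, not part of the report and not WebKit's code: a hypothetical stand-in that keeps the union layout quoted above, measures how many bytes of fValue are still stale after a function pointer is stored in the union, and carries the constructor fix the report proposes alongside a check that consults unit before reading fValue. The 0xCD fill simulates a recycled heap block; CSSParserFunction is a dummy type.

```cpp
#include <cstddef>
#include <cstring>
#include <new>

// Hypothetical stand-in for CSSParserFunction (not the WebCore type).
struct CSSParserFunction { int arity; };

enum { Function = 0x100001 };   // value of CSSParserValue::Function from the report

struct ValueBefore {            // as reported: nothing initialises the union
    int id;
    bool isInt;
    union { double fValue; int iValue; CSSParserFunction* function; };
    int unit;
};

struct ValueAfter {             // proposed fix: constructor initialises the widest member
    int id;
    bool isInt;
    union { double fValue; int iValue; CSSParserFunction* function; };
    int unit;
    ValueAfter() : id(0), isInt(false), fValue(0.0), unit(0) {}
};

// Simulate a recycled heap block filled with 0xCD, construct a value in it,
// store a function pointer in the union, then count the bytes of fValue that
// lie beyond the pointer and still hold the old garbage.
template <typename T>
std::size_t staleBytesInFValue() {
    static CSSParserFunction fn = { 0 };
    alignas(T) unsigned char block[sizeof(T)];
    std::memset(block, 0xCD, sizeof block);
    T* v = new (block) T;                       // constructor runs only for ValueAfter
    v->function = &fn;
    v->unit = Function;
    unsigned char raw[sizeof(double)];
    std::memcpy(raw, &v->fValue, sizeof raw);  // inspect the object representation only
    std::size_t stale = 0;
    for (std::size_t i = sizeof(void*); i < sizeof raw; ++i)
        if (raw[i] == 0xCD) ++stale;
    return stale;                               // sizeof(double) - sizeof(void*) for ValueBefore
}

// Defensive form of the FNonNeg check: refuse functions before touching fValue.
template <typename T>
bool nonNegNumber(const T& v) {
    if (v.unit == Function) return false;       // fValue is not meaningful here
    return v.fValue >= 0;
}
```

On a 64-bit build the pointer covers the whole double, so both counts are 0; on a 32-bit build ValueBefore leaves 4 stale bytes while ValueAfter leaves none.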
Alexey Proskuryakov
Comment 1 2009-05-15 02:33:36 PDT
See also: bug 25812.
Matt Mueller
Comment 2 2009-10-15 16:51:07 PDT
Should be fixed by bug 30347, if you could verify.
Adam Langley
Comment 3 2009-10-15 16:55:28 PDT
*** This bug has been marked as a duplicate of bug 30347 ***