Bug 25812
| Summary: | Uninitialized varilable referenced while parsing CSS | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Rahul Kuchhal <kuchhal> |
| Component: | CSS | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | mattm |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | Windows XP | ||
| URL: | LayoutTests/fast/canvas/canvas-gradient-addStop-error.html | ||
Rahul Kuchhal
Debug Safari while opening LayoutTests/fast/canvas/canvas-gradient-addStop-error.html.
CSSParserValueList::addValue(const CSSParserValue& v) gets called by cssyparse several times:
void CSSParserValueList::addValue(const CSSParserValue& v)
{
if (v.unit == CSSPrimitiveValue::CSS_PARSER_VARIABLE_FUNCTION_SYNTAX)
m_variablesCount++;
m_values.append(v);
}
But looks like in many of these cases v.unit is not really initialized and holds junk value. For example in one instance of such call:
- v {id=0 isInt=true fValue=-9.2559592782649444e+061 ...} const WebCore::CSSParserValue &
id 0 int
isInt true bool
fValue -9.2559592782649444e+061 double
iValue 58260512 int
+ string {characters=0x0378fc20 "??" length=-858993460 } WebCore::CSSParserString
+ function 0x0378fc20 {name={...} args=0x061a0d20 } WebCore::CSSParserFunction *
unit 1048577 int
Same problem is in CSSParserValueList::~CSSParserValueList() too. It tries to read unit of all m_values when some of them have junk values for unit.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Dan Kegel
Originally found on Linux, see
http://code.google.com/p/chromium/issues/detail?id=9524,
but probably also on other systems.
Alexey Proskuryakov
See also: bug 22772.
Matt Mueller
I can't repro this now, and inspecting the CSSGrammar.y file it appears all "value" rules set the unit member.
I believe it was fixed with http://trac.webkit.org/changeset/44075 (2009-05-22)