Bug 25812

Summary: Uninitialized variable referenced while parsing CSS
Product: WebKit
Reporter: Rahul Kuchhal <kuchhal>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: mattm
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows XP
URL: LayoutTests/fast/canvas/canvas-gradient-addStop-error.html

Description Rahul Kuchhal 2009-05-14 16:44:37 PDT
Debug Safari while opening LayoutTests/fast/canvas/canvas-gradient-addStop-error.html.

CSSParserValueList::addValue(const CSSParserValue& v) gets called by cssyparse several times:
void CSSParserValueList::addValue(const CSSParserValue& v)
{
    if (v.unit == CSSPrimitiveValue::CSS_PARSER_VARIABLE_FUNCTION_SYNTAX)
        m_variablesCount++;
    m_values.append(v);
}

But it looks like in many of these cases v.unit is not really initialized and holds a junk value. For example, in one instance of such a call:

-		v	{id=0 isInt=true fValue=-9.2559592782649444e+061 ...}	const WebCore::CSSParserValue &
		id	0	int
		isInt	true	bool
		fValue	-9.2559592782649444e+061	double
		iValue	58260512	int
+		string	{characters=0x0378fc20 "??" length=-858993460 }	WebCore::CSSParserString
+		function	0x0378fc20 {name={...} args=0x061a0d20 }	WebCore::CSSParserFunction *
		unit	1048577	int

The same problem is in CSSParserValueList::~CSSParserValueList() too. It tries to read the unit of all m_values when some of them have junk values for unit.
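To illustrate the defect class behind this report (a plain struct whose unit field is left unset by some grammar actions and then read in addValue and the destructor) and the fix described in comment 3 (every rule sets the unit), here is an added example. It is not WebKit code: the struct names, the ParserUnit enum and its numeric values, isKnownUnit and runDemo are all hypothetical stand-ins chosen for the demonstration. It contrasts an uninitialized POD struct with one that uses default member initializers, and adds a range check in addValue so a junk unit such as 1048577 is rejected instead of being counted or stored.

```cpp
// Added example, not WebKit code. Models CSSParserValue / CSSParserValueList
// to show why an unset POD field yields junk and how to guard against it.
#include <cassert>
#include <cstddef>
#include <cstring>
#include <vector>

// Hypothetical subset of unit identifiers; these numbers are placeholders,
// not WebKit's real CSSPrimitiveValue constants.
enum ParserUnit : int {
    UNIT_UNKNOWN = 0,
    UNIT_NUMBER = 1,
    UNIT_PX = 2,
    UNIT_PARSER_VARIABLE_FUNCTION_SYNTAX = 3,
    UNIT_COUNT = 4  // one past the last valid unit
};

// Unsafe shape: no initializers. A stack instance filled field by field in a
// grammar action keeps whatever was on the stack in any field it skips.
struct ParserValueUnsafe {
    int id;
    bool isInt;
    double fValue;
    int unit;
};

// Hardened shape: default member initializers give 'unit' a defined value
// even when a grammar rule forgets to set it.
struct ParserValueSafe {
    int id = 0;
    bool isInt = false;
    double fValue = 0.0;
    int unit = UNIT_UNKNOWN;
};

// True when 'unit' lies in the known range; 1048577 from the report fails.
bool isKnownUnit(int unit) {
    return unit >= UNIT_UNKNOWN && unit < UNIT_COUNT;
}

class ParserValueList {
public:
    // Mirrors CSSParserValueList::addValue, but validates the unit first
    // instead of trusting it. Returns false when the value is rejected.
    bool addValue(const ParserValueSafe& v) {
        if (!isKnownUnit(v.unit))
            return false;  // caller never set unit; do not count or store junk
        if (v.unit == UNIT_PARSER_VARIABLE_FUNCTION_SYNTAX)
            m_variablesCount++;
        m_values.push_back(v);
        return true;
    }
    int variablesCount() const { return m_variablesCount; }
    std::size_t size() const { return m_values.size(); }

private:
    std::vector<ParserValueSafe> m_values;
    int m_variablesCount = 0;
};

// Simulates a grammar action that sets every field except 'unit'.
// With the safe struct, unit stays UNIT_UNKNOWN rather than a random integer.
ParserValueSafe makeValueWithoutUnit(double f) {
    ParserValueSafe v;
    v.id = 0;
    v.isInt = false;
    v.fValue = f;
    return v;
}

// Deterministic stand-in for "leftover stack contents": fill the unsafe
// struct with a junk byte pattern and read the unit the way addValue would.
int unitFromJunkMemory() {
    ParserValueUnsafe raw;
    std::memset(&raw, 0xAB, sizeof raw);  // constructed junk, not real stack data
    return raw.unit;  // 0xABABABAB reinterpreted as int: far outside the range
}

struct DemoResult {
    int accepted;
    int variables;
    int rejected;
};

// Runs the list through three constructed values: one with unit unset,
// one variable-syntax value, and one carrying the junk unit from the report.
DemoResult runDemo() {
    ParserValueList list;
    DemoResult r{0, 0, 0};

    ParserValueSafe unset = makeValueWithoutUnit(1.5);
    list.addValue(unset) ? r.accepted++ : r.rejected++;

    ParserValueSafe var;
    var.unit = UNIT_PARSER_VARIABLE_FUNCTION_SYNTAX;
    list.addValue(var) ? r.accepted++ : r.rejected++;

    ParserValueSafe junk;
    junk.unit = 1048577;  // the value seen in the debugger dump above
    list.addValue(junk) ? r.accepted++ : r.rejected++;

    r.variables = list.variablesCount();
    return r;
}
```

The range check is a defensive backstop, not a substitute for the real fix: the grammar must set unit on every value it produces, which is what changeset 44075 is said to do. A build-time alternative to the runtime check is a compiler warning for uninitialized members (for example -Wuninitialized or MemorySanitizer), which would flag the unsafe struct at the point of the read.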
Comment 1 Dan Kegel 2009-05-14 17:10:51 PDT
Originally found on Linux, see
http://code.google.com/p/chromium/issues/detail?id=9524,
but probably also on other systems.
Comment 2 Alexey Proskuryakov 2009-05-15 02:33:27 PDT
See also: bug 22772.
Comment 3 Matt Mueller 2009-11-24 17:40:59 PST
I can't repro this now, and inspecting the CSSGrammar.y file it appears all "value" rules set the unit member.

I believe it was fixed with http://trac.webkit.org/changeset/44075 (2009-05-22)