Bug 27796

Summary: CSS -webkit-transition and (overflow: (and/or) display:) properties crash the browser
Product: WebKit Reporter: webkit
Component: CSSAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: mrowe, simon.fraser
Priority: P2 Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.5   
Attachments:
Description Flags
Example
none
Patch, testcase, changelog mitz: review+

webkit
Reported 2009-07-29 01:46:43 PDT
Created attachment 33701 [details] Example On the attached file, see the line 228 to 236 : .content{ -webkit-transition-property: -webkit-transform; -webkit-transition-duration: 5s; -webkit-transition-timing-function: cubic-bezier(0.2, 0.6, 0.6, 0.9); -webkit-transform: translate3d(0, 0, 0); -webkit-column-count:0; overflow:hidden;/* only this line can generate a bug too */ display:table-row;/*only this line can generate a bug too */ } This CSS class crash the browser (I think it's a buffer overflow error... If anyone can confirm :).
Attachments
Example (4.81 KB, text/html)
2009-07-29 01:46 PDT, webkit 		no flags
Details
Patch, testcase, changelog (4.71 KB, patch)
2009-07-29 11:51 PDT, Simon Fraser (smfr) 		mitz: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2009-07-29 02:21:05 PDT
I only see a crash with display: table-row present. The overflow: hidden does not appear to be relevant at all. It's a simple null-dereference.
Mark Rowe (bdash)
Comment 2 2009-07-29 02:21:34 PDT
<rdar://problem/7101325>
Simon Fraser (smfr)
Comment 3 2009-07-29 11:51:41 PDT
Created attachment 33727 [details] Patch, testcase, changelog
Simon Fraser (smfr)
Comment 4 2009-07-29 12:49:13 PDT
http://trac.webkit.org/changeset/46549
Note You need to log in before you can comment on or make changes to this bug.