Bug 27796

Summary: CSS -webkit-transition and (overflow: (and/or) display:) properties crash the browser
Product: WebKit Reporter: webkit
Component: CSS    Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: mrowe, simon.fraser
Priority: P2 Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.5   
Attachments:
  Example (attachment 33701)                    Flags: none
  Patch, testcase, changelog (attachment 33727)  Flags: mitz: review+

Description webkit 2009-07-29 01:46:43 PDT
Created attachment 33701 [details]
Example

In the attached file, see lines 228 to 236:

	.content {
		-webkit-transition-property: -webkit-transform;
		-webkit-transition-duration: 5s;
		-webkit-transition-timing-function: cubic-bezier(0.2, 0.6, 0.6, 0.9);
		-webkit-transform: translate3d(0, 0, 0);

		-webkit-column-count: 0;

		overflow: hidden;       /* only this line can generate a bug too */
		display: table-row;     /* only this line can generate a bug too */
	}

This CSS class crashes the browser (I think it's a buffer overflow error... if anyone can confirm :).
Comment 1 Mark Rowe (bdash) 2009-07-29 02:21:05 PDT
I only see a crash with display: table-row present.  The overflow: hidden does not appear to be relevant at all.  It's a simple null-dereference.
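A reduced testcase for triage, added here as an example; it is not the reporter's attachment 33701 or the patch testcase from attachment 33727. It keeps only the rules the description names and splits them into the two variants Comment 1 distinguishes: one element with display: table-row (the reported crash) and one with overflow: hidden alone (reported as irrelevant). The script that swaps the transform after load is an assumption, included so the transition path is exercised as well as the initial style resolution; the reporter's class crashes without any such change.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Reduction for bug 27796: -webkit-transition + display: table-row</title>
<style>
  /* Shared with both variants: transition on -webkit-transform, 3D transform applied.
     Values taken from the reporter's .content rule (lines 228-236 of the attachment). */
  .content {
    -webkit-transition-property: -webkit-transform;
    -webkit-transition-duration: 5s;
    -webkit-transition-timing-function: cubic-bezier(0.2, 0.6, 0.6, 0.9);
    -webkit-transform: translate3d(0, 0, 0);
    -webkit-column-count: 0;
  }

  /* Variant A: the case Comment 1 identifies as crashing. */
  .table-row { display: table-row; }

  /* Variant B: the case Comment 1 identifies as not relevant. */
  .overflow-only { overflow: hidden; }

  /* Assumed end state used only to start the transition. */
  .moved { -webkit-transform: translate3d(100px, 0, 0); }
</style>
</head>
<body>
  <!-- Load with ?variant=overflow to test variant B; default is variant A. -->
  <div id="target" class="content table-row">crash me</div>

  <script>
    // Constructed harness, not part of the bug report.
    var target = document.getElementById('target');
    if (location.search.indexOf('variant=overflow') !== -1) {
      target.className = 'content overflow-only';
    }
    // Kick off the transition after initial layout (assumption: a style change
    // is needed to enter the transition path; the static case is covered by
    // the class already applied above).
    window.addEventListener('load', function () {
      setTimeout(function () { target.className += ' moved'; }, 100);
    });
  </script>
</body>
</html>
```

Open the file in a nightly matching the reported version with and without the query string; a crash on the default load and no crash with ?variant=overflow reproduces the split Comment 1 describes.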
Comment 2 Mark Rowe (bdash) 2009-07-29 02:21:34 PDT
<rdar://problem/7101325>
Comment 3 Simon Fraser (smfr) 2009-07-29 11:51:41 PDT
Created attachment 33727 [details]
Patch, testcase, changelog
Comment 4 Simon Fraser (smfr) 2009-07-29 12:49:13 PDT
http://trac.webkit.org/changeset/46549