Bug 286767
| Summary: | StylePropertyMap::append is not properly verifying that we don't append CSSVariableReferenceValue style values | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Pedro Varangot <pvarangot> |
| Component: | Layout and Rendering | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, simon.fraser, webkit-bug-importer, zalan |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://github.com/web-platform-tests/wpt/pull/51410 | | |
Pedro Varangot
This can result in crashes when attempting to resolve style later on. Example:

```
frame #0: WebCore`WebCore::convertToLengthSize(WebCore::CSSValue const&, WebCore::CSSToLengthConversionData const&, WebCore::LengthSize&)+0x318
frame #1: WebCore`WebCore::CSSToStyleMap::mapFillSize(WebCore::CSSPropertyID, WebCore::FillLayer&, WebCore::CSSValue const&) const+0x1a8
frame #2: WebCore`WebCore::Style::BuilderFunctions::applyValueBackgroundSize(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&)+0x200
frame #3: WebCore`WebCore::Style::BuilderGenerated::applyProperty(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&, WebCore::Style::ApplyValueType)+0x7e40
frame #4: WebCore`WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask)+0x3e40
frame #5: WebCore`WebCore::Style::Builder::applyNonHighPriorityProperties()+0xbd0
frame #6: WebCore`WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&)+0x5cc
frame #7: WebCore`WebCore::Style::Resolver::styleForElement(WebCore::Element&, WebCore::Style::ResolutionContext const&, WebCore::RuleMatchingBehavior)+0x450
frame #8: WebCore`WebCore::Style::TreeResolver::styleForStyleable(WebCore::Styleable const&, WebCore::Style::TreeResolver::ResolutionType, WebCore::Style::ResolutionContext const&, WebCore::RenderStyle const*)+0xbb8
frame #9: WebCore`WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType)+0x4a8
frame #10: WebCore`WebCore::Style::TreeResolver::resolveComposedTree()+0x1978
frame #11: WebCore`WebCore::Style::TreeResolver::resolve()+0x55c
frame #12: WebCore`WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)+0x50c
```
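The bug title describes a missing validation step: `StylePropertyMap.append()` accepted a `CSSVariableReferenceValue` (or a `CSSUnparsedValue` carrying one) for a list-valued property, and the unresolved var() reference only blew up later, deep in style resolution. The following is an added example, not WebKit code and not the fix that landed; it shows the shape of the check from the caller's side: validate every argument before touching the map, reject var() references with a TypeError (the error type Typed OM uses for unusable arguments), and never leave the property half-updated. The `guardedAppend`, `containsVariableReference` and `RecordingStyleMap` names are this example's own; the stand-in classes for `CSSVariableReferenceValue` and `CSSUnparsedValue` are only used when the real Typed OM globals are absent (Node), and the sample inputs are constructed for the demo.

```javascript
'use strict';

// Use the browser's Typed OM classes when present; otherwise fall back to
// constructed stand-ins with the same observable shape so the check runs under Node.
const CSSVariableReferenceValueCtor = globalThis.CSSVariableReferenceValue ??
  class CSSVariableReferenceValue {
    // `variable` is the custom property name, `fallback` a CSSUnparsedValue or null.
    constructor(variable, fallback = null) {
      this.variable = variable;
      this.fallback = fallback;
    }
  };

const CSSUnparsedValueCtor = globalThis.CSSUnparsedValue ??
  class CSSUnparsedValue {
    // An iterable list whose members are strings or CSSVariableReferenceValue objects.
    constructor(members) {
      this.members = Array.from(members);
      this.length = this.members.length;
    }
    [Symbol.iterator]() { return this.members[Symbol.iterator](); }
  };

// True if `value` is a var() reference itself or an unparsed value that contains one.
// Anything else (CSSKeywordValue, CSSUnitValue, ...) is resolvable and passes.
function containsVariableReference(value) {
  if (value instanceof CSSVariableReferenceValueCtor) return true;
  if (value instanceof CSSUnparsedValueCtor) {
    for (const member of value) {
      if (member instanceof CSSVariableReferenceValueCtor) return true;
    }
  }
  return false;
}

function describe(value) {
  if (value instanceof CSSVariableReferenceValueCtor) return `var(${value.variable})`;
  return 'CSSUnparsedValue containing var()';
}

// Validate all arguments first, then delegate to the real append(). Checking the
// whole argument list before the first append keeps the update atomic: either every
// value lands or none does. Returns the number of values appended.
function guardedAppend(styleMap, property, ...values) {
  const offenders = values.filter(containsVariableReference);
  if (offenders.length > 0) {
    throw new TypeError(
      `cannot append var() reference(s) to '${property}': ${offenders.map(describe).join(', ')}`);
  }
  styleMap.append(property, ...values);
  return values.length;
}

// Constructed stand-in for a StylePropertyMap that merely records appends,
// so the guard can be exercised without a browser.
class RecordingStyleMap {
  constructor() { this.lists = new Map(); }
  append(property, ...values) {
    const list = this.lists.get(property) ?? [];
    list.push(...values);
    this.lists.set(property, list);
  }
  getAll(property) { return this.lists.get(property) ?? []; }
}

// Returns true if `fn` throws a TypeError, false if it returns normally.
function rejectsWithTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Drives the guard over constructed inputs: one resolvable value, one bare var()
// reference, one unparsed value hiding a reference among plain text segments.
function demo() {
  const map = new RecordingStyleMap();
  const results = {};
  results.plain = guardedAppend(map, 'background-size', { toString: () => '10px 20px' });
  results.rejectedVarRef = rejectsWithTypeError(() =>
    guardedAppend(map, 'background-size', new CSSVariableReferenceValueCtor('--size')));
  results.rejectedUnparsed = rejectsWithTypeError(() =>
    guardedAppend(map, 'background-size',
      new CSSUnparsedValueCtor(['10px ', new CSSVariableReferenceValueCtor('--h')])));
  // Only the resolvable value should have reached the map.
  results.listLength = map.getAll('background-size').length;
  return results;
}
```

In a browser, `guardedAppend(element.attributeStyleMap, 'background-size', ...)` runs the same check against the real `CSSVariableReferenceValue` and `CSSUnparsedValue` classes before the engine ever sees the value; the point of validating at the append boundary rather than at use is exactly the one the stack trace above makes, since by the time `applyValueBackgroundSize` runs there is no caller left to report an error to.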
Pedro Varangot
<rdar://problem/141031931>
Pedro Varangot
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/51410
Pedro Varangot
<rdar://problem/147350835>
EWS
Committed 292377@main (f2e814363ebf): <https://commits.webkit.org/292377@main>
Reviewed commits have been landed. Closing PR #39782 and removing active labels.