Bug 66219

Summary: CSS style code incorrectly assumes WebCore::Document::documentElement() does not return NULL
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: CSS
Assignee: Dave Hyatt <hyatt>
Status: NEW
Severity: Normal
CC: ap, eric, macpherson, shinyak
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista

Berend-Jan Wever
Reported 2011-08-15 04:58:57 PDT
Created attachment 103903 [details]
Repro (unzip and load repro.html)

WebCore::Document::documentElement() can return NULL. There are a few places in the code where this is not taken into account.
http://codesearch.google.com/codesearch#search/&q=documentElement%5C(%5C)%5C-%5C%3ErenderStyle&exact_package=chromium&type=cs

Repro.html:

    <iframe src="repro.svg" onload="go(this)"></iframe>
    <script>
    function go(oIframe) {
      setTimeout(function() {
        document.adoptNode(oIframe.contentDocument.documentElement);
      }, 1);
    }
    </script>

Repro.svg:

    <?xml version="1.0" standalone="no"?>
    <?xml-stylesheet href="repro.css" ?>

Repro.css:

    @media (width:1) { @page {} }

(I bet there is a simpler way to trigger this).

id:          webkit.dll!WebCore::Node::renderStyle ReadAV@NULL (c335e7a3c5b21e67401e64aac7846349)
description: Attempt to read from unallocated NULL pointer+0x28 in webkit.dll!WebCore::Node::renderStyle
application: Chromium 14.0.828.0
stack:
    webkit.dll!WebCore::Node::renderStyle
    webkit.dll!WebCore::widthMediaFeatureEval
    webkit.dll!WebCore::min_widthMediaFeatureEval
    webkit.dll!WebCore::MediaQueryEvaluator::eval
    webkit.dll!WebCore::CSSStyleSelector::affectedByViewportChange
    webkit.dll!WebCore::FrameView::layout
    webkit.dll!WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive
    webkit.dll!WebKit::WebFrameImpl::layout
    webkit.dll!WebKit::WebViewImpl::layout
    chrome.dll!RenderWidget::DoDeferredUpdate
    chrome.dll!RenderWidget::DoDeferredUpdateAndSendInputAck
    chrome.dll!RenderWidget::InvalidationCallback
    ...

@hyatt: in r45919 you added code to handle "rem" css units, which I think introduced this particular instance of this issue. The w3c docs do not specify how to handle "rem" units when there is no document element, so I don't know how to fix this. If you have a fix, could you see if the other places in the CSS code where the same problem seems to exist might be fixed in the same way?
Attachments
Repro (unzip and load repro.html) (557 bytes, application/x-zip-compressed)
2011-08-15 04:58 PDT, Berend-Jan Wever
no flags
Patch (4.53 KB, patch)
2011-10-23 21:09 PDT, Luke Macpherson
no flags
Berend-Jan Wever
Comment 1 2011-08-15 05:00:51 PDT
Berend-Jan Wever
Comment 2 2011-09-02 04:55:37 PDT
*** Bug 67474 has been marked as a duplicate of this bug. ***
Luke Macpherson
Comment 3 2011-10-23 21:09:35 PDT
Luke Macpherson
Comment 4 2011-10-23 21:23:34 PDT
Patch added fixes the crash by treating rems as ems when the root style is unknown. Patch does not add a layout test.
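The strategy described in the comment above (resolve rem as em when the root style is unknown), as an added stand-alone model that is not WebKit's code and not the attached patch. `Style`, `Unit` and `resolveLengthPx` are hypothetical names chosen for this example; returning `false` for a length that cannot be resolved at all is an assumption of the example, not something the patch is stated to do.

```cpp
// Added example (not WebKit code): a stand-alone model of the fix strategy
// "treat rem as em when the root style is unknown". All types and function
// names here are hypothetical; WebKit's RenderStyle/CSSPrimitiveValue are
// not used.
#include <cassert>
#include <cstdio>

// Hypothetical stand-in for a computed style: only the font size matters here.
struct Style {
    double fontSizePx;
};

enum class Unit { Px, Em, Rem };

// Resolve a CSS length to pixels.
//   style     - computed style of the element being styled (may be null, e.g.
//               while a media query is evaluated before any style exists)
//   rootStyle - computed style of the document element; null when
//               Document::documentElement() returned null, as in the bug's
//               repro where the document element has been adopted away.
// Returns false when the length cannot be resolved at all (assumption of this
// example), instead of dereferencing a null pointer.
bool resolveLengthPx(double value, Unit unit, const Style* style,
                     const Style* rootStyle, double* outPx) {
    switch (unit) {
    case Unit::Px:
        *outPx = value;
        return true;
    case Unit::Em:
        if (!style)
            return false;
        *outPx = value * style->fontSizePx;
        return true;
    case Unit::Rem: {
        // The crash in this bug came from using the root style unconditionally.
        // Fall back to the element's own style (em semantics) when the root
        // style is unknown.
        const Style* base = rootStyle ? rootStyle : style;
        if (!base)
            return false;
        *outPx = value * base->fontSizePx;
        return true;
    }
    }
    return false;
}

int main() {
    Style root{16.0}, elem{20.0};
    double px = 0;

    assert(resolveLengthPx(2.0, Unit::Rem, &elem, &root, &px) && px == 32.0);
    // No document element: 2rem resolves as 2em against the element's font size.
    assert(resolveLengthPx(2.0, Unit::Rem, &elem, nullptr, &px) && px == 40.0);
    // Neither style known: report failure rather than crash.
    assert(!resolveLengthPx(2.0, Unit::Rem, nullptr, nullptr, &px));
    std::printf("ok\n");
    return 0;
}
```

The null check on `base` is the point: a document without a document element (the repro's parse-failed SVG, or a document whose root has been adopted into another document) has no root style to read, and the media-query path in the reported stack evaluates widths before the element it styles has any style either, so both pointers have to be treated as optional.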
Darin Adler
Comment 5 2011-10-23 21:24:46 PDT
Comment on attachment 112137 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=112137&action=review

> Source/WebCore/ChangeLog:8
> + No new tests. (OOPS!)

Why no tests?
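Review bot: the quoted ChangeLog line still carries the "No new tests. (OOPS!)" placeholder, so the patch as attached documents neither a test nor a reason for omitting one; the attached repro (repro.html, repro.svg and repro.css, which crash in WebCore::Node::renderStyle via the media-query width evaluation) is already a complete reproduction and could be turned into a layout test for the null-document-element case, with the ChangeLog naming that test.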
Luke Macpherson
Comment 6 2011-10-23 21:36:09 PDT
Still working on it.