Created attachment 217674 [details] Test case You can make WebKit crash through CSSParser with the following style tag: <style> * { border-image-source:radial-gradient(ellipse at left left); } </style> Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff0f5a7ca in WebCore::CSSValue::isPrimitiveValue (this=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/CSSValue.h:66 66 bool isPrimitiveValue() const { return m_classType == PrimitiveClass; } (gdb) bt #0 0x00007ffff0f5a7ca in WebCore::CSSValue::isPrimitiveValue (this=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/CSSValue.h:66 #1 0x00007ffff0fe04cc in WebCore::CSSParser::parseRadialGradient (this=0x7fffffffad50, valueList=0x1208d50, gradient=..., repeating=WebCore::NonRepeating) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/CSSParser.cpp:8310 #2 0x00007ffff0fe0d5c in WebCore::CSSParser::parseGeneratedImage (this=0x7fffffffad50, valueList=0x1208d50, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/CSSParser.cpp:8418 #3 0x00007ffff0fc7a85 in WebCore::CSSParser::parseValue (this=0x7fffffffad50, propId=WebCore::CSSPropertyBorderImageSource, important=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/CSSParser.cpp:2204 #4 0x00007ffff237a82f in cssyyparse (parser=0x7fffffffad50) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/CSSGrammar.y:1076 #5 0x00007ffff0fc24dd in WebCore::CSSParser::parseSheet (this=0x7fffffffad50, sheet=0x1198de0, string=..., startLineNumber=0, ruleSourceDataResult=0x0, logErrors=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/CSSParser.cpp:468 #6 0x00007ffff10e991f in WebCore::StyleSheetContents::parseStringAtLine (this=0x1198de0, sheetText=..., startLineNumber=0, createdByParser=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/StyleSheetContents.cpp:326 #7 0x00007ffff11aa01e in WebCore::InlineStyleSheetOwner::createSheet (this=0x944fc8, element=..., text=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/InlineStyleSheetOwner.cpp:147 #8 0x00007ffff11a9abe in WebCore::InlineStyleSheetOwner::createSheetFromTextContents (this=0x944fc8, element=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/InlineStyleSheetOwner.cpp:97 #9 0x00007ffff11a9a7b in WebCore::InlineStyleSheetOwner::finishParsingChildren (this=0x944fc8, element=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/InlineStyleSheetOwner.cpp:91 #10 0x00007ffff139056f in WebCore::HTMLStyleElement::finishParsingChildren (this=0x944f60) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLStyleElement.cpp:90 #11 0x00007ffff1427d22 in WebCore::HTMLElementStack::popCommon (this=0x108b338) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLElementStack.cpp:578 #12 0x00007ffff1426640 in WebCore::HTMLElementStack::pop (this=0x108b338) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLElementStack.cpp:214 #13 0x00007ffff144fbd0 in WebCore::HTMLTreeBuilder::processEndTag (this=0x108b300, token=0x7fffffffc200) ---Type <return> to continue, or q <return> to quit--- at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2195 #14 0x00007ffff1445faa in WebCore::HTMLTreeBuilder::processToken (this=0x108b300, token=0x7fffffffc200) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:381 #15 0x00007ffff1445dbc in WebCore::HTMLTreeBuilder::constructTree (this=0x108b300, token=0x7fffffffc200) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:349 #16 0x00007ffff1421208 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x108b000, rawToken=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:586 #17 0x00007ffff1420e73 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x108b000, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:543 #18 0x00007ffff1420663 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x108b000, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:227 #19 0x00007ffff1421749 in WebCore::HTMLDocumentParser::append (this=0x108b000, inputSource=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:733 #20 0x00007ffff11248ee in WebCore::DecodedDataDocumentParser::flush (this=0x108b000, writer=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #21 0x00007ffff159abe5 in WebCore::DocumentWriter::end (this=0x117a260) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:242 #22 0x00007ffff1587cea in WebCore::DocumentLoader::finishedLoading (this=0x117a1c0, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408 #23 0x00007ffff1587a58 in WebCore::DocumentLoader::notifyFinished (this=0x117a1c0, resource=0x11903e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345 #24 0x00007ffff162181e in WebCore::CachedResource::checkNotify (this=0x11903e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369 #25 0x00007ffff16218f8 in WebCore::CachedResource::finishLoading (this=0x11903e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385 #26 0x00007ffff161e3fa in WebCore::CachedRawResource::finishLoading (this=0x11903e0, data=0x9236c0) ---Type <return> to continue, or q <return> to quit--- at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94 #27 0x00007ffff15dbc53 in WebCore::SubresourceLoader::didFinishLoading (this=0x1190950, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:279 #28 0x00007ffff15d7f29 in WebCore::ResourceLoader::didFinishLoading (this=0x1190950, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:487 #29 0x00007ffff22dc0f2 in WebCore::readCallback (asyncResult=0x11959b0, data=0x1188d60) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1328 #30 0x00007fffe8521bc9 in async_ready_callback_wrapper (source_object=0x69e580, res=0x11959b0, user_data=0x1188d60) at ginputstream.c:530 #31 0x00007fffe8543ccb in g_task_return_now (task=0x11959b0) at gtask.c:1105 #32 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114 #33 0x00007fffedc31473 in g_main_dispatch (context=0x11954a0) at gmain.c:3054 #34 g_main_context_dispatch (context=0x11954a0) at gmain.c:3630 #35 0x00007ffff7575aee in _ecore_glib_select__locked (ecore_timeout=0x11954a0, efds=<optimized out>, wfds=<optimized out>, rfds=<optimized out>, ecore_fds=1, ctx=<optimized out>) at ecore_glib.c:171 #36 _ecore_glib_select (ecore_fds=1, rfds=<optimized out>, wfds=<optimized out>, efds=<optimized out>, ecore_timeout=0x11954a0) at ecore_glib.c:205 #37 0x00007ffff756fcb9 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466 #38 0x00007ffff7570789 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1860 #39 0x00007ffff7570b47 in ecore_main_loop_begin () at ecore_main.c:956 #40 0x0000000000406dfa in main (argc=2, argv=0x7fffffffde68) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1044
Created attachment 217700 [details] Patch
Seems legit.
Committed r162344: <http://trac.webkit.org/changeset/162344>