RESOLVED DUPLICATE of bug 156515 156512
Crash at com.apple.JavaScriptCore: bool WTF::startsWith<WTF::StringImpl, WTF::StringImpl> + 8 
https://bugs.webkit.org/show_bug.cgi?id=156512
Summary Crash at com.apple.JavaScriptCore: bool WTF::startsWith<WTF::StringImpl, WTF:...
Antti Koivisto
Reported 2016-04-12 13:17:15 PDT
<style> [class^="randomstring"] { background: white; } </style> <div class="" id="test"></div> <script> document.getElementById("test").attributes.class.value = null; </script>
Attachments
patch (7.29 KB, patch)
2016-04-12 13:32 PDT, Antti Koivisto 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Antti Koivisto
Comment 1 2016-04-12 13:17:42 PDT
rdar://problem/24220567
Antti Koivisto
Comment 2 2016-04-12 13:18:38 PDT
We crash in compiled selector code.
Antti Koivisto
Comment 3 2016-04-12 13:32:19 PDT
Created attachment 276270 [details] patch
Benjamin Poulain
Comment 4 2016-04-12 13:38:49 PDT
Comment on attachment 276270 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=276270&action=review > Source/WebCore/cssjit/SelectorCompiler.cpp:2823 > + if (attribute->value().isEmpty()) > + return false; Looks like this should be merged with the "AtomicStringImpl& valueImpl = *attribute->value().impl();" below.
Antti Koivisto
Comment 5 2016-04-13 01:30:01 PDT
Looks like Attr.value path that Chris fixed was the only way to make a null attribute value. All normal paths treat null value as "remove the attribute". I think we can do without the null check, I'll just land the test case here. *** This bug has been marked as a duplicate of bug 156515 ***
Antti Koivisto
Comment 6 2016-04-13 01:38:59 PDT
Landed the test in https://trac.webkit.org/r199428
Darin Adler
Comment 7 2016-04-13 08:21:00 PDT
Comment on attachment 276270 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=276270&action=review >> Source/WebCore/cssjit/SelectorCompiler.cpp:2823 >> + return false; > > Looks like this should be merged with the "AtomicStringImpl& valueImpl = *attribute->value().impl();" below. Checking for the null string would be more efficient than checking for the empty string for the non-null, non-empty case. So unless we want to optimize the empty string case, I suggest using isNull or checking if impl() is nullptr instead.
Darin Adler
Comment 8 2016-04-13 08:21:30 PDT
Oh, looks like we decided not to land this change and instead prevent null from ever getting here. Great!
Darin Adler
Comment 9 2016-04-13 08:49:11 PDT
Comment on attachment 276270 [details] patch Clearing the review flag because we decided not to land this.
Note You need to log in before you can comment on or make changes to this bug.