Bug 160823 - Dereferenced NULL pointer in StyleResolver
Summary: Dereferenced NULL pointer in StyleResolver
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-12 14:44 PDT by Jonathan Bedard
Modified: 2016-08-14 15:40 PDT (History)
2 users

See Also:


Attachments
Patch (3.37 KB, patch)
2016-08-12 14:48 PDT, Jonathan Bedard
no flags

Description Jonathan Bedard 2016-08-12 14:44:28 PDT
In StyleResolver::CascadedProperties::addMatch(...) a pointer which is sometimes NULL is dereferenced before being provided as an argument to StyleResolver::CascadedProperties::addStyleProperties(...).
Comment 1 Jonathan Bedard 2016-08-12 14:48:54 PDT
Created attachment 285955 [details]
Patch
Comment 2 Sam Weinig 2016-08-13 15:27:23 PDT
I don't understand how fixing a nullptr dereference can be no change in behavior? Dereferencing a nullptr will crash the program, so removing it would fix the crash and therefore be testable.  Is that not the case here somehow?
Comment 3 Darin Adler 2016-08-14 14:53:29 PDT
(In reply to comment #2)
> I don't understand how fixing a nullptr dereference can be no change in
> behavior? Dereferencing a nullptr will crash the program, so removing it
> would fix the crash and therefore be testable.  Is that not the case here
> somehow?

Dereferencing a null pointer and then passing the resulting reference does not necessarily crash the program; as you know under the hood references are implemented almost the same way that pointers are.

But Jonathan is using some kind of "undefined behavior testing mode" for clang, and so he was able to detect that the value is null. The rest of us are using clang in its normal compilation mode and like all the other compilers it just passes null to the function, which ignores the passed-in reference.
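The pattern Darin describes, reduced to a runnable model. This is an added example, not WebKit code and not the patch attached to this bug; the types and the addMatch/addStyleProperties bodies are hypothetical stand-ins named after the functions in the description. The buggy shape is kept as a comment so the block compiles cleanly, and the hardened form checks the pointer before any reference is formed.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-ins for the WebKit types named in the bug.
struct StyleProperties {
    std::vector<std::string> declarations;
};

struct CascadedProperties {
    std::vector<std::string> cascaded;

    // The callee takes a reference, so it has no way to test for "no properties":
    // a reference is assumed to refer to a live object.
    void addStyleProperties(const StyleProperties& properties)
    {
        for (const auto& declaration : properties.declarations)
            cascaded.push_back(declaration);
    }

    // Shape of the bug (comment only, deliberately not compiled):
    //
    //     void addMatch(const StyleProperties* properties)
    //     {
    //         addStyleProperties(*properties); // UB when properties is null
    //     }
    //
    // Forming `*properties` from a null pointer is undefined behaviour, but an
    // ordinary build emits no check: it simply passes the null address on as
    // the reference. The program only crashes if the callee reads through it,
    // which is why a plain build stays silent while UBSan flags the binding.

    // Hardened form: test the pointer before a reference is ever formed.
    bool addMatch(const StyleProperties* properties)
    {
        if (!properties)
            return false; // nothing to cascade; the caller can tell
        addStyleProperties(*properties);
        return true;
    }
};

// Drives the hardened path with a null match followed by a real one and
// returns how many declarations ended up cascaded (2 for the input below).
std::size_t cascadeNullThenReal()
{
    StyleProperties match{{"color: red", "margin: 0"}}; // constructed input
    CascadedProperties cascade;
    bool addedNull = cascade.addMatch(nullptr);
    bool addedReal = cascade.addMatch(&match);
    if (addedNull || !addedReal)
        return 0; // signals unexpected behaviour
    return cascade.cascaded.size();
}

int main()
{
    return cascadeNullThenReal() == 2 ? 0 : 1;
}
```

To see the "undefined behavior testing mode" Darin refers to, restore the commented-out addMatch and build with clang's UndefinedBehaviorSanitizer (`clang++ -std=c++17 -fsanitize=undefined`); calling it with a null pointer then produces a runtime error of the form "reference binding to null pointer of type 'const StyleProperties'", whereas the same binary built without the sanitizer runs through without complaint as long as the callee never reads the reference.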
Comment 4 WebKit Commit Bot 2016-08-14 15:40:31 PDT
Comment on attachment 285955 [details]
Patch

Clearing flags on attachment: 285955

Committed r204455: <http://trac.webkit.org/changeset/204455>
Comment 5 WebKit Commit Bot 2016-08-14 15:40:35 PDT
All reviewed patches have been landed.  Closing bug.