RESOLVED FIXED Bug 20069
CSSPrimitiveValue::parserValue() returns deleted memory 
https://bugs.webkit.org/show_bug.cgi?id=20069
Summary CSSPrimitiveValue::parserValue() returns deleted memory
Eric Seidel (no email)
Reported 2008-07-16 20:11:20 PDT
CSSParserValue CSSPrimitiveValue::parserValue() const: case CSS_IDENT: { value.id = m_value.ident; String name = valueOrPropertyName(m_value.ident); value.string.characters = const_cast<UChar*>(name.characters()); value.string.length = name.length(); break; } This function returns the resulting "value" which has a weak pointer to the UChar buffer which must have been freed when the String went out of scope. I discovered this will trying to remove callers of StringImpl::characters() (see bug 20065) so that we can play around with using different storage techniques for StringImpl's data. The only code which ever uses this is: void CSSStyleSelector::addMatchedDeclaration(CSSMutableStyleDeclaration* decl) Which I'm not sure what it even does. It seems to be used for variable resolution? Maybe for dealing with inline styles? Unclear. Perhaps Hyatt can explain. Once we know how this code is used, it should be easy to produce a test case which will crash under MallocScribble.
Attachments
Change valueOrPropertyName() to return an AtomicString from a static table (3.12 KB, patch)
2010-03-12 09:12 PST, mitz 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2008-07-16 20:12:36 PDT
In case you're wondering, valueOrPropertyName returns a char* which is transparently copied to create a String: static const char* valueOrPropertyName(int valueOrPropertyID) { if (const char* valueName = getValueName(valueOrPropertyID)) return valueName; return getPropertyName(static_cast<CSSPropertyID>(valueOrPropertyID)); } Seems sad that it would be copied. :(
Alexey Proskuryakov
Comment 2 2010-03-06 16:05:15 PST
<rdar://problem/7725534>
mitz
Comment 3 2010-03-12 09:12:53 PST
Created attachment 50602 [details] Change valueOrPropertyName() to return an AtomicString from a static table
Alexey Proskuryakov
Comment 4 2010-03-12 10:20:20 PST
You probably could have added a test case with a "checkConsistency"-style assertion.
mitz
Comment 5 2010-03-12 10:29:45 PST
Fixed in <http://trac.webkit.org/projects/webkit/changeset/55914>.
Note You need to log in before you can comment on or make changes to this bug.