Bug 20396 - Abort caused by failed allocation due to invalid counter/attr
Summary: Abort caused by failed allocation due to invalid counter/attr
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 525.x (Safari 3.1)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Beth Dakin
Keywords: HasReduction, InRadar
Depends on:
Reported: 2008-08-15 06:19 PDT by Tavis Ormandy
Modified: 2008-09-30 16:20 PDT

See Also:

Patch (2.89 KB, patch)
2008-09-30 16:07 PDT, Beth Dakin
darin: review+

Description Tavis Ormandy 2008-08-15 06:19:26 PDT
<style type="text/css">
body {
       content: counter(-7036167556735246188);
}
</style>

(content: attr(-4687060260085016321); also works)
Comment 1 Mark Rowe (bdash) 2008-08-15 08:14:06 PDT
Safari(77064,0xa0314d00) malloc: *** mmap(size=2276515840) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug

Program received signal SIGABRT, Aborted.
0x934e970a in __kill ()
(gdb) bt
#0  0x934e970a in __kill ()
#1  0x934e96fd in kill$UNIX2003 ()
#2  0x9355d75f in raise ()
#3  0x9356f205 in abort ()
#4  0x00444080 in WTF::fastMalloc (n=2276512446) at FastMalloc.cpp:192
#5  0x0288a47f in WebCore::newUCharVector (n=3285739871) at WebCore/platform/text/StringImpl.cpp:52
#6  0x0288d3b2 in WebCore::StringImpl::StringImpl (this=0x1b2c0e70, characters=0x4745d548, length=3285739871) at WebCore/platform/text/StringImpl.cpp:79
#7  0x0288cb19 in WebCore::StringImpl::create (characters=0x4745d548, length=3285739871) at WebCore/platform/text/StringImpl.cpp:1019
#8  0x02887874 in WebCore::String::String (this=0xbfff9b5c, str=0x4745d548, len=3285739871) at WebCore/platform/text/String.cpp:50
#9  0x022b76ab in WebCore::CSSParserString::operator WebCore::String (this=0x45e32b4) at CSSParserValues.h:36
#10 0x022c8f9e in WebCore::CSSParser::parseCounterContent (this=0xbfffb2ec, args=0x45e32a0, counters=false) at WebCore/css/CSSParser.cpp:2658
#11 0x022ccd6e in WebCore::CSSParser::parseContent (this=0xbfffb2ec, propId=1036, important=false) at WebCore/css/CSSParser.cpp:1972
#12 0x022ce7fe in WebCore::CSSParser::parseValue (this=0xbfffb2ec, propId=1036, important=false) at WebCore/css/CSSParser.cpp:618
#13 0x022b63a0 in cssyyparse (parser=0xbfffb2ec) at CSSGrammar.y:1211

Confirmed with TOT WebKit.
Comment 2 Mark Rowe (bdash) 2008-08-15 08:14:54 PDT
Comment 3 Beth Dakin 2008-09-30 16:07:06 PDT
Created attachment 23958 [details]
Comment 4 Darin Adler 2008-09-30 16:16:05 PDT
Comment on attachment 23958 [details]

Comment 5 Beth Dakin 2008-09-30 16:20:20 PDT
Fixed with r37122.
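The shape of check such a fix needs, as an added illustration with hypothetical stand-in types: it is not WebKit's code and not the r37122 patch, which this page does not include. It assumes the root cause the backtrace points to: the NUMBER token from the reduction reaches the identifier-to-String conversion in parseCounterContent with stale string fields, and the stale length (3285739871) is what the allocation size was derived from.

```cpp
#include <cstdint>
#include <string>
// Hypothetical stand-ins for WebKit's CSSParserValue / CSSParserString (not WebKit code).
enum Unit { UNIT_NUMBER = 1, UNIT_IDENT = 2 };
struct ParserString {
    const char16_t* characters;
    int length;                 // signed, as CSSParserString::length was in 2008
};
struct ParserValue {
    Unit unit;                  // says which payload below is meaningful
    double fValue;              // set for NUMBER tokens
    ParserString string;        // set for IDENT tokens; stale bits otherwise
};

// Constructed NUMBER token for the reduction's counter() argument; its string fields
// carry the stale values the backtrace reports (characters=0x4745d548, length=3285739871).
ParserValue numberTokenFromReduction() {
    ParserValue v;
    v.unit = UNIT_NUMBER;
    v.fValue = -7036167556735246188.0;
    v.string.characters = reinterpret_cast<const char16_t*>(uintptr_t(0x4745d548u)); // never dereferenced
    v.string.length = -1009227425;  // == 3285739871 when read as unsigned
    return v;
}

// Constructed IDENT token, the kind of argument counter() is meant to receive.
ParserValue identToken(const char16_t* name, int len) {
    ParserValue v;
    v.unit = UNIT_IDENT;
    v.fValue = 0.0;
    v.string.characters = name;
    v.string.length = len;
    return v;
}

// Unchecked path, as in the trace: the argument becomes a String whatever its unit, so the
// stale length is used; on the 32-bit build, length * sizeof(UChar) wraps to 2276512446 bytes.
uint32_t bytesRequested32(const ParserValue& v) {
    uint32_t n = static_cast<uint32_t>(v.string.length);
    return n * static_cast<uint32_t>(sizeof(char16_t));
}

// Checked path: only an identifier may name a counter or attribute; a number is
// rejected before any String is built.
bool counterIdentifier(const ParserValue& v, std::u16string& out) {
    if (v.unit != UNIT_IDENT || v.string.length < 0)
        return false;
    out.assign(v.string.characters, static_cast<size_t>(v.string.length));
    return true;
}
```

The wrapped byte count equals the `n` passed to WTF::fastMalloc in Comment 1's backtrace, which is how the stale length and the failed allocation line up.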