20515 – Crash upon parsing CSS: unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region=

RESOLVED FIXED 20515

Crash upon parsing CSS: unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region=

https://bugs.webkit.org/show_bug.cgi?id=20515

Summary Crash upon parsing CSS: unicode-range: searchfield-cancel-buttonpt=-webkit-da...

Robert Swiecki

Reported 2008-08-25 13:26:37 PDT

Webkit: 35904 Crash on the following code: <html> <style> body { unicode-range: searchfield-cancel-buttonpt=-webkit-dashboard-region= } </style> </html> Seems similar (according to the stacktrace) to https://bugs.webkit.org/show_bug.cgi?id=20513 (994.de8): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=7fd225e0 ecx=00000000 edx=0012f65c esi=7fd52338 edi=00000000 eip=00b4f1c2 esp=0012f610 ebp=0012f8f4 iopl=0 nv up ei ng nz ac po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293 WebKit!WebCore::CSSStyleSelector::resolveVariablesForDeclaration+0xc3: 00b4f1c2 8b07 mov eax,dword ptr [edi] ds:0023:00000000=???????? 0:000> kb ChildEBP RetAddr Args to Child 0012f8f4 00aa2fa1 7fd22600 7fd225e0 0012f918 WebKit!WebCore::CSSStyleSelector::resolveVariablesForDeclaration+0xc3 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 547] 0012f944 00796977 7fd22600 ffffffff 7fed8780 WebKit!WebCore::CSSStyleSelector::addMatchedDeclaration+0x315141 0012f968 00797785 0012f9a8 0012f9a4 7fd4e448 WebKit!WebCore::CSSStyleSelector::matchRules+0x127 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 618] 0012f998 007902f4 7fd3f9b0 00000001 00000001 WebKit!WebCore::CSSStyleSelector::styleForElement+0x165 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\css\cssstyleselector.cpp @ 1137] 0012f9ac 00791f9c 7fd4e448 7fd3f9b0 0012fa28 WebKit!WebCore::Element::styleForRenderer+0x14 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 672] 0012f9cc 00790bbb 7fe93320 7fd3f9b0 0076f0f0 WebKit!WebCore::Node::createRendererIfNeeded+0x5c [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\node.cpp @ 1015] 0012f9d8 0076f0f0 7ff0b800 0000000a 7ff9005c WebKit!WebCore::Element::attach+0xb [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\element.cpp @ 718] 0012fa04 00769873 00000000 0012fa28 00000000 WebKit!WebCore::ContainerNode::appendChild+0xf0 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\containernode.cpp @ 574] 0012fa40 009387fd 7febf6a8 7fe91250 00938ec8 WebKit!WebCore::Document::implicitClose+0x283 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 1540] 0012fa4c 00938ec8 7fe91250 7ff0b82c 007ea32b WebKit!WebCore::FrameLoader::checkCompleted+0x9d [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1295] 0012fa58 007ea32b 00000000 7fd3a428 00007f1e WebKit!WebCore::FrameLoader::finishedParsing+0x28 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1243] 0012fa70 007e4f27 00c49174 0000001e 00007f1e WebKit!WebCore::Document::finishedParsing+0x4b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\dom\document.cpp @ 3779] 0012fa94 007dc65e 7fd3a428 7fef6434 7fef6400 WebKit!WebCore::HTMLParser::finished+0xc7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmlparser.cpp @ 1538] 0012fab4 007f4a21 7fd3cc00 7febf6a8 7fe91250 WebKit!WebCore::HTMLTokenizer::end+0x12e [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1851] 0012fb08 00938e67 7fecca00 7febf6a8 00938b2b WebKit!WebCore::HTMLTokenizer::finish+0x51 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\html\htmltokenizer.cpp @ 1889] 0012fb14 00938b2b 7ff01a00 7fecca00 0486ca50 WebKit!WebCore::FrameLoader::endIfNotLoadingMainResource+0x47 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 1076] 0012fb24 009f2243 7fd2c450 045abcf0 009f4e67 WebKit!WebCore::FrameLoader::finishedLoading+0x2b [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\frameloader.cpp @ 2914] 0012fb30 009f4e67 00944e11 7fd2c450 045abcf0 WebKit!WebCore::MainResourceLoader::didFinishLoading+0x23 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\mainresourceloader.cpp @ 321] 0012fb34 00944e11 7fd2c450 045abcf0 6a535f00 WebKit!WebCore::ResourceLoader::didFinishLoading+0x7 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\loader\resourceloader.cpp @ 399] *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\CFNetwork.dll - 0012fb40 6a535f00 045abcf0 7fd2c450 0486ca50 WebKit!WebCore::didFinishLoading+0x21 [c:\cygwin\home\buildbot\slave\win32-release-archive\build\opensource\webcore\platform\network\cf\resourcehandlecfnet.cpp @ 119]

Attachments
Patch to handle invalid IDs (5.28 KB, patch) 2008-09-18 14:13 PDT, Beth Dakin	hyatt: review-	Details Formatted Diff Diff
Patch 2 (5.01 KB, patch) 2008-09-18 14:57 PDT, Beth Dakin	hyatt: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Dave Hyatt

Comment 1 2008-08-25 13:42:28 PDT

CSSParserValue::createCSSValue needs to handle unknown identifiers. It drops them on the floor right now and returns 0. Then the value list ends up with a null item. We should fix this method to actually create a CSSPrimitiveValue that can really be used. (Will probably need a new unit type like CSS_PARSER_IDENTIFIER for unknown identifiers.)

Mark Rowe (bdash)

Comment 2 2008-08-25 13:49:46 PDT

<rdar://problem/6174100>

Beth Dakin

Comment 3 2008-09-18 14:13:38 PDT

Created attachment 23537 [details] Patch to handle invalid IDs

Dave Hyatt

Comment 4 2008-09-18 14:22:42 PDT

Comment on attachment 23537 [details] Patch to handle invalid IDs All you're doing is making a value that has absolutely no contents. You need to actually store the string and implement the round-tripping like the other CSS_PARSER_*** types do. We're going to be turning CSS variables off, which means this bug isn't that high priority.

Beth Dakin

Comment 5 2008-09-18 14:57:47 PDT

Created attachment 23539 [details] Patch 2 I see. Using the other CSS_PARSER… types as a model, I think this does that.

Dave Hyatt

Comment 6 2008-09-18 15:06:46 PDT

Comment on attachment 23539 [details] Patch 2 + case CSS_PARSER_IDENTIFIER: + text = quoteStringIfNeeded(m_value.string); Add a "break;" in case we add more cases in the future. This line is wrong: + value.unit = m_type; It should set the type to CSS_IDENT. Please put the layout test under fast/css/variables, since when we turn CSS variables off, we don't want to have to look for tests in other subdirectories. Fix those two things and r=me

Beth Dakin

Comment 7 2008-09-18 15:18:37 PDT

Fixed both and moved the tests. Thanks, Dave!

Beth Dakin

Comment 8 2008-09-18 15:18:52 PDT

Oh, and r36624.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware PC

OS Windows XP

Product WebKit

Component WebKit Misc.

Assignee

Beth Dakin

Reported

2008-08-25 13:26 PDT

Modified

2008-09-18 15:18 PDT History

CC List

0 users

URL

Keywords HasReduction, InRadar

Depends on

Blocks