Bug 24172 - Reproducible crash in CSSParser::parseFillImage copying contents of this page
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P2 Normal
Assignee: Beth Dakin
Keywords: HasReduction, InRadar, Regression
Reported: 2009-02-25 14:21 PST by Beth Dakin
Modified: 2009-02-25 14:59 PST (History)
Attachments
Reduction (24 bytes, text/html), 2009-02-25 14:23 PST, Beth Dakin, no flags
Null-Check Patch (2.16 KB, patch), 2009-02-25 14:49 PST, Beth Dakin, no flags
Null-Check Patch with ChangLogs (2.98 KB, patch), 2009-02-25 14:52 PST, Beth Dakin, darin: review+

Description Beth Dakin 2009-02-25 14:21:54 PST
Thread 0 Crashed (i386):
  #0   com.apple.WebCore          0x00e30235  WebCore::CSSParser::parseFillImage(WTF::RefPtr<WebCore::CSSValue>&) + 437
  #1   com.apple.WebCore          0x00e30d8f  WebCore::CSSParser::parseFillProperty(int, int&, int&, WTF::RefPtr<WebCore::CSSValue>&, WTF::RefPtr<WebCore::CSSValue>&) + 2575
  #2   com.apple.WebCore          0x00e34b2c  WebCore::CSSParser::parseValue(int, bool) + 7724
  #3   com.apple.WebCore          0x00e1a809  cssyyparse(void*) + 12953
  #4   com.apple.WebCore          0x00e2aa09  WebCore::CSSParser::parseValue(WebCore::CSSMutableStyleDeclaration*, int, WebCore::String const&, bool) + 89
  #5   com.apple.WebCore          0x00e218c5  WebCore::CSSMutableStyleDeclaration::setProperty(int, WebCore::String const&, bool, bool) + 213
  #6   com.apple.WebCore          0x014d0806  WebCore::createMarkup(WebCore::Range const*, WTF::Vector<WebCore::Node*, 0ul>*, WebCore::EAnnotateForInterchange, bool) + 7862
  #7   com.apple.WebCore          0x0127ee37  WebCore::LegacyWebArchive::createFromSelection(WebCore::Frame*) + 135
  #8   com.apple.WebCore          0x012be382  WebCore::Pasteboard::writeSelection(NSPasteboard*, WebCore::Range*, bool, WebCore::Frame*) + 1442
  #9   com.apple.WebCore          0x00f96281  WebCore::Editor::copy() + 273
  #10  com.apple.WebCore          0x00f9e879  __ZN7WebCoreL11executeCopyEPNS_5FrameEPNS_5EventENS_19EditorCommandSourceERKNS_6StringE + 25
  #11  com.apple.WebCore          0x00f9d48e  WebCore::Editor::Command::execute(WebCore::String const&, WebCore::Event*) const + 142
  #12  com.apple.WebKit           0x001c3cd1  -[WebHTMLView executeCoreCommandBySelector:] + 129
  #13  com.apple.AppKit           0x9695cb03  -[NSApplication sendAction:to:from:] + 112
  #14  com.apple.Safari           0x0002d458  -[BrowserApplication sendAction:to:from:] (/SourceCache/WebBrowser/WebBrowser-5525.20.1/mac/BrowserApplication.m:90)
  #15  com.apple.AppKit           0x96a0b540  -[NSMenu performActionForItemAtIndex:] + 493
  #16  com.apple.AppKit           0x96a0b245  -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 220
  #17  com.apple.AppKit           0x96a0aecb  -[NSMenu performKeyEquivalent:] + 866
  #18  com.apple.AppKit           0x96a09770  -[NSApplication _handleKeyEquivalent:] + 492
  #19  com.apple.AppKit           0x96926733  -[NSApplication sendEvent:] + 3999
  #20  com.apple.Safari           0x0002b5d8  -[BrowserApplication sendEvent:] (/SourceCache/WebBrowser/WebBrowser-5525.20.1/mac/BrowserApplication.m:143)
  #21  com.apple.AppKit           0x96883d0f  -[NSApplication run] + 847
  #22  com.apple.AppKit           0x96850f14  NSApplicationMain + 574
  #23  com.apple.Safari           0x000ba4d6  start
Comment 1 Beth Dakin 2009-02-25 14:23:48 PST
Created attachment 27984 [details]
Reduction

Here is a reduction. To reproduce the crash, load the page in tip of tree WebKit. Press Command-A to select all. Press Command-C to copy. Then you should crash.

This is clearly a null-dereference. I am going to upload a null-check patch momentarily.
Comment 2 Beth Dakin 2009-02-25 14:49:28 PST
Created attachment 27987 [details]
Null-Check Patch
Comment 3 Beth Dakin 2009-02-25 14:50:24 PST
This is in Radar as <rdar://problem/6487249>
Comment 4 Beth Dakin 2009-02-25 14:52:53 PST
Created attachment 27988 [details]
Null-Check Patch with ChangLogs

Oops, forgot a layout tests changelog.
Comment 5 Darin Adler 2009-02-25 14:54:29 PST
Comment on attachment 27988 [details]
Null-Check Patch with ChangLogs

r=me
Comment 6 Beth Dakin 2009-02-25 14:59:16 PST
Thanks Darin! Fixed with revision 41231.