RESOLVED FIXED Bug 24172
Reproducible crash in CSSParser::parseFillImage copying contents of this page
https://bugs.webkit.org/show_bug.cgi?id=24172
Beth Dakin
Reported 2009-02-25 14:21:54 PST
Thread 0 Crashed (i386):
#0 com.apple.WebCore 0x00e30235 WebCore::CSSParser::parseFillImage(WTF::RefPtr<WebCore::CSSValue>&) + 437
#1 com.apple.WebCore 0x00e30d8f WebCore::CSSParser::parseFillProperty(int, int&, int&, WTF::RefPtr<WebCore::CSSValue>&, WTF::RefPtr<WebCore::CSSValue>&) + 2575
#2 com.apple.WebCore 0x00e34b2c WebCore::CSSParser::parseValue(int, bool) + 7724
#3 com.apple.WebCore 0x00e1a809 cssyyparse(void*) + 12953
#4 com.apple.WebCore 0x00e2aa09 WebCore::CSSParser::parseValue(WebCore::CSSMutableStyleDeclaration*, int, WebCore::String const&, bool) + 89
#5 com.apple.WebCore 0x00e218c5 WebCore::CSSMutableStyleDeclaration::setProperty(int, WebCore::String const&, bool, bool) + 213
#6 com.apple.WebCore 0x014d0806 WebCore::createMarkup(WebCore::Range const*, WTF::Vector<WebCore::Node*, 0ul>*, WebCore::EAnnotateForInterchange, bool) + 7862
#7 com.apple.WebCore 0x0127ee37 WebCore::LegacyWebArchive::createFromSelection(WebCore::Frame*) + 135
#8 com.apple.WebCore 0x012be382 WebCore::Pasteboard::writeSelection(NSPasteboard*, WebCore::Range*, bool, WebCore::Frame*) + 1442
#9 com.apple.WebCore 0x00f96281 WebCore::Editor::copy() + 273
#10 com.apple.WebCore 0x00f9e879 __ZN7WebCoreL11executeCopyEPNS_5FrameEPNS_5EventENS_19EditorCommandSourceERKNS_6StringE + 25
#11 com.apple.WebCore 0x00f9d48e WebCore::Editor::Command::execute(WebCore::String const&, WebCore::Event*) const + 142
#12 com.apple.WebKit 0x001c3cd1 -[WebHTMLView executeCoreCommandBySelector:] + 129
#13 com.apple.AppKit 0x9695cb03 -[NSApplication sendAction:to:from:] + 112
#14 com.apple.Safari 0x0002d458 -[BrowserApplication sendAction:to:from:] (/SourceCache/WebBrowser/WebBrowser-5525.20.1/mac/BrowserApplication.m:90)
#15 com.apple.AppKit 0x96a0b540 -[NSMenu performActionForItemAtIndex:] + 493
#16 com.apple.AppKit 0x96a0b245 -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 220
#17 com.apple.AppKit 0x96a0aecb -[NSMenu performKeyEquivalent:] + 866
#18 com.apple.AppKit 0x96a09770 -[NSApplication _handleKeyEquivalent:] + 492
#19 com.apple.AppKit 0x96926733 -[NSApplication sendEvent:] + 3999
#20 com.apple.Safari 0x0002b5d8 -[BrowserApplication sendEvent:] (/SourceCache/WebBrowser/WebBrowser-5525.20.1/mac/BrowserApplication.m:143)
#21 com.apple.AppKit 0x96883d0f -[NSApplication run] + 847
#22 com.apple.AppKit 0x96850f14 NSApplicationMain + 574
#23 com.apple.Safari 0x000ba4d6 start
Attachments
Reduction (24 bytes, text/html)
2009-02-25 14:23 PST, Beth Dakin
no flags
Null-Check Patch (2.16 KB, patch)
2009-02-25 14:49 PST, Beth Dakin
no flags
Null-Check Patch with ChangLogs (2.98 KB, patch)
2009-02-25 14:52 PST, Beth Dakin
darin: review+
Beth Dakin
Comment 1 2009-02-25 14:23:48 PST
Created attachment 27984: Reduction
Here is a reduction. To reproduce the crash, load the page in tip of tree WebKit. Press Command-A to select all. Press Command-C to copy. Then you should crash. This is clearly a null-dereference. I am going to upload a null-check patch momentarily.
Beth Dakin
Comment 2 2009-02-25 14:49:28 PST
Created attachment 27987: Null-Check Patch
Beth Dakin
Comment 3 2009-02-25 14:50:24 PST
This is in Radar as <rdar://problem/6487249>
Beth Dakin
Comment 4 2009-02-25 14:52:53 PST
Created attachment 27988: Null-Check Patch with ChangLogs
Oops, forgot a layout tests changelog.
Darin Adler
Comment 5 2009-02-25 14:54:29 PST
Comment on attachment 27988: Null-Check Patch with ChangLogs
r=me
Beth Dakin
Comment 6 2009-02-25 14:59:16 PST
Thanks Darin! Fixed with revision 41231.