RESOLVED FIXED 49055
getPropertyValue("background") causes crash
https://bugs.webkit.org/show_bug.cgi?id=49055
Summary getPropertyValue("background") causes crash
Maxwell Terpstra
Reported 2010-11-04 21:25:10 PDT
Created attachment 73032 [details] reduced test case - TRIGGERS CRASH WHEN OPENED

WebCore::CSSPrimitiveValue::getIdent() crashes WebKit when certain styling conditions are met. This crash can be triggered by running `getPropertyValue("background")` on a CSSStyleDeclaration object in JavaScript, as long as that style declaration sets the `background` shorthand property with a minimum of two background image values and sets the `background-repeat` property to a maximum of one less value than set in the `background` property. The actual values of the two properties do not seem to matter: the `background` shorthand may contain any kind of images/image functions, and may or may not specify background-repeat or other background values itself. The source of the rule (style attribute, element, etc.) does not matter, but both properties must be set within a single rule declaration. The crash can also be triggered by the Web Inspector trying to display said CSS rule in the style pane.

I have attached a test case which makes the bug easy to reproduce. Simply opening it will cause the crash.

Here's the top of my crash log:

Process: Safari [26168]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: org.webkit.nightly.WebKit
Version: r71204 (71204)
Code Type: X86-64 (Native)
Parent Process: launchd [355]
Date/Time: 2010-11-04 20:59:02.010 -0700
OS Version: Mac OS X 10.6.4 (10F569)
Report Version: 6
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000000c
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000100d65964 WebCore::CSSPrimitiveValue::getIdent() + 4
1 com.apple.WebCore 0x0000000100d4603a WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue(int const*, unsigned int) const + 1370
2 com.apple.WebCore 0x0000000100d47343 WebCore::CSSMutableStyleDeclaration::getPropertyValue(int) const + 1075
3 com.apple.WebCore 0x0000000100d74af0 WebCore::CSSStyleDeclaration::getPropertyValue(WTF::String const&) + 80

The next lines in the backtrace vary depending on how the bug is triggered (starting with either "WebCore::InspectorDOMAgent::shorthandValue(WebCore::CSSStyleDeclaration*, WTF::String const&) + 39" or "WebCore::jsCSSStyleDeclarationPrototypeFunctionGetPropertyValue(JSC::ExecState*) + 310").

This bug also affects release Safari 5.0.2 (6533.18.5).
Attachments
reduced test case - TRIGGERS CRASH WHEN OPENED (142 bytes, text/html)
2010-11-04 21:25 PDT, Maxwell Terpstra
no flags
[PATCH] Suggested fix (3.75 KB, patch)
2010-11-08 06:27 PST, Alexander Pavlov (apavlov)
hyatt: review+
Alexey Proskuryakov
Comment 1 2010-11-05 13:54:25 PDT
See also: <rdar://problem/8100046> (only visible to Apple employees).
Alexander Pavlov (apavlov)
Comment 2 2010-11-08 06:27:55 PST
Created attachment 73237 [details] [PATCH] Suggested fix

The code obviously lacks a NULL check since the input is pre-modified for every property layer.
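The report above describes the trigger (two background images, one background-repeat value) and Comment 2 names the defect (a missing NULL check when a longhand supplies fewer values than there are layers). The following is an added illustration, not WebKit's code and not the attached patch: a small hypothetical model of a layered-shorthand serializer in which the per-layer lookup returns null for a layer the longhand never specified, and the serializer checks for that null before using the value instead of dereferencing it. The struct and function names (`Longhand`, `layerValue`, `serializeLayeredShorthand`, `reportedCase`) are assumptions made for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical model (not WebKit's CSSMutableStyleDeclaration): each longhand
// of a layered shorthand carries one value per comma-separated layer, and the
// lists are allowed to have different lengths, exactly as in the reported case.
struct Longhand {
    std::string name;
    std::vector<std::string> layers;
};

// Value of `longhand` for layer `i`, or nullptr when the declaration supplied
// fewer values than there are layers. This null is the input that the crashing
// code dereferenced via getIdent() without checking.
static const std::string* layerValue(const Longhand& longhand, std::size_t i)
{
    return i < longhand.layers.size() ? &longhand.layers[i] : nullptr;
}

// Serialises the shorthand layer by layer. The layer count is the longest
// longhand list, so shorter lists yield null entries for the trailing layers;
// the check below is the guard whose absence produces the reported crash.
std::string serializeLayeredShorthand(const std::vector<Longhand>& longhands)
{
    std::size_t layerCount = 0;
    for (const Longhand& lh : longhands)
        if (lh.layers.size() > layerCount)
            layerCount = lh.layers.size();

    std::string result;
    for (std::size_t i = 0; i < layerCount; ++i) {
        std::string layer;
        for (const Longhand& lh : longhands) {
            const std::string* value = layerValue(lh, i);
            if (!value)          // missing value for this layer: skip, do not dereference
                continue;
            if (!layer.empty())
                layer += ' ';
            layer += *value;
        }
        if (!result.empty())
            result += ", ";
        result += layer;
    }
    return result;
}

// Constructed input mirroring the report's trigger:
//   background: url(a.png), url(b.png); background-repeat: repeat-x;
// Layer 1 has an image but no repeat value, so layerValue() returns nullptr there.
std::string reportedCase()
{
    std::vector<Longhand> longhands = {
        {"background-image", {"url(a.png)", "url(b.png)"}},
        {"background-repeat", {"repeat-x"}},
    };
    return serializeLayeredShorthand(longhands);
}

int main()
{
    // Expected: "url(a.png) repeat-x, url(b.png)"
    assert(reportedCase() == "url(a.png) repeat-x, url(b.png)");
    return 0;
}
```

The point of the model is the shape of the defect rather than WebKit's exact serialisation rules: whenever a per-layer lookup can legitimately come back empty, every consumer of that lookup needs the null check, and a regression test built from the reporter's minimal case (more images than repeat values) is the cheapest way to keep it from silently disappearing again.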
Dave Hyatt
Comment 3 2010-11-08 08:21:37 PST
Comment on attachment 73237 [details] [PATCH] Suggested fix r=me
Alexander Pavlov (apavlov)
Comment 4 2010-11-08 08:56:23 PST