Created attachment 75019
Repro

Repro:

<style>
*{
  -webkit-box-reflect: none !important;
  -webkit-box-reflect: below 0 url(x);
}
</style>

id:           chrome.dll!WebCore::CSSStyleSelector::loadPendingImages ReadAV@NULL (830f1940d708882124521ea60de442b0)
description:  Attempt to read from unallocated NULL pointer+0xC in chrome.dll!WebCore::CSSStyleSelector::loadPendingImages
application:  Chromium 9.0.596.0
stack:
chrome.dll!WebCore::CSSStyleSelector::loadPendingImages
chrome.dll!WebCore::CSSStyleSelector::styleForElement
chrome.dll!WebCore::Element::recalcStyle
chrome.dll!WebCore::Document::recalcStyle
chrome.dll!WebCore::Document::styleSelectorChanged
chrome.dll!WebCore::Document::removePendingSheet
chrome.dll!WebCore::StyleElement::sheetLoaded
chrome.dll!WebCore::SVGStyleElement::sheetLoaded
chrome.dll!WebCore::CSSStyleSheet::checkLoaded
chrome.dll!WebCore::StyleElement::createSheet
chrome.dll!WebCore::StyleElement::process
chrome.dll!WebCore::StyleElement::finishParsingChildren
chrome.dll!WebCore::HTMLStyleElement::finishParsingChildren
chrome.dll!WebCore::HTMLElementStack::popCommon
chrome.dll!WebCore::HTMLTreeBuilder::processEndTag
chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken
chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken
chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer
chrome.dll!WebCore::HTMLDocumentParser::insert
chrome.dll!WebCore::Document::write
chrome.dll!WebCore::V8HTMLDocument::writeCallback
chrome.dll!v8::internal::HandleApiCallHelper<...>
chrome.dll!v8::internal::Builtin_HandleApiCall
chrome.dll!v8::internal::Invoke
chrome.dll!v8::internal::Execution::Call
...
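Added model of the bug class behind this report; it is illustrative code, not WebKit's CSSStyleSelector or the fix in the attached patch. The assumption it encodes is that a pending-image entry gets recorded while the non-important `below 0 url(x)` declaration is applied, and that the later `none !important` declaration then nulls the reflection, so the image-loading pass must re-check the pointer for each pending entry rather than trust the list.

```cpp
// Added model, not WebKit code: a pending-image entry recorded for one declaration
// can outlive the reflection object it refers to once a later !important
// declaration resets it, which is the null read the crash report describes.
#include <memory>
#include <set>
#include <string>
#include <vector>

struct StyleReflection { std::string maskUrl; };      // stands in for WebCore::StyleReflection

struct RenderStyle {
    std::unique_ptr<StyleReflection> reflection;      // nullptr means "-webkit-box-reflect: none"
};

struct Declaration { std::string property, value; bool important; };

struct StyleSelector {
    RenderStyle style;
    std::set<std::string> pendingImageProperties;     // properties whose url() images are not loaded yet

    void applyDeclaration(const Declaration& d) {
        if (d.property != "-webkit-box-reflect") return;
        if (d.value == "none") { style.reflection.reset(); return; }
        // "below 0 url(x)": create the reflection and note that its mask image is still pending
        style.reflection = std::make_unique<StyleReflection>(StyleReflection{"x"});
        pendingImageProperties.insert(d.property);
    }

    // Cascade model (assumed ordering): normal declarations are applied before
    // !important ones, so the pending entry from `below 0 url(x)` survives while
    // `none !important` wins and clears the reflection.
    void applyAll(const std::vector<Declaration>& decls) {
        for (const auto& d : decls) if (!d.important) applyDeclaration(d);
        for (const auto& d : decls) if (d.important) applyDeclaration(d);
    }

    // True when the pending list still names box-reflect but the style has no reflection:
    // the state in which an unchecked `reflection->maskUrl` would read through a null pointer.
    bool hasStalePendingReflection() const {
        return pendingImageProperties.count("-webkit-box-reflect") > 0 && !style.reflection;
    }

    // Hardened loading pass: re-validates the pointer for every pending entry and
    // returns how many images it would start loading (0 for the repro, no crash).
    int loadPendingImages() const {
        int loaded = 0;
        for (const auto& prop : pendingImageProperties)
            if (prop == "-webkit-box-reflect" && style.reflection && !style.reflection->maskUrl.empty()) ++loaded;
        return loaded;
    }
};

// The two declarations from the repro's `*` rule, in source order.
std::vector<Declaration> reproDeclarations() {
    return {{"-webkit-box-reflect", "none", true}, {"-webkit-box-reflect", "below 0 url(x)", false}};
}
```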
See also: bug 46224.
<rdar://problem/8706182>
Crashes WebKit mac too.
Created attachment 75042
Patch
http://trac.webkit.org/changeset/72814