The following JavaScript snippet will lead to a crash in WebCore::CSSBorderImageValue::cssText:

    // 'bar' is assumed to be the id of an element already in the page.
    var el = document.getElementById('bar');
    el.style.WebkitMaskBoxImage = '-webkit-linear-gradient(red,green,blue)';
    // Logging the declaration serializes it, which calls cssText().
    console.log(el.style);

This is a regression that was introduced in r95099.

The problem with the above snippet is that we are not providing a 'slice' value. Prior to r95099, CSSParser::parseBorderImage would always set a slice value if one was not provided. With the recent changes, a default slice value is no longer set. This will lead to a crash if CSSBorderImageValue::cssText() is called because it assumes m_imageSlice is valid.

The simple fix may simply be to change CSSBorderImageValue::cssText() as follows:

    // Now the slices.
    if (m_imageSlice)
        text += m_imageSlice->cssText();

(I am not certain if the above fix is complete or if there are other side effects that may occur due to CSSBorderImageValue lacking an image slice.)

Crash log:

Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000000 )
0x01350ab8 [Google Chrome Framework - CSSBorderImageValue.cpp:50] WebCore::CSSBorderImageValue::cssText
0x0139bb23 [Google Chrome Framework - CSSProperty.cpp:32] WebCore::CSSProperty::cssText
0x013745a7 [Google Chrome Framework - CSSMutableStyleDeclaration.cpp:708] WebCore::CSSMutableStyleDeclaration::cssText
0x0115459e [Google Chrome Framework - StyledElement.cpp:116] WebCore::StyledElement::updateStyleAttribute
0x013e61b2 [Google Chrome Framework - Element.h:480] WebCore::SelectorChecker::checkOneSelector
0x013e5bf1 [Google Chrome Framework - SelectorChecker.cpp:421] WebCore::SelectorChecker::checkSelector
0x013cfc8f [Google Chrome Framework - CSSStyleSelector.cpp:1800] WebCore::CSSStyleSelector::checkSelector
0x013b8bb3 [Google Chrome Framework - CSSStyleSelector.cpp:606] WebCore::CSSStyleSelector::matchRulesForList
0x013b88b4 [Google Chrome Framework - CSSStyleSelector.cpp:536] WebCore::CSSStyleSelector::matchRules
0x013b7199 [Google Chrome Framework - CSSStyleSelector.cpp:1204] WebCore::CSSStyleSelector::styleForElement
0x0111f3e5 [Google Chrome Framework - Element.cpp:1055] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x0111f7f0 [Google Chrome Framework - Element.cpp:1157] WebCore::Element::recalcStyle
0x011052a9 [Google Chrome Framework - Document.cpp:1568] WebCore::Document::recalcStyle
0x01106038 [Google Chrome Framework - Document.cpp:1625] WebCore::Document::updateStyleIfNeeded
0x01106164 [Google Chrome Framework - Document.cpp:1652] WebCore::Document::updateLayout
0x01106257 [Google Chrome Framework - Document.cpp:1688] WebCore::Document::updateLayoutIgnorePendingStylesheets
0x0111c2bb [Google Chrome Framework - Element.cpp:347] WebCore::Element::offsetHeight
0x0174056a [Google Chrome Framework - V8Element.cpp:93] WebCore::ElementInternal::offsetHeightAttrGetter
0x00d1df3c [Google Chrome Framework - objects.cc:203] v8::internal::Object::GetPropertyWithCallback
0x00d1dd38 [Google Chrome Framework - objects.cc:583] v8::internal::Object::GetProperty
<rdar://problem/10142425>
Are there any live Web sites affected by this? That information greatly affects prioritization.
Well, the New Tab Page in Chrome was affected - on every drag there was a crash because we're adding this style (http://goo.gl/jZpBZ). It was also Chrome Canary's #1 crash the day it was introduced (crbug.com/96851#c1).
Both the image source and image slice just need to be null checked.
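The serialization problem described in the report and the null checks called for in the comment above, as an added illustration that is not WebKit's code: a simplified stand-in for CSSBorderImageValue whose image and slice components are both optional, with the unchecked serializer beside the null-checked one. Class and member names, the use of std::shared_ptr in place of RefPtr, and the sample values (the reporter's gradient, a made-up url() image and a 30% slice) are assumptions for the example.

```cpp
// Added example, not WebCore code. Models a border-image style value whose
// components may legitimately be unset after parsing, and shows why the
// serializer must tolerate a missing slice instead of assuming it.
#include <cstdio>
#include <memory>
#include <string>

// Stand-in for a parsed CSS value that knows how to serialize itself.
struct CSSValue {
    std::string text;
    explicit CSSValue(std::string t) : text(std::move(t)) {}
    std::string cssText() const { return text; }
};

// Simplified stand-in for WebCore::CSSBorderImageValue. std::shared_ptr is
// used here where WebCore uses RefPtr; either can be null.
struct BorderImageValue {
    std::shared_ptr<CSSValue> image; // corresponds to m_image
    std::shared_ptr<CSSValue> slice; // corresponds to m_imageSlice

    // Before the fix: both members are dereferenced unconditionally. With a
    // null slice (an image set and no slice value parsed) this is a null
    // pointer dereference, i.e. the EXC_BAD_ACCESS at address 0 in the log.
    std::string cssTextUnchecked() const {
        std::string text = image->cssText();
        text += " ";
        text += slice->cssText();
        return text;
    }

    // After the fix: each component is null-checked before it is serialized,
    // so a value carrying only an image serializes to just that image, and a
    // value with neither component serializes to the empty string.
    std::string cssText() const {
        std::string text;
        if (image)
            text += image->cssText();
        if (slice) {
            if (!text.empty())
                text += " ";
            text += slice->cssText();
        }
        return text;
    }
};

// Mirrors the reporter's snippet: a gradient as the image and no slice.
BorderImageValue makeGradientWithoutSlice() {
    BorderImageValue v;
    v.image = std::make_shared<CSSValue>("-webkit-linear-gradient(red,green,blue)");
    return v;
}

// A fully specified value (constructed sample data) that both serializers
// handle identically; only the missing-component cases differ.
BorderImageValue makeFullValue() {
    BorderImageValue v;
    v.image = std::make_shared<CSSValue>("url(border.png)");
    v.slice = std::make_shared<CSSValue>("30%");
    return v;
}

int main() {
    // Only the null-checked serializer is safe to call on the reporter's case.
    std::printf("%s\n", makeGradientWithoutSlice().cssText().c_str());
    std::printf("%s\n", makeFullValue().cssText().c_str());
    return 0;
}
```

Calling cssTextUnchecked() on the value returned by makeGradientWithoutSlice() reproduces the class of failure in the crash log; the checked cssText() is what a regression test for this bug should exercise, with the no-image and no-slice cases both covered.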
Created attachment 107777: Patch
Fixed in r95386.