Bug 68307 - Crash in WebCore::CSSBorderImageValue::cssText
Summary: Crash in WebCore::CSSBorderImageValue::cssText
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Major
Assignee: Dave Hyatt
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2011-09-16 22:08 PDT by Chris Silverberg
Modified: 2011-09-17 16:11 PDT

See Also:


Attachments
Patch (3.30 KB, patch)
2011-09-17 15:51 PDT, Dave Hyatt
sam: review+

Description Chris Silverberg 2011-09-16 22:08:22 PDT
The following JavaScript snippet will lead to a crash in WebCore::CSSBorderImageValue::cssText:

  var el = document.getElementById('bar');
  el.style.WebkitMaskBoxImage = '-webkit-linear-gradient(red,green,blue)';
  console.log(el.style);

This is a regression that was introduced in r95099.  The problem with the above snippet is that we are not providing a 'slice' value.  Prior to r95099, CSSParser::parseBorderImage would always set a slice value if one was not provided.  With the recent changes, a default slice value is no longer set.  This will lead to a crash if CSSBorderImageValue::cssText() is called because it assumes m_imageSlice is valid.

The simple fix may simply be to change CSSBorderImageValue::cssText() as follows:

    // Now the slices.
    if (m_imageSlice)
        text += m_imageSlice->cssText();

(I am not certain if the above fix is complete or if there are other side effects that may occur due to CSSBorderImageValue lacking an image slice.)

Crash log:

Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000000 )

0x01350ab8	 [Google Chrome Framework	 - CSSBorderImageValue.cpp:50]	WebCore::CSSBorderImageValue::cssText
0x0139bb23	 [Google Chrome Framework	 - CSSProperty.cpp:32]	WebCore::CSSProperty::cssText
0x013745a7	 [Google Chrome Framework	 - CSSMutableStyleDeclaration.cpp:708]	WebCore::CSSMutableStyleDeclaration::cssText
0x0115459e	 [Google Chrome Framework	 - StyledElement.cpp:116]	WebCore::StyledElement::updateStyleAttribute
0x013e61b2	 [Google Chrome Framework	 - Element.h:480]	WebCore::SelectorChecker::checkOneSelector
0x013e5bf1	 [Google Chrome Framework	 - SelectorChecker.cpp:421]	WebCore::SelectorChecker::checkSelector
0x013cfc8f	 [Google Chrome Framework	 - CSSStyleSelector.cpp:1800]	WebCore::CSSStyleSelector::checkSelector
0x013b8bb3	 [Google Chrome Framework	 - CSSStyleSelector.cpp:606]	WebCore::CSSStyleSelector::matchRulesForList
0x013b88b4	 [Google Chrome Framework	 - CSSStyleSelector.cpp:536]	WebCore::CSSStyleSelector::matchRules
0x013b7199	 [Google Chrome Framework	 - CSSStyleSelector.cpp:1204]	WebCore::CSSStyleSelector::styleForElement
0x0111f3e5	 [Google Chrome Framework	 - Element.cpp:1055]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x0111f7f0	 [Google Chrome Framework	 - Element.cpp:1157]	WebCore::Element::recalcStyle
0x011052a9	 [Google Chrome Framework	 - Document.cpp:1568]	WebCore::Document::recalcStyle
0x01106038	 [Google Chrome Framework	 - Document.cpp:1625]	WebCore::Document::updateStyleIfNeeded
0x01106164	 [Google Chrome Framework	 - Document.cpp:1652]	WebCore::Document::updateLayout
0x01106257	 [Google Chrome Framework	 - Document.cpp:1688]	WebCore::Document::updateLayoutIgnorePendingStylesheets
0x0111c2bb	 [Google Chrome Framework	 - Element.cpp:347]	WebCore::Element::offsetHeight
0x0174056a	 [Google Chrome Framework	 - V8Element.cpp:93]	WebCore::ElementInternal::offsetHeightAttrGetter
0x00d1df3c	 [Google Chrome Framework	 - objects.cc:203]	v8::internal::Object::GetPropertyWithCallback
0x00d1dd38	 [Google Chrome Framework	 - objects.cc:583]	v8::internal::Object::GetProperty
Comment 1 Alexey Proskuryakov 2011-09-17 12:47:26 PDT
<rdar://problem/10142425>
Comment 2 Alexey Proskuryakov 2011-09-17 12:49:00 PDT
Are there any live Web sites affected by this? That information greatly affects prioritization.
Comment 3 Dan Beam 2011-09-17 14:00:11 PDT
Well, the New Tab Page in Chrome was affected - on every drag there was a crash because we're adding this style (http://goo.gl/jZpBZ).  It was also Chrome Canary's #1 crash the day it was introduced (crbug.com/96851#c1).
Comment 4 Dave Hyatt 2011-09-17 14:53:07 PDT
Both the image source and image slice just need to be null checked.
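As an added illustration that is not WebKit's code, the cut-down stand-in below models the two shapes of cssText(): the unconditional dereference that crashed once the parser stopped supplying a default slice, and the null-checked form described in comment 4. CSSValue, BorderImageValue and the two factory functions are hypothetical names chosen for the example; the gradient-only sample mirrors the reporter's repro.

```cpp
// Added illustration (not WebKit code): why CSSBorderImageValue::cssText()
// must null-check its parts after r95099 stopped setting a default slice.
#include <memory>
#include <string>

// Stand-in for WebCore::CSSValue; only cssText() matters here.
struct CSSValue {
    std::string text;
    std::string cssText() const { return text; }
};

// Hypothetical model of CSSBorderImageValue: the parser may now build it
// with only an image, leaving m_imageSlice null.
struct BorderImageValue {
    std::shared_ptr<CSSValue> m_image;
    std::shared_ptr<CSSValue> m_imageSlice;

    // Pre-fix shape: unconditional dereference. Reads through a null
    // pointer whenever the slice is absent, as in the mask-box-image repro.
    std::string cssTextUnchecked() const {
        return m_image->cssText() + " " + m_imageSlice->cssText();
    }

    // Hardened shape (comment 4): both the image source and the slice are
    // null-checked, and only the parts that are present get serialized.
    std::string cssText() const {
        std::string text;
        if (m_image)
            text += m_image->cssText();
        if (m_imageSlice) {
            if (!text.empty())
                text += ' ';
            text += m_imageSlice->cssText();
        }
        return text;
    }
};

// Constructed sample matching the bug report: gradient image, no slice.
BorderImageValue makeGradientOnly() {
    BorderImageValue v;
    v.m_image = std::make_shared<CSSValue>(CSSValue{"-webkit-linear-gradient(red,green,blue)"});
    return v;
}

// Constructed sample with both parts present, the case the old code assumed.
BorderImageValue makeWithSlice() {
    BorderImageValue v;
    v.m_image = std::make_shared<CSSValue>(CSSValue{"url(border.png)"});
    v.m_imageSlice = std::make_shared<CSSValue>(CSSValue{"30%"});
    return v;
}
```

Calling cssTextUnchecked() on the gradient-only value is exactly the null read in the crash log; the checked cssText() serializes just the image instead.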
Comment 5 Dave Hyatt 2011-09-17 15:51:57 PDT
Created attachment 107777 [details]
Patch
Comment 6 Dave Hyatt 2011-09-17 16:11:25 PDT
Fixed in r95386.