[webkit-dev] Eliminate potential null pointer dereference?
Maciej Stachowiak
mjs at apple.com
Sat Apr 21 13:05:49 PDT 2012
On Apr 21, 2012, at 9:45 AM, Antti Koivisto wrote:
> On Sat, Apr 21, 2012 at 8:13 AM, John Yani <vanuan at gmail.com> wrote:
>> 2316 if (selector->relation() != CSSSelector::SubSelector)
>> 2317 break;
>> 2318 selector = selector->tagHistory();
>> 2319 };
>>
>> Now selector is null and we are trying to call tagHistory():
>
> This is not possible. If selector->relation() == CSSSelector::SubSelector then there will always be a subselector in tagHistory.
>
>> 2321 for (selector = selector->tagHistory(); selector; selector =
>>
>> Which will result in segfault.
>
> That would indicate a serious bug in the CSS parser. The crash would allow us to catch and fix the bug. Now the bug is hidden. We have also lost some documentation (in the form of code) on what our data structures look like. The only sensible change here would have been ASSERT(selector) for documentation purposes.
Or change the first loop to while(true) instead of while(selector) to make clear that it can't actually exit with selector being null.
- Maciej
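The loop and the invariant the thread argues about, as an added example that is not WebKit's code: a minimal stand-in for CSSSelector exposing only relation() and tagHistory() (the Selector struct, the Relation enum, the function names and the two constructed sample chains are all assumptions), showing the quoted while (selector) loop with the ASSERT Antti proposes, the while (true) form Maciej suggests, and a check of the invariant ("a SubSelector relation always has a tagHistory") that makes both safe. The chain is stored rightmost-first, as WebKit stores it, with relation() describing how a simple selector combines with the one in its tagHistory().

```cpp
// Added example, not WebKit code. Selector is a hypothetical stand-in for
// CSSSelector; only relation() and tagHistory() mirror the real class.
#include <cassert>

enum class Relation { Descendant, Child, SubSelector };

struct Selector {
    Relation rel;
    const Selector* history;  // what CSSSelector::tagHistory() returns
    Relation relation() const { return rel; }
    const Selector* tagHistory() const { return history; }
};

// The invariant Antti relies on: a selector whose relation is SubSelector
// always has a tagHistory (the next simple selector of the same compound).
// An ASSERT(selector) after the loop documents exactly this.
bool chainIsWellFormed(const Selector* s) {
    for (; s; s = s->tagHistory()) {
        if (s->relation() == Relation::SubSelector && !s->tagHistory())
            return false;
    }
    return true;
}

// The quoted loop as written (while (selector)), plus the assert Antti
// suggests: on a well-formed chain the loop can only leave via the break.
// Returns the last simple selector of the leading compound selector.
const Selector* endOfCompoundWhileSelector(const Selector* selector) {
    while (selector) {
        if (selector->relation() != Relation::SubSelector)
            break;
        selector = selector->tagHistory();
    }
    assert(selector);  // fires only if the parser violated the invariant
    return selector;
}

// Maciej's variant: while (true) states in the code itself that the only
// exit is the break, so selector cannot be null on the next line. The entry
// selector is assumed non-null (a rule has at least one simple selector).
const Selector* endOfCompoundWhileTrue(const Selector* selector) {
    while (true) {
        if (selector->relation() != Relation::SubSelector)
            break;
        selector = selector->tagHistory();
    }
    return selector;
}

// Constructed sample chain for "div > p.b": p -> .b -> div (rightmost first).
struct SampleChain {
    Selector divTag{Relation::Descendant, nullptr};
    Selector classB{Relation::Child, &divTag};
    Selector pTag{Relation::SubSelector, &classB};
};

const Selector* sampleHead() {
    static SampleChain chain;
    return &chain.pTag;
}

// Constructed malformed chain: a SubSelector with no tagHistory, the case
// the thread says could only come from a bug in the CSS parser.
const Selector* brokenHead() {
    static const Selector broken{Relation::SubSelector, nullptr};
    return &broken;
}

int main() {
    assert(chainIsWellFormed(sampleHead()));
    assert(!chainIsWellFormed(brokenHead()));
    const Selector* end = endOfCompoundWhileSelector(sampleHead());
    assert(end == endOfCompoundWhileTrue(sampleHead()));
    assert(end->relation() == Relation::Child);
    // The quoted line 2321 continues from end->tagHistory(), the first simple
    // selector of the next compound; that loop does tolerate a null there.
    assert(end->tagHistory()->tagHistory() == nullptr);
    return 0;
}
```

Both loop forms return the same simple selector on a well-formed chain; the difference is where a parser bug would surface. With the assert, a malformed chain like brokenHead() aborts at the point the invariant is broken, which is the behaviour the thread prefers over a silent null check that would hide it.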