[webkit-reviews] review denied: [Bug 70107] Custom written CSS lexer : [Attachment 118748] core patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 12 13:09:49 PST 2011

Oliver Hunt <oliver at apple.com> has denied Zoltan Herczeg
<zherczeg at webkit.org>'s request for review:
Bug 70107: Custom written CSS lexer

Attachment 118748: core patch

------- Additional Comments from Oliver Hunt <oliver at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=118748&action=review

There seems to be a lot of code in this that assumes null-termination of all
strings passed to the lexer -- is this guaranteed?  For instance if i do var
foo = "some big string"; someElement.style=foo.substring(2, 8);  (not sure if
this exact statement is valid), we may return a StringImpl that is referencing
the middle of another string so null termination won't be guaranteed.

At the very least i'd like assertions that m_data never exceeds the buffer

> Source/WebCore/css/CSSParser.cpp:7388
> +    return chr | 0x20;

Can you add an assertion that chr is in fact an ascii letter?

> Source/WebCore/css/CSSParser.cpp:7394
> +	   || (data[0] == '\\' && isCSSEscape(data[1]));

How do we guarantee data is at least 2 characters long?

> Source/WebCore/css/CSSParser.cpp:7430
> +	   } while (isASCIIHexDigit(*data) && --length);

I'd like assertions that data doesn't extend beyond the end of the buffer.

> Source/WebCore/css/CSSParser.cpp:7533
> +	   if (UNLIKELY(*m_data == quote)) {
> +	       // String parsing is done.
> +	       ++m_data;
> +	       return;
> +	   }

What happens if we have an unterminated string? afaict we just walk off the end
of the buffer.

More information about the webkit-reviews mailing list