[Webkit-unassigned] [Bug 22357] Crash when setting className from js

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 10 17:39:43 PST 2008 

https://bugs.webkit.org/show_bug.cgi?id=22357


gwilson at google.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #25932|                            |review?
               Flag|                            |




------- Comment #5 from gwilson at google.com  2008-12-10 17:39 PDT -------
Created an attachment (id=25932)
 --> (https://bugs.webkit.org/attachment.cgi?id=25932&action=view)
Potential patch for issue 22357

Here is a potential patch for this issue.

So it seems like this problem would arise when a css class is applied to an
element that has no mappedAttributes.

>From what I can tell, the issue arises in a difference in assertions between
line 640 of CSSStyleSelector and StyledElement::classNames().  Specifically,
when looking for styles to apply, CSSStyleSelector::matchRules checks that this
element has a class applied (hasClass) without checking that it has mapped
attributes set.  Typically, this isn't a problem, because the class attribute
is a mapped attribute itself!

But on line 642, when StyledElement::classNames() is called, the classNames()
method asserts that this element not only has a class set, but also has
mappedAttributes set.  This will fail (and crash) for elements that have the
class attribute set but no mappedAttributes.  In this repro case, it's an svg
ellipse created on the fly with Javascript.

So, to fix this, I added one additional check on line 640 that does not enter
this block if mappedAttributes is not set.  In essence, this changes
CSSStyleSelector::matchRules to check on the same values that
StyledElement::classNames does.

(Since m_styledElement is ASSERT'ed on the next line, it must be valid anyway,
so the call is being done early.  If anything, this makes the ASSERT on 641
redundant.  Let me know if this should be removed.)


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list