[Webkit-unassigned] [Bug 20069] New: CSSPrimitiveValue::parserValue() returns deleted memory

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=20069

           Summary: CSSPrimitiveValue::parserValue() returns deleted memory
           Product: WebKit
           Version: 526+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: eric at webkit.org
                CC: hyatt at apple.com, mjs at apple.com


CSSParserValue CSSPrimitiveValue::parserValue() const:

        case CSS_IDENT: {
            value.id = m_value.ident;
            String name = valueOrPropertyName(m_value.ident);
            value.string.characters = const_cast<UChar*>(name.characters());
            value.string.length = name.length();
            break;
        }

This function returns the resulting "value" which has a weak pointer to the
UChar buffer which must have been freed when the String went out of scope.

I discovered this will trying to remove callers of StringImpl::characters()
(see bug 20065) so that we can play around with using different storage
techniques for StringImpl's data.


The only code which ever uses this is:
void CSSStyleSelector::addMatchedDeclaration(CSSMutableStyleDeclaration* decl)

Which I'm not sure what it even does.  It seems to be used for variable
resolution?  Maybe for dealing with inline styles?  Unclear.

Perhaps Hyatt can explain.  Once we know how this code is used, it should be
easy to produce a test case which will crash under MallocScribble.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.