[Webkit-unassigned] [Bug 49055] New: getPropertyValue("background") causes crash
bugzilla-daemon at webkit.org
Thu Nov 4 21:25:10 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=49055
Summary: getPropertyValue("background") causes crash
Product: WebKit
Version: 528+ (Nightly build)
Platform: Macintosh Intel
OS/Version: Mac OS X 10.6
Status: UNCONFIRMED
Severity: Major
Priority: P2
Component: New Bugs
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: max at terpstra.ca
Created an attachment (id=73032)
--> (https://bugs.webkit.org/attachment.cgi?id=73032&action=review)
reduced test case - TRIGGERS CRASH WHEN OPENED
WebCore::CSSPrimitiveValue::getIdent() crashes WebKit when certain styling conditions are met. The crash can be triggered by calling `getPropertyValue("background")` on a CSSStyleDeclaration object from JavaScript, as long as that style declaration sets the `background` shorthand property with at least two background image values and sets the `background-repeat` property to at most one fewer value than the `background` property has. The actual values of the two properties do not seem to matter: the `background` shorthand may contain any kind of images/image functions, and may or may not itself specify background-repeat or other background values. The source of the rule (style attribute, element, etc.) does not matter, but both properties must be set within a single rule declaration.
The crash can also be triggered by the Web Inspector trying to display said CSS rule in the style pane.
I have attached a test case which makes the bug easy to reproduce. Simply opening it will cause the crash.
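The layer-count mismatch described above, modelled as an added example that is not part of this bug report or of WebKit's code: a naive layered-shorthand serializer that fails in the way the report describes, beside a form that repeats the shorter list cyclically so no layer index runs past a value list. The names CssValue, serializeNaive, serializeSafe, naiveThrows and the sample declaration are assumptions made for the illustration.

```javascript
// Minimal model of a layered shorthand serializer (not WebKit's code).
// Each longhand carries one value per comma-separated layer, and the
// shorthand is rebuilt layer by layer, as getLayeredShorthandValue does.

// A CSS value exposing the accessor named in the crash log.
class CssValue {
  constructor(ident) { this.ident = ident; }
  getIdent() { return this.ident; }
}
const v = (s) => new CssValue(s);

// Naive serializer: indexes every longhand list at the current layer.
// When `background-repeat` has fewer values than `background-image`, the
// lookup past the end yields undefined and getIdent() is invoked on it:
// the JavaScript analogue of calling getIdent() on a null CSSPrimitiveValue.
function serializeNaive(longhands) {
  const layerCount = Math.max(...longhands.map((l) => l.values.length));
  const layers = [];
  for (let i = 0; i < layerCount; i++) {
    const parts = longhands.map((l) => l.values[i].getIdent());
    layers.push(parts.join(" "));
  }
  return layers.join(", ");
}

// Hardened serializer: a longhand shorter than the layer count is repeated
// cyclically (the CSS Backgrounds rule for lists that are too short), so
// every layer index resolves to a real value; an empty list is skipped.
function serializeSafe(longhands) {
  const layerCount = Math.max(...longhands.map((l) => l.values.length));
  const layers = [];
  for (let i = 0; i < layerCount; i++) {
    const parts = [];
    for (const { values } of longhands) {
      if (values.length === 0) continue;
      parts.push(values[i % values.length].getIdent());
    }
    layers.push(parts.join(" "));
  }
  return layers.join(", ");
}

// Constructed input matching the report's trigger: two background images,
// one background-repeat value (hypothetical sample, not the attachment).
const sample = [
  { name: "background-image", values: [v("url(a.png)"), v("url(b.png)")] },
  { name: "background-repeat", values: [v("no-repeat")] },
];

// Returns true when the naive path fails on the given declaration.
function naiveThrows(longhands) {
  try { serializeNaive(longhands); return false; } catch (e) { return e instanceof TypeError; }
}
```

Running serializeSafe(sample) yields "url(a.png) no-repeat, url(b.png) no-repeat", while serializeNaive(sample) throws on the second layer.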
Here's the top of my crash log:
Process: Safari [26168]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: org.webkit.nightly.WebKit
Version: r71204 (71204)
Code Type: X86-64 (Native)
Parent Process: launchd [355]
Date/Time: 2010-11-04 20:59:02.010 -0700
OS Version: Mac OS X 10.6.4 (10F569)
Report Version: 6
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000000c
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000100d65964 WebCore::CSSPrimitiveValue::getIdent() + 4
1 com.apple.WebCore 0x0000000100d4603a WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue(int const*, unsigned int) const + 1370
2 com.apple.WebCore 0x0000000100d47343 WebCore::CSSMutableStyleDeclaration::getPropertyValue(int) const + 1075
3 com.apple.WebCore 0x0000000100d74af0 WebCore::CSSStyleDeclaration::getPropertyValue(WTF::String const&) + 80
The next lines in the backtrace vary depending on how the bug is triggered (starting with either "WebCore::InspectorDOMAgent::shorthandValue(WebCore::CSSStyleDeclaration*, WTF::String const&) + 39", or "WebCore::jsCSSStyleDeclarationPrototypeFunctionGetPropertyValue(JSC::ExecState*) + 310")
This bug also affects release Safari 5.0.2 (6533.18.5).