[Webkit-unassigned] [Bug 49055] New: getPropertyValue("background") causes crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 4 21:25:10 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=49055

           Summary: getPropertyValue("background") causes crash
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: max at terpstra.ca


Created an attachment (id=73032)
 --> (https://bugs.webkit.org/attachment.cgi?id=73032&action=review)
reduced test case - TRIGGERS CRASH WHEN OPENED

WebCore::CSSPrimitiveValue::getIdent() crashes WebKit when certain styling conditions are met.  This crash can be triggered by running `getPropertyValue("background")` on a CSSStyleDeclaration object in JavaScript, as long as that style declaration sets the `background` shorthand property with a minimum of two background image values and sets the `background-repeat` property to a maximum of one less value than set in the `background` property.  The actual values of the two properties do not seem to matter; the `background` shorthand may contain any kind of images/image functions, and may or may not specify background-repeat or other background values itself.  The source of the rule (style attribute, element, etc.) does not matter, but both properties must be set within a single rule declaration.

The crash can also be triggered by the Web Inspector trying to display said CSS rule in the style pane.

I have attached a test case which makes the bug easy to reproduce. Simply opening it will cause the crash.

Here's the top of my crash log:
  Process:         Safari [26168]
  Path:            /Applications/Safari.app/Contents/MacOS/Safari
  Identifier:      org.webkit.nightly.WebKit
  Version:         r71204 (71204)
  Code Type:       X86-64 (Native)
  Parent Process:  launchd [355]

  Date/Time:       2010-11-04 20:59:02.010 -0700
  OS Version:      Mac OS X 10.6.4 (10F569)
  Report Version:  6

  Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
  Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000000c
  Crashed Thread:  0  Dispatch queue: com.apple.main-thread

  Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
  0   com.apple.WebCore                 0x0000000100d65964 WebCore::CSSPrimitiveValue::getIdent() + 4
  1   com.apple.WebCore                 0x0000000100d4603a WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue(int const*, unsigned int) const + 1370
  2   com.apple.WebCore                 0x0000000100d47343 WebCore::CSSMutableStyleDeclaration::getPropertyValue(int) const + 1075
  3   com.apple.WebCore                 0x0000000100d74af0 WebCore::CSSStyleDeclaration::getPropertyValue(WTF::String const&) + 80

The next lines in the backtrace vary depending on how the bug is triggered (starting with either "WebCore::InspectorDOMAgent::shorthandValue(WebCore::CSSStyleDeclaration*, WTF::String const&) + 39", or "WebCore::jsCSSStyleDeclarationPrototypeFunctionGetPropertyValue(JSC::ExecState*) + 310")

This bug also affects release Safari 5.0.2 (6533.18.5).
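The trigger shape the report describes (two background-image layers, fewer background-repeat values) is exactly the case where a shorthand serializer that indexes every longhand list by layer number runs off the end of the shorter list. The following JavaScript is an added illustration, not code from the report or from WebKit: it models serializing the `background` shorthand from its longhands, with the direct-index approach beside the behaviour CSS Backgrounds Level 3 specifies (a layered longhand with fewer values than there are image layers is repeated until it has one value per layer). The longhand subset, the naive comma split (no commas inside functions), and the sample declaration are all constructed for the example.

```javascript
// Added example, not code from the bug report or from WebKit: a small model
// of how a layered shorthand such as `background` is serialized from its
// longhands. CSS Backgrounds Level 3: the layer count is the number of
// background-image values; any other layered longhand with fewer
// comma-separated values is repeated until it has one value per layer.

// Layered longhands contributing to each `background` layer (assumed subset;
// background-color applies only to the final layer and is left out).
const LAYERED_LONGHANDS = [
  "background-image",
  "background-repeat",
  "background-attachment",
  "background-position",
];

// Split a comma-separated longhand value into its per-layer list.
// Simplification: assumes no commas inside functional values.
function splitLayers(value) {
  return value.split(",").map((v) => v.trim()).filter((v) => v.length > 0);
}

// Collect the per-layer lists for the longhands present in the declaration.
function collectLists(decl) {
  const lists = {};
  for (const name of LAYERED_LONGHANDS) {
    if (typeof decl[name] === "string") lists[name] = splitLayers(decl[name]);
  }
  if (!lists["background-image"]) {
    throw new Error("background-image is required to define the layer count");
  }
  return lists;
}

// Models the failing pattern: each list is indexed directly by layer number,
// so a shorter list has no entry for the second and later layers (a null
// CSSValue in the C++ path). Throws instead of dereferencing the hole.
function serializeBackgroundUnsafe(decl) {
  const lists = collectLists(decl);
  const layerCount = lists["background-image"].length;
  const layers = [];
  for (let i = 0; i < layerCount; i++) {
    const parts = [];
    for (const name of Object.keys(lists)) {
      const v = lists[name][i];
      if (v === undefined) {
        throw new RangeError(`layer ${i}: no value for ${name} (null CSSValue in the buggy path)`);
      }
      parts.push(v);
    }
    layers.push(parts.join(" "));
  }
  return layers.join(", ");
}

// Per-spec serialization: a shorter list cycles, so index modulo its length.
function serializeBackgroundSafe(decl) {
  const lists = collectLists(decl);
  const layerCount = lists["background-image"].length;
  const layers = [];
  for (let i = 0; i < layerCount; i++) {
    const parts = [];
    for (const name of Object.keys(lists)) {
      const list = lists[name];
      parts.push(list[i % list.length]);
    }
    layers.push(parts.join(" "));
  }
  return layers.join(", ");
}

// Constructed sample with the report's trigger shape: two images, one repeat.
const SAMPLE_DECLARATION = {
  "background-image": "url(a.png), url(b.png)",
  "background-repeat": "no-repeat",
};

// Runs both serializers on the sample and reports what each produced.
function demo() {
  const safe = serializeBackgroundSafe(SAMPLE_DECLARATION);
  let unsafe;
  try {
    unsafe = serializeBackgroundUnsafe(SAMPLE_DECLARATION);
  } catch (e) {
    unsafe = `error: ${e.message}`;
  }
  return { safe, unsafe };
}

console.log(demo());
```

The crash address in the report, a read at 0x0c inside `getIdent()`, is consistent with the direct-index model: a small field offset applied to a null pointer. The cycling serializer never produces such a hole, because every layer index maps back into the shorter list.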
