[Webkit-unassigned] [Bug 68307] New: Crash in WebCore::CSSBorderImageValue::cssText

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 16 22:08:22 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=68307

           Summary: Crash in WebCore::CSSBorderImageValue::cssText
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: csilv at chromium.org
                CC: hyatt at apple.com


The following javascript snippit will lead to a crash in WebCore::CSSBorderImageValue::cssText:

  var el = document.getElementById('bar');
  el.style.WebkitMaskBoxImage = '-webkit-linear-gradient(red,green,blue)';
  console.log(el.style);

This is a regression that was introduced in r95099.  The problem with the above snippit is that we are not providing a 'slice' value.  Prior to r95099, CSSParser::parseBorderImage would always set a slice value if one was not provided.  With the recent changes, a default slice value is no longer set.  This will lead to a crash if CSSBorderImageValue::cssText() is called because it assumes m_imageSlice is valid.

The simple fix may simply be to change CSSBorderImageValue::cssText() as follows:

    // Now the slices.
    if (m_imageSlice)
        text += m_imageSlice->cssText();

(I am not certain if the above fix is complete or if there are other side effects that may occur due to CSSBorderImageValue lacking an image slice.)

Crash log:

Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000000 )

0x01350ab8     [Google Chrome Framework     - CSSBorderImageValue.cpp:50]    WebCore::CSSBorderImageValue::cssText
0x0139bb23     [Google Chrome Framework     - CSSProperty.cpp:32]    WebCore::CSSProperty::cssText
0x013745a7     [Google Chrome Framework     - CSSMutableStyleDeclaration.cpp:708]    WebCore::CSSMutableStyleDeclaration::cssText
0x0115459e     [Google Chrome Framework     - StyledElement.cpp:116]    WebCore::StyledElement::updateStyleAttribute
0x013e61b2     [Google Chrome Framework     - Element.h:480]    WebCore::SelectorChecker::checkOneSelector
0x013e5bf1     [Google Chrome Framework     - SelectorChecker.cpp:421]    WebCore::SelectorChecker::checkSelector
0x013cfc8f     [Google Chrome Framework     - CSSStyleSelector.cpp:1800]    WebCore::CSSStyleSelector::checkSelector
0x013b8bb3     [Google Chrome Framework     - CSSStyleSelector.cpp:606]    WebCore::CSSStyleSelector::matchRulesForList
0x013b88b4     [Google Chrome Framework     - CSSStyleSelector.cpp:536]    WebCore::CSSStyleSelector::matchRules
0x013b7199     [Google Chrome Framework     - CSSStyleSelector.cpp:1204]    WebCore::CSSStyleSelector::styleForElement
0x0111f3e5     [Google Chrome Framework     - Element.cpp:1055]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x0111f7f0     [Google Chrome Framework     - Element.cpp:1157]    WebCore::Element::recalcStyle
0x011052a9     [Google Chrome Framework     - Document.cpp:1568]    WebCore::Document::recalcStyle
0x01106038     [Google Chrome Framework     - Document.cpp:1625]    WebCore::Document::updateStyleIfNeeded
0x01106164     [Google Chrome Framework     - Document.cpp:1652]    WebCore::Document::updateLayout
0x01106257     [Google Chrome Framework     - Document.cpp:1688]    WebCore::Document::updateLayoutIgnorePendingStylesheets
0x0111c2bb     [Google Chrome Framework     - Element.cpp:347]    WebCore::Element::offsetHeight
0x0174056a     [Google Chrome Framework     - V8Element.cpp:93]    WebCore::ElementInternal::offsetHeightAttrGetter
0x00d1df3c     [Google Chrome Framework     - objects.cc:203]    v8::internal::Object::GetPropertyWithCallback
0x00d1dd38     [Google Chrome Framework     - objects.cc:583]    v8::internal::Object::GetProperty

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list