Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash...
authorjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Nov 2015 05:35:35 +0000 (05:35 +0000)
committerjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Nov 2015 05:35:35 +0000 (05:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=150211
<rdar://problem/23137321>

Reviewed by Alex Christensen.

Source/WebCore:

This is a merge of Blink r188842:
https://codereview.chromium.org/846933002

Setting the backgroundRepeatY property to null can cause the lookup of
that CSS value to return a null pointer.
In that case simply bail out early.

Test: fast/css/background-repeat-null-y-crash.html

* css/StyleProperties.cpp:
(WebCore::StyleProperties::getLayeredShorthandValue):

LayoutTests:

* fast/css/background-repeat-null-y-crash-expected.txt: Added.
* fast/css/background-repeat-null-y-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191938 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/background-repeat-null-y-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/background-repeat-null-y-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/StyleProperties.cpp

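--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2015-11-02  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=150211
+        <rdar://problem/23137321>
+
+        Reviewed by Alex Christensen.
+
+        * fast/css/background-repeat-null-y-crash-expected.txt: Added.
+        * fast/css/background-repeat-null-y-crash.html: Added.
+
 2015-11-02  Michael Saboff  <msaboff@apple.com>
 
         WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading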
diff --git a/LayoutTests/fast/css/background-repeat-null-y-crash-expected.txt b/LayoutTests/fast/css/background-repeat-null-y-crash-expected.txt
new file mode 100644 (file)
index 0000000..f758dc8
--- /dev/null
@@ -0,0 +1 @@
+PASS, WebKit didn't crash.
diff --git a/LayoutTests/fast/css/background-repeat-null-y-crash.html b/LayoutTests/fast/css/background-repeat-null-y-crash.html
new file mode 100644 (file)
index 0000000..53878ef
--- /dev/null
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<body>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    document.body.style.backgroundRepeat  = 'repeat';
+    document.body.style.backgroundRepeatY = '';
+    var tmp = document.body.style.background;
+    document.write("PASS, WebKit didn't crash.")
+</script>
+</body>
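--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2015-11-02  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=150211
+        <rdar://problem/23137321>
+
+        Reviewed by Alex Christensen.
+
+        This is a merge of Blink r188842:
+        https://codereview.chromium.org/846933002
+
+        By setting the backgroundRepeatY property to null it can
+        happen that accessing that CSS value returns a null pointer.
+        In that case simply bail out early.
+
+        Test: fast/css/background-repeat-null-y-crash.html
+
+        * css/StyleProperties.cpp:
+        (WebCore::StyleProperties::getLayeredShorthandValue):
+
 2015-11-02  Myles C. Maxfield  <mmaxfield@apple.com>
 
         [Vertical Writing Mode] Rename "vertical-right" CSS value to match spec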
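--- a/Source/WebCore/css/StyleProperties.cpp
+++ b/Source/WebCore/css/StyleProperties.cpp
@@ -431,27 +431,29 @@ String StyleProperties::getLayeredShorthandValue(const StylePropertyShorthand& s
                     || (j < size - 1 && shorthand.properties()[j + 1] == CSSPropertyWebkitMaskRepeatY && value)) {
                     RefPtr<CSSValue> yValue;
                     RefPtr<CSSValue> nextValue = values[j + 1];
-                    if (is<CSSValueList>(*nextValue))
-                        yValue = downcast<CSSValueList>(*nextValue).itemWithoutBoundsCheck(i);
-                    else
-                        yValue = nextValue;
+                    if (nextValue) {
+                        if (is<CSSValueList>(*nextValue))
+                            yValue = downcast<CSSValueList>(*nextValue).itemWithoutBoundsCheck(i);
+                        else
+                            yValue = nextValue;
 
-                    if (!is<CSSPrimitiveValue>(*value) || !is<CSSPrimitiveValue>(*yValue))
-                        continue;
+                        if (!is<CSSPrimitiveValue>(*value) || !is<CSSPrimitiveValue>(*yValue))
+                            continue;
 
-                    CSSValueID xId = downcast<CSSPrimitiveValue>(*value).getValueID();
-                    CSSValueID yId = downcast<CSSPrimitiveValue>(*yValue).getValueID();
-                    if (xId != yId) {
-                        if (xId == CSSValueRepeat && yId == CSSValueNoRepeat) {
-                            useRepeatXShorthand = true;
+                        CSSValueID xId = downcast<CSSPrimitiveValue>(*value).getValueID();
+                        CSSValueID yId = downcast<CSSPrimitiveValue>(*yValue).getValueID();
+                        if (xId != yId) {
+                            if (xId == CSSValueRepeat && yId == CSSValueNoRepeat) {
+                                useRepeatXShorthand = true;
+                                ++j;
+                            } else if (xId == CSSValueNoRepeat && yId == CSSValueRepeat) {
+                                useRepeatYShorthand = true;
+                                continue;
+                            }
+                        } else {
+                            useSingleWordShorthand = true;
                             ++j;
-                        } else if (xId == CSSValueNoRepeat && yId == CSSValueRepeat) {
-                            useRepeatYShorthand = true;
-                            continue;
                         }
-                    } else {
-                        useSingleWordShorthand = true;
-                        ++j;
                     }
                 }
             }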
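Review bot: The new `if (nextValue)` guard removes the null dereference, but the code does not "bail out early" as the ChangeLog states: when `nextValue` is null, `yValue` stays null, none of the repeat-shorthand flags set inside the guarded block are touched, and control falls out of the block to whatever the loop body does next, which is outside this hunk. A comment above the guard, e.g. `// backgroundRepeatY may be absent (cleared via CSSOM); with no y value there is no x/y pair to fold, so leave the shorthand flags alone.`, would record that intent for the next reader. Separately, `itemWithoutBoundsCheck(i)` on the new line still indexes the y list with a layer index computed outside this hunk, so the subsequent `*yValue` dereference is only safe if that list has at least `i + 1` entries; worth confirming against the loop header above, or switching to a bounds-checked accessor that returns null and letting the existing `is<CSSPrimitiveValue>` test reject it. The enclosing getLayeredShorthandValue body starts and ends outside this hunk.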