Starred by 4 users
Status: Verified
Closed: May 2012
OS: All
Pri: 1
Type: Bug
Stack overflow in CSS parser caused by recursive stylesheet import
Project Member Reported by aarya@google.com, Apr 9 2012
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=34673062

Fuzzer: Crash_url

Crash Type: UNKNOWN
Crash Address: 0x7f8a988cc620
Crash State:
  - crash stack -
  cssyyparse
  WebCore::CSSParser::parseSheet
  WebCore::CSSStyleSheet::parseString
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=119736:119777

Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94PDNy0xxhmHTH4Wi4RCXmnYkDsR4-sZceT-LjB_awTv-psTP3vlCDG3KZAdldGLbbCBKdSYao_hK-qyvOBt3bpDSRCsuKKqOSQCxg2Nu7iD9TWitS1yCAZIiV73MbeT_Hr3Xbt1H7qnf3ptIDJzPtVrljQmA
 
Cc: lafo...@chromium.org kerz@chromium.org kareng@google.com mikelawther@chromium.org
Labels: ReleaseBlock-Stable
This is coming from the dremel crash url, hit by regular users. This is one of those stack overflows which will cause OOMs in the renderer and crash in weird places. This came in around the end of January (CSS parser change by Zoltan, zherczeg@webkit.org), which we suspect is when those OOMs started.
Comment 2 by kareng@google.com, Apr 9 2012
Labels: -Pri-2 Pri-1 Mstone-18
Owner: mikelawther@chromium.org
Status: Assigned
I see this says ReleaseBlock but not which milestone; since you mentioned Jan, I assume you meant M18, right? Mike, can we have someone look at this ASAP?
Owner: davidbarr@chromium.org
David - can you take a look? The linked repro does Aw Snap on 20.0.1096.1 canary (MacOS).

For convenience, here's the repro:

<base href="http://www.image-in-nation.com/"><link href="templates/Imagination.css" rel="stylesheet">

Preliminary investigation has it crashing when attempting to load in the linked stylesheet.
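What goes wrong in the repro above, as an added illustration that is not part of this bug report and not the WebKit fix: a resolver that follows every @import by plain recursion has no memory of the import chain, so a stylesheet that imports itself (directly, or a.css importing b.css which imports a.css again) recurses until the stack is gone, while a resolver that carries the chain of ancestor URLs can refuse the cycle. The stylesheet URLs, their contents, the MAX_IMPORT_DEPTH cap and all function names are constructed for this example; the in-memory SHEETS table stands in for network fetches.

```javascript
// Added example: toy CSS @import resolver, naive vs. checked. Everything
// below is constructed for illustration; nothing is fetched from the
// network or taken from the WebKit source.

// Constructed in-memory "server": absolute URL -> stylesheet text.
const SHEETS = {
  "https://example.test/a.css": '@import url("b.css");\nbody { color: red; }', // a -> b -> a
  "https://example.test/b.css": '@import "a.css";\np { margin: 0; }',
  "https://example.test/self.css": "@import url(self.css);\nh1 { font-weight: bold; }", // self-import
  "https://example.test/diamond.css": '@import url("leaf.css");\n@import url("leaf.css");\na { color: blue; }',
  "https://example.test/leaf.css": "em { font-style: italic; }",
};

function fetchSheet(url) {
  if (!(url in SHEETS)) throw new Error(`404: ${url}`);
  return SHEETS[url];
}

// Matches the two common forms: @import url("x"); and @import "x";
const IMPORT_RE = /@import\s+(?:url\(\s*["']?([^"')]+?)["']?\s*\)|["']([^"']+)["'])\s*[^;]*;/g;

// Import targets of a sheet, resolved against the importing sheet's URL.
function parseImports(cssText, baseUrl) {
  const hrefs = [];
  for (const m of cssText.matchAll(IMPORT_RE)) {
    hrefs.push(new URL(m[1] || m[2], baseUrl).href);
  }
  return hrefs;
}

// Non-import rules of a sheet, one whitespace-normalised string per rule.
function parseRules(cssText) {
  return cssText
    .replace(IMPORT_RE, "")
    .split("}")
    .map((r) => r.replace(/\s+/g, " ").trim())
    .filter(Boolean)
    .map((r) => r + " }");
}

// Naive resolver: recurse into every @import with no memory of how we got
// here. A sheet that imports itself, directly or via a chain, recurses
// until the engine runs out of stack (RangeError in V8).
function loadNaive(url) {
  const text = fetchSheet(url);
  const rules = [];
  for (const href of parseImports(text, url)) rules.push(...loadNaive(href));
  return rules.concat(parseRules(text));
}

// True when the naive resolver exhausts the stack on `url`.
function naiveOverflows(url) {
  try {
    loadNaive(url);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Assumed cap: a chain of distinct URLs is not a cycle but must still be bounded.
const MAX_IMPORT_DEPTH = 16;

// Checked resolver: `chain` holds the URLs of the sheets currently being
// imported, root first. An @import whose target is already in that chain is
// a cycle and is dropped; anything nested deeper than MAX_IMPORT_DEPTH is
// dropped too. Importing the same sheet from two different branches (a
// "diamond") is not a cycle and is still allowed.
function loadChecked(url, chain = []) {
  if (chain.includes(url)) return { rules: [], dropped: [`cycle: ${url}`] };
  if (chain.length >= MAX_IMPORT_DEPTH) return { rules: [], dropped: [`too deep: ${url}`] };
  const text = fetchSheet(url);
  const next = chain.concat(url);
  const out = { rules: [], dropped: [] };
  for (const href of parseImports(text, url)) {
    const sub = loadChecked(href, next);
    out.rules.push(...sub.rules);
    out.dropped.push(...sub.dropped);
  }
  out.rules.push(...parseRules(text));
  return out;
}

// Usage: the naive resolver dies on the a.css <-> b.css loop, the checked
// one returns the flattened rules plus what it refused.
console.log(naiveOverflows("https://example.test/a.css"));
console.log(loadChecked("https://example.test/a.css"));
```

The ancestor-chain check is per branch, so the diamond case (one sheet importing leaf.css twice) still resolves both imports; a global "already seen" set would drop the second one and change the cascade order. The depth cap is the separate guard against a long chain of distinct URLs, which is not a cycle but exhausts the stack just the same.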


Labels: WebKit-ID-83545
Opened upstream bug http://wkb.ug/83545 - Stack overflow in CSS parser caused by recursive stylesheet import.
Project Member Comment 5 by bugdroid1@chromium.org, Apr 10 2012
Labels: -WebKit-ID-83545 WebKit-ID-83545-ASSIGNED
https://bugs.webkit.org/show_bug.cgi?id=83545
Summary: Stack overflow in CSS parser caused by recursive stylesheet import (was: NULL)
Project Member Comment 7 by clusterf...@chromium.org, Apr 11 2012
ClusterFuzz has detected this issue as fixed in range 131591:131615.
Fixed: https://cluster-fuzz.appspot.com/revisions?range=131591:131615
Upstream fix due to land any moment now.
Given the ReleaseBlock-Stable tag, I presume we'll want to merge it toward stable.
One thing that might complicate that slightly is that there'll be a conflict, as WebCore::StyleSheetInternal::href() was renamed to originalURL() near ToT.
This conflict is resolved with a simple s/originalURL/href/ applied to the patch.
Project Member Comment 9 by bugdroid1@chromium.org, Apr 17 2012
Labels: -WebKit-ID-83545-ASSIGNED WebKit-ID-83545-RESOLVED WebKit-Rev-114350
https://bugs.webkit.org/show_bug.cgi?id=83545
http://trac.webkit.org/changeset/114350
The upstream fix has been rolled into Chromium, waiting for the next Canary build.
http://src.chromium.org/viewvc/chrome?view=rev&revision=132560
Labels: Merge-Requested
Verified in Canary:
Google Chrome: 20.0.1107.0 (Official Build 132742) canary
OS: Mac OS X
WebKit: 536.8 (@114377)

Landed in WebKit at r114350:
http://trac.webkit.org/changeset/114350
Labels: -Mstone-18 Mstone-19
Shall we start by merging to Beta, M19?
Comment 13 by laforge@google.com, Apr 19 2012
Labels: -Merge-Requested Merge-Approved
Comment 14 by hbono@chromium.org, Apr 20 2012
Labels: -Merge-Approved Merge-Merged
Greetings,

I have merged WebKit r114350 to Chrome 19 as listed in <http://trac.webkit.org/changeset/114710>.

Regards,

Hironori Bono
Manually verified in Chrome Beta:
Google Chrome: 19.0.1084.36 (Official Build 133841)
OS: Mac OS X
WebKit: 536.5 (@115069)
Labels: -Mstone-19 -Merge-Merged Mstone-18 Merge-Requested
Labels: -ReleaseBlock-Stable -Mstone-18 -Merge-Requested ReleaseBlock-Beta Mstone-19 Merge-Merged
Status: Verified
As discussed privately with kareng, impact of this bug in stable is low enough to defer to Beta and as such no merge to M18 is required.
Project Member Comment 18 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 19 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -Stability-AddressSanitizer -Mstone-19 Cr-Content M-19 Performance-Memory-AddressSanitizer
Project Member Comment 20 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 21 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 22 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink