New issue
Advanced search Search tips

Issue 671484 link

Starred by 1 user
Status: Fixed
Owner:
timloh@chromium.org
Closed: Dec 2016
Cc:
style-bugs@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug



Sign in to add a comment

Crash when using initial value of registered custom property

Project Member Reported by alancutter@chromium.org, Dec 6 2016 
Chrome Version: 6c06fc0cfddfb60ae2ab0bb1ca88b2428db70c7c
Experimental web platform features are enabled.

Test case:
<div id="target" style="background: var(--pants);">pants</div>
<script>
CSS.registerProperty({
  name: '--pants',
  syntax: '<color>',
  initialValue: 'navy',
});
</script>

Stack trace:
Received signal 11 SEGV_MAPERR 000000000010
#0 0x7f9db8adc357 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#1 0x7f9dba7ec330 <unknown>
#2 0x7f9db4832a05 WTF::HashTable<>::lookup<>()
#3 0x7f9db4833c46 blink::StyleNonInheritedVariables::getVariable()
#4 0x7f9db3ebc47b blink::CSSVariableResolver::valueForCustomProperty()
#5 0x7f9db3ebcee7 blink::CSSVariableResolver::resolveVariableReference()
#6 0x7f9db3ebc30d blink::CSSVariableResolver::resolveTokenRange()
#7 0x7f9db3ebd6e7 blink::CSSVariableResolver::resolvePendingSubstitutions()
#8 0x7f9db3ebd51b blink::CSSVariableResolver::resolveVariableReferences()
#9 0x7f9db3edd3df blink::StyleBuilder::applyProperty()
#10 0x7f9db3ef2f6f blink::StyleResolver::applyProperties<>()
#11 0x7f9db3eea419 blink::StyleResolver::applyMatchedProperties<>()
#12 0x7f9db3eec6d0 blink::StyleResolver::applyMatchedStandardProperties()
#13 0x7f9db3ee8735 blink::StyleResolver::applyMatchedPropertiesAndCustomPropertyAnimations()
#14 0x7f9db3ee8051 blink::StyleResolver::styleForElement()

Comment 1 by alancutter@chromium.org, Dec 6 2016

Owner: timloh@chromium.org
Status: Assigned (was: Untriaged)
Adding "--pants: initial" prevents the crash.

Comment 2 by timloh@chromium.org, Dec 6 2016 

Probably just missing if (m_nonInheritedVariables) on line 56.

Comment 3 by mikelawther@chromium.org, Dec 6 2016

Labels: Stability-Crash
Project Member

Comment 4 by bugdroid1@chromium.org, Dec 7 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1bf1f4ca99b8ea3183c9aa358338e63d5de07b93

commit 1bf1f4ca99b8ea3183c9aa358338e63d5de07b93
Author: timloh <timloh@chromium.org>
Date: Wed Dec 07 06:45:16 2016

Fix crash when referencing a registered non-inherited custom property

This patch fixes a crash that occurs when a registered non-inherited
custom property is referenced on an element which doesn't explicitly
have any registered non-inherited custom properties set. The code was
missing a null-check for the non-inherited custom properties object.
Note that elsewhere in the file this is not needed as the object is
guaranteed to exist when we are resolving such properties.

BUG= 671484 

Review-Url: https://codereview.chromium.org/2552163002
Cr-Commit-Position: refs/heads/master@{#436880}

[add] https://crrev.com/1bf1f4ca99b8ea3183c9aa358338e63d5de07b93/third_party/WebKit/LayoutTests/custom-properties/registered-property-initial.html
[modify] https://crrev.com/1bf1f4ca99b8ea3183c9aa358338e63d5de07b93/third_party/WebKit/Source/core/css/resolver/CSSVariableResolver.cpp

Comment 5 by timloh@chromium.org, Dec 7 2016

Status: Fixed (was: Assigned)

Sign in to add a comment