Bug 13495 - REPRODUCIBLE CRASH: Referencing an undefined entity in an XHTML document
Summary: REPRODUCIBLE CRASH: Referencing an undefined entity in an XHTML document
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML
Version: 523.x (Safari 3)
Hardware: All All
Importance: P1 Critical
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-04-25 17:54 PDT by Matt Perry
Modified: 2007-04-26 12:42 PDT

See Also:


Attachments
testcase for crash (173 bytes, application/xhtml+xml)
2007-04-25 17:55 PDT, Matt Perry
no flags
patch with layout test (3.72 KB, patch)
2007-04-26 11:35 PDT, Matt Perry
ap: review+

Description Matt Perry 2007-04-25 17:54:27 PDT
If an xhtml document contains a reference to an undefined entity, the browser will crash in XMLTokenizer.cpp getEntityHandler:
        ent = getXHTMLEntity(name);
        ent->etype = XML_INTERNAL_GENERAL_ENTITY; // CRASH: ent is NULL

See attached test case.
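The crash path described above, as an added example that is not WebKit's code: a stand-in for the SAX getEntity callback with a small constructed XHTML entity table, showing the unchecked dereference beside a guarded form that hands NULL back to the parser (libxml2 then reports an undeclared entity instead of crashing). xhtml_entity_t, get_xhtml_entity, get_entity_unchecked, get_entity_checked and count_undefined_refs are assumed names for this illustration.

```c
/* Added example, not WebKit's code. xhtml_entity_t stands in for libxml2's
 * xmlEntity; the table below is a constructed subset of the XHTML entity set. */
#include <stddef.h>
#include <string.h>

enum { XML_INTERNAL_GENERAL_ENTITY = 1 }; /* local stand-in for the libxml2 enum */

typedef struct { const char *name; const char *value; int etype; } xhtml_entity_t;

/* Constructed sample; the real XHTML table is much larger. */
static xhtml_entity_t xhtml_entities[] = {
    { "nbsp", "\xC2\xA0", 0 }, { "copy", "\xC2\xA9", 0 }, { "euro", "\xE2\x82\xAC", 0 },
};

/* Like getXHTMLEntity(): NULL when the name is not a known XHTML entity. */
static xhtml_entity_t *get_xhtml_entity(const char *name) {
    for (size_t i = 0; i < sizeof xhtml_entities / sizeof *xhtml_entities; i++)
        if (strcmp(xhtml_entities[i].name, name) == 0) return &xhtml_entities[i];
    return NULL;
}

/* Shape of the crashing handler: the lookup result is used unconditionally. */
static xhtml_entity_t *get_entity_unchecked(const char *name) {
    xhtml_entity_t *ent = get_xhtml_entity(name);
    ent->etype = XML_INTERNAL_GENERAL_ENTITY; /* NULL dereference for an undefined name */
    return ent;
}

/* Guarded form: an undefined name yields NULL, which the parser treats as an
 * undeclared-entity error rather than a reason to dereference. */
static xhtml_entity_t *get_entity_checked(const char *name) {
    xhtml_entity_t *ent = get_xhtml_entity(name);
    if (!ent) return NULL;
    ent->etype = XML_INTERNAL_GENERAL_ENTITY;
    return ent;
}

/* Walk a document for &name; references, resolving each through the guarded
 * handler; returns how many refer to undefined entities (0 means none). */
static int count_undefined_refs(const char *doc) {
    int undefined = 0;
    for (const char *p = doc; (p = strchr(p, '&')) != NULL; p++) {
        const char *end = strchr(p + 1, ';');
        if (!end || end - p - 1 >= 32) continue; /* not a well-formed reference */
        char name[32];
        memcpy(name, p + 1, end - p - 1);
        name[end - p - 1] = '\0';
        if (name[0] == '#') { p = end; continue; } /* character reference, not an entity */
        if (!get_entity_checked(name)) undefined++;
        p = end;
    }
    return undefined;
}
```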
Comment 1 Matt Perry 2007-04-25 17:55:14 PDT
Created attachment 14192 [details]
testcase for crash
Comment 2 David Kilzer (:ddkilzer) 2007-04-25 21:03:05 PDT
Confirmed with a local debug build of WebKit r21103 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135).

Stack:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000030

Thread 0 Crashed:
0   com.apple.WebCore        	0x0103bd88 WebCore::getEntityHandler(void*, unsigned char const*) + 220 (XMLTokenizer.cpp:1089)
1   libxml2.2.dylib          	0x91d68784 xmlParseEntityRef + 208
2   libxml2.2.dylib          	0x91d68020 xmlParseReference + 324
3   libxml2.2.dylib          	0x91d6d704 xmlParseDocument + 4416
4   libxml2.2.dylib          	0x91d51c0c xmlParseChunk + 424
5   com.apple.WebCore        	0x010383ac WebCore::XMLTokenizer::write(WebCore::SegmentedString const&, bool) + 416 (XMLTokenizer.cpp:569)
6   com.apple.WebCore        	0x0149364c WebCore::FrameLoader::write(char const*, int, bool) + 1212 (FrameLoader.cpp:929)
7   com.apple.WebCore        	0x014937b8 WebCore::FrameLoader::addData(char const*, int) + 320 (FrameLoader.cpp:1608)
8   com.apple.WebCore        	0x0111b0a4 -[WebCoreFrameBridge addData:] + 232 (WebCoreFrameBridge.mm:291)
9   com.apple.WebCore        	0x0111fd54 -[WebCoreFrameBridge receivedData:textEncodingName:] + 316 (WebCoreFrameBridge.mm:1477)
10  com.apple.WebKit         	0x0034396c -[WebHTMLRepresentation receivedData:withDataSource:] + 296 (WebHTMLRepresentation.mm:175)
11  com.apple.WebKit         	0x0033cc34 -[WebDataSource(WebInternal) _receivedData:] + 116 (WebDataSource.mm:178)
12  com.apple.WebKit         	0x003c6ab8 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 184
13  com.apple.WebCore        	0x0148f204 WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 92 (FrameLoader.cpp:3021)
14  com.apple.WebCore        	0x014a4290 WebCore::DocumentLoader::commitLoad(char const*, int) + 104 (DocumentLoader.cpp:347)
15  com.apple.WebCore        	0x014a4318 WebCore::DocumentLoader::receivedData(char const*, int) + 104 (DocumentLoader.cpp:360)
16  com.apple.WebCore        	0x0148df54 WebCore::FrameLoader::receivedData(char const*, int) + 60 (FrameLoader.cpp:2044)
17  com.apple.WebCore        	0x014a62ec WebCore::MainResourceLoader::addData(char const*, int, bool) + 92 (MainResourceLoader.cpp:134)
18  com.apple.WebCore        	0x014a8e08 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 104
19  com.apple.WebCore        	0x014a6698 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 288 (MainResourceLoader.cpp:289)
20  com.apple.WebCore        	0x014a877c WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 108
21  com.apple.WebCore        	0x0147dbbc -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 240 (ResourceHandleMac.mm:352)
22  com.apple.Foundation     	0x92c15624 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
23  com.apple.Foundation     	0x92c13ac4 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
24  com.apple.Foundation     	0x92c13860 _sendCallbacks + 156
25  com.apple.CoreFoundation 	0x907df4fc __CFRunLoopDoSources0 + 384
26  com.apple.CoreFoundation 	0x907dea2c __CFRunLoopRun + 452
27  com.apple.CoreFoundation 	0x907de4ac CFRunLoopRunSpecific + 268
28  com.apple.HIToolbox      	0x9329bb20 RunCurrentEventLoopInMode + 264
29  com.apple.HIToolbox      	0x9329b1b4 ReceiveNextEventCommon + 380
30  com.apple.HIToolbox      	0x9329b020 BlockUntilNextEventMatchingListInMode + 96
31  com.apple.AppKit         	0x937a1ae4 _DPSNextEvent + 384
32  com.apple.AppKit         	0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
33  com.apple.Safari         	0x00006740 0x1000 + 22336
34  com.apple.AppKit         	0x9379dcec -[NSApplication run] + 472
35  com.apple.AppKit         	0x9388e87c NSApplicationMain + 452
36  com.apple.Safari         	0x0005c77c 0x1000 + 374652
37  com.apple.Safari         	0x0005c624 0x1000 + 374308

Comment 3 Matt Perry 2007-04-26 11:35:46 PDT
Created attachment 14206 [details]
patch with layout test
Comment 4 Alexey Proskuryakov 2007-04-26 12:09:26 PDT
Comment on attachment 14206 [details]
patch with layout test

r=me

Two comments:
- the test should go to fast/parser, as dom/ is for imported W3C tests;
- I'd prefer the test to be a text one, and not to display the error.

Going to fix these when landing the patch.
Comment 5 Alexey Proskuryakov 2007-04-26 12:42:40 PDT
Committed revision 21118.