RESOLVED FIXED 7137
Crash if <table> is removed from DOM while being parsed if it contains bogus content
https://bugs.webkit.org/show_bug.cgi?id=7137
Ian 'Hixie' Hickson
Reported 2006-02-07 13:48:38 PST
STEPS TO REPRODUCE
1. <table>
2. Remove the table from the DOM.
3. <div> (bogus element in this context, parser tries to move it outside the table)

ACTUAL RESULTS
Crash.

EXPECTED RESULTS
Content should be placed where the table used to be in the DOM. I'm not yet sure exactly what this means if other content is moved around in the DOM. I think if the <table> is no longer inside its original parent, then it should just append the bogus content to the parent.
Attachments
Fixes crash (3.47 KB, patch)
2006-04-25 01:44 PDT, Eric Seidel (no email)
mjs: review+
Alexey Proskuryakov
Comment 1 2006-04-24 21:31:26 PDT
Reproducible crash -> P1.

Thread 0 Crashed:
0 com.apple.WebCore 0x01b4c778 WebCore::TreeShared<WebCore::Node>::parent() const + 20 (Shared.h:57)
1 com.apple.WebCore 0x01b4c7b0 WebCore::Node::parentNode() const + 36 (Node.h:89)
2 com.apple.WebCore 0x017a9a20 WebCore::HTMLParser::handleError(WebCore::Node*, bool, WebCore::AtomicString const&, int) + 6404 (HTMLParser.cpp:490)
3 com.apple.WebCore 0x017aa760 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 912 (HTMLParser.cpp:281)
4 com.apple.WebCore 0x017ac178 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1388 (HTMLParser.cpp:208)
5 com.apple.WebCore 0x017b006c WebCore::HTMLTokenizer::processToken() + 564 (HTMLTokenizer.cpp:1628)
6 com.apple.WebCore 0x017b37c0 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7376 (HTMLTokenizer.cpp:1206)
7 com.apple.WebCore 0x017b43ec WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1744 (HTMLTokenizer.cpp:1432)
8 com.apple.WebCore 0x018a1728 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:654)
Eric Seidel (no email)
Comment 2 2006-04-25 01:44:09 PDT
Thanks for the bug. I chose not to make it match your test case for now (since both Firefox and IE fail your test), but I did fix the crash.
Eric Seidel (no email)
Comment 3 2006-04-25 01:44:39 PDT
Created attachment 7953: Fixes crash
Maciej Stachowiak
Comment 4 2006-04-25 01:46:06 PDT
Comment on attachment 7953: Fixes crash
r=me
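Added example, not part of the bug thread and not the code in attachment 7953: a toy model of the null-safe placement the reporter asks for, following the foster-parenting rule the HTML Standard later specified (insert before the table if it still has a parent, otherwise append to the element opened just before it). The `Node` type and the `detach`, `insertBefore` and `fosterParent` helpers are hypothetical names, not WebCore APIs.

```cpp
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

// Toy DOM node (hypothetical, not WebCore::Node).
struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<Node*> children;
    explicit Node(std::string n) : name(std::move(n)) {}
};

void detach(Node* n) {
    if (!n->parent) return;
    auto& c = n->parent->children;
    c.erase(std::remove(c.begin(), c.end(), n), c.end());
    n->parent = nullptr;
}

// Inserts child before ref; if ref is not a child of parent (or is null), appends.
void insertBefore(Node* parent, Node* child, Node* ref) {
    detach(child);
    auto& c = parent->children;
    c.insert(std::find(c.begin(), c.end(), ref), child);
    child->parent = parent;
}

// Places content that is not allowed inside <table>. openElements is the parser's
// stack of open elements, bottom first. Returns the node that received the child.
Node* fosterParent(const std::vector<Node*>& openElements, Node* table, Node* child) {
    if (Node* p = table->parent) {       // table still attached: insert just before it
        insertBefore(p, child, table);
        return p;
    }
    // Table was removed by script mid-parse: do not walk up from table->parent.
    auto it = std::find(openElements.begin(), openElements.end(), table);
    if (it == openElements.begin() || it == openElements.end()) return nullptr;
    Node* prev = *(it - 1);              // element opened just before the table
    insertBefore(prev, child, nullptr);  // null ref is never found, so this appends
    return prev;
}

int main() {  // constructed sample: <body><table>, table removed before <div> arrives
    Node body("body"), table("table"), div("div");
    insertBefore(&body, &table, nullptr);
    detach(&table);
    return fosterParent({&body, &table}, &table, &div) == &body ? 0 : 1;
}
```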