25694 2009-05-11 08:09:47 -0700 Crash in HTMLParser::createHead() when writing a <body> into a detached node 2009-05-12 09:23:37 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC Windows Vista RESOLVED FIXED http://skypher.com/SkyLined/Repro/WebKit/Bug%2025694%20-%20HTMLParsercreateHead()%20ASSERT/repro.html GoogleBug, Regression P1 Normal --- 1 skylined ap eric skylined oldest_to_newest 120664 0 skylined 2009-05-11 08:09:47 -0700 The following code seems to destroy the "Document" element and then cause the code to access it regardless, causing a NULL ptr. This is detected by an ASSERT in debug builds. <SCRIPT> setTimeout(function () { node = document.createElement("M"); document.open(); node.innerHTML = "<body>"; }, 1); </SCRIPT> 120665 1 skylined 2009-05-11 08:11:53 -0700 Here's some info from my FuzzFramework: CdbFatalExceptionInfo(ReadAV [NULL]@chrome!WebCore::HTMLParser::createHead+0xeb (Stack:WebCore::HTMLParser::createHead+0xEB,WebCore::HTMLParser::bodyCreateErrorCheck+0x14,WebCore::HTMLParser::getNode+0xE74,WebCore::HTMLParser::parseToken+0x21D,WebCore::HTMLTokenizer::processToken+0x13B,WebCore::HTMLTokenizer::parseTag+0x1056,WebCore::HTMLTokenizer::write+0x40E,WebCore::parseHTMLDocumentFragment+0x50,WebCore::HTMLElement::createContextualFragment+0xC2,WebCore::HTMLElement::setInnerHTML+0x17,WebCore::HTMLElementInternal::innerHTMLAttrSetter+0x51,v8::internal::JSObject::SetPropertyWithCallback+0x205,v8::internal::JSObject::SetProperty+0x233,v8::internal::JSObject::SetProperty+0x3C,v8::internal::StoreIC::Store+0x138,v8::internal::StoreIC_Miss+0x6D,v8::internal::Invoke+0x81,v8::internal::Execution::Call+0x25,v8::Function::Call+0x8C,WebCore::V8Proxy::CallFunction+0x34,WebCore::ScheduledAction::execute+0x9A,WebCore::DOMTimer::fired+0x81,WebCore::ThreadTimers::fireTimers+0x74,WebCore::ThreadTimers::sharedTimerFiredInternal+0x4F,MessageLoop::RunTask+0x7E,MessageLoop::DoWork+0x1EA,base::MessagePumpDefault::Run+0x111,MessageLoop::RunInternal+0xB7,MessageLoop::RunHandler+0xA0,MessageLoop::Run+0x3D,base::Thread::ThreadMain+0x8A,`anonymous namespace'::ThreadFunc+0xD,BaseThreadInitThunk+0x12,RtlInitializeExceptionChain+0x63,RtlInitializeExceptionChain+0x36)) (18% reproducable after 11 attempts, reducing) Attempt to read from a NULL pointer, instruction: 6a29f4ab 8b01 mov eax,dword ptr [ecx] Registers: eax=032ca040 ebx=00000000 ecx=00000000 edx=01f8e918 esi=032cad40 edi=016e7000 esp=01f8e918 ebp=01f8e938 eip=6a29f4ab Stack: ChildEBP RetAddr 01f8e938 6a2a15e4 chrome_69bb0000!WebCore::HTMLParser::createHead(void)+0xeb 01f8e940 6a2a2a84 chrome_69bb0000!WebCore::HTMLParser::bodyCreateErrorCheck(struct WebCore::Token * __formal = 0x01f8e9c0, class WTF::RefPtr<WebCore::Node> * __formal = 0x016dde20)+0x14 01f8e98c 6a2a2e0d chrome_69bb0000!WebCore::HTMLParser::getNode(struct WebCore::Token * t = 0x016dde20)+0xe74 01f8e9b4 6a1ced2b chrome_69bb0000!WebCore::HTMLParser::parseToken(struct WebCore::Token * t = 0x01f8ebb8)+0x21d 01f8e9d8 6a1d26d6 chrome_69bb0000!WebCore::HTMLTokenizer::processToken(void)+0x13b 01f8eacc 6a1d2e5e chrome_69bb0000!WebCore::HTMLTokenizer::parseTag(class WebCore::SegmentedString * src = 0x00000000, class WebCore::HTMLTokenizer::State state = class WebCore::HTMLTokenizer::State)+0x1056 01f8eb60 6a1d3050 chrome_69bb0000!WebCore::HTMLTokenizer::write(class WebCore::SegmentedString * str = 0x01f8eb74, bool appendData = true)+0x40e 01f8f53c 6a0b0e52 chrome_69bb0000!WebCore::parseHTMLDocumentFragment(class WebCore::String * source = 0x01f8f5b0, class WebCore::DocumentFragment * fragment = 0x032e04b0)+0x50 01f8f568 6a0b11c7 chrome_69bb0000!WebCore::HTMLElement::createContextualFragment(class WebCore::String * html = 0x01f8f5b0)+0xc2 01f8f584 6a303b91 chrome_69bb0000!WebCore::HTMLElement::setInnerHTML(class WebCore::String * html = 0x01f8f5b0, int * ec = 0x01f8f59c)+0x17 01f8f5a0 6a3aede5 chrome_69bb0000!WebCore::HTMLElementInternal::innerHTMLAttrSetter(class v8::Local<v8::String> name = class v8::Local<v8::String>, class v8::Local<v8::Value> value = class v8::Local<v8::Value>, class v8::AccessorInfo * info = 0x032df840)+0x51 01f8f5e0 6a3bac73 chrome_69bb0000!v8::internal::JSObject::SetPropertyWithCallback(class v8::internal::Object * structure = 0x029d5e8d, class v8::internal::String * name = 0x029c8135, class v8::internal::Object * value = 0x02e93ec0, class v8::internal::JSObject * holder = 0x0287b159)+0x205 01f8f618 6a3bb3ec chrome_69bb0000!v8::internal::JSObject::SetProperty(class v8::internal::LookupResult * result = <Memory access error>, class v8::internal::String * name = <Memory access error>, class v8::internal::Object * value = <Memory access error>, PropertyAttributes attributes = <Memory access error>)+0x233 01f8f648 6a423138 chrome_69bb0000!v8::internal::JSObject::SetProperty(class v8::internal::String * name = 0x029d5e8d, class v8::internal::Object * value = 0x029a0849, PropertyAttributes attributes = 43649097 (No matching enumerant))+0x3c 01f8f688 6a42357d chrome_69bb0000!v8::internal::StoreIC::Store(v8::internal::InlineCacheState state = 43867789 (No matching enumerant), class v8::internal::Handle<v8::internal::Object> object = class v8::internal::Handle<v8::internal::Object>, class v8::internal::Handle<v8::internal::String> name = class v8::internal::Handle<v8::internal::String>, class v8::internal::Handle<v8::internal::Object> value = class v8::internal::Handle<v8::internal::Object>)+0x138 01f8f79c 6a3c1fb1 chrome_69bb0000!v8::internal::StoreIC_Miss(class v8::internal::Arguments args = class v8::internal::Arguments)+0x6d 01f8f7d8 6a3c2095 chrome_69bb0000!v8::internal::Invoke(bool construct = true, class v8::internal::Handle<v8::internal::JSFunction> func = class v8::internal::Handle<v8::internal::JSFunction>, class v8::internal::Handle<v8::internal::Object> receiver = class v8::internal::Handle<v8::internal::Object>, int argc = 43649097, class v8::internal::Object *** args = 0x029a0849, bool * has_pending_exception = 0x029c8135)+0x81 01f8f7f8 6a39ed4c chrome_69bb0000!v8::internal::Execution::Call(class v8::internal::Handle<v8::internal::JSFunction> func = class v8::internal::Handle<v8::internal::JSFunction>, class v8::internal::Handle<v8::internal::Object> receiver = class v8::internal::Handle<v8::internal::Object>, int argc = 24436740, class v8::internal::Object *** args = 0x00000000, bool * pending_exception = 0x00000000)+0x25 01f8f830 6a0d9ae4 chrome_69bb0000!v8::Function::Call(class v8::Handle<v8::Object> recv = class v8::Handle<v8::Object>, int argc = 53344448, class v8::Handle<v8::Value> * argv = 0x0174e004)+0x8c 01f8f850 6a2120ca chrome_69bb0000!WebCore::V8Proxy::CallFunction(class v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, class v8::Handle<v8::Object> receiver = class v8::Handle<v8::Object>, int argc = 0, class v8::Handle<v8::Value> * args = 0x00000000)+0x34 01f8f894 6a1a1531 chrome_69bb0000!WebCore::ScheduledAction::execute(class WebCore::ScriptExecutionContext * context = 0x0174e004)+0x9a 01f8f8a8 6a20ec94 chrome_69bb0000!WebCore::DOMTimer::fired(void)+0x81 01f8f8c8 6a20ed8f chrome_69bb0000!WebCore::ThreadTimers::fireTimers(double fireTime = 1241871163.5501339, class WTF::Vector<WebCore::TimerBase *,0> * firingTimers = 0x01f8f8e4)+0x74 01f8f8f8 69bcd51e chrome_69bb0000!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0x4f 01f8f99c 69bce59a chrome_69bb0000!MessageLoop::RunTask(class Task * task = 0x032dd740)+0x7e 01f8f9ec 69be2751 chrome_69bb0000!MessageLoop::DoWork(void)+0x1ea 01f8fa9c 69bcdb27 chrome_69bb0000!base::MessagePumpDefault::Run(class base::MessagePump::Delegate * delegate = 0x01f8fba4)+0x111 01f8fb40 69bcdf50 chrome_69bb0000!MessageLoop::RunInternal(void)+0xb7 01f8fb74 69bce25d chrome_69bb0000!MessageLoop::RunHandler(void)+0xa0 01f8fb90 6a0246fa chrome_69bb0000!MessageLoop::Run(void)+0x3d 01f8fc60 69bd699d chrome_69bb0000!base::Thread::ThreadMain(void)+0x8a 01f8fc68 76884911 chrome_69bb0000!`anonymous namespace'::ThreadFunc(void * closure = 0x016d800c)+0xd WARNING: Stack unwind information not available. Following frames may be wrong. 01f8fc74 778ee4b6 kernel32!BaseThreadInitThunk+0x12 01f8fcb4 778ee489 ntdll!RtlInitializeExceptionChain+0x63 01f8fccc 00000000 ntdll!RtlInitializeExceptionChain+0x36 120821 2 ap 2009-05-12 03:25:47 -0700 Likely caused by my recent change to insert <head> automagically. 120832 3 30225 ap 2009-05-12 06:31:17 -0700 Created attachment 30225 proposed fix 120835 4 eric 2009-05-12 06:52:52 -0700 I wonder how related this is to bug 25567? 120837 5 ap 2009-05-12 07:05:47 -0700 It's not related - that one isn't even a regression from 3.2.1. 120841 6 30225 darin 2009-05-12 07:34:27 -0700 Comment on attachment 30225 proposed fix A simpler test for parsing a fragment is m_isParsingFragment -- is there a reason you're not doing that? r=me 120874 7 ap 2009-05-12 09:23:37 -0700 No, there wasn't any reason - changed to use m_isParsingFragment. Committed <http://trac.webkit.org/changeset/43568>. 30225 2009-05-12 06:31:17 -0700 2009-05-12 07:34:27 -0700 proposed fix ImplicitHeadInFragment.txt text/plain 4088 ap SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0MzU2NSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTYgQEAKKzIwMDktMDUtMTIgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEB3ZWJr aXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yNTY5NAorICAgICAgICBI VE1MUGFyc2VyOjpjcmVhdGVIZWFkKCkgQVNTRVJUOiBDcmVhdGluZyBhbiBlbGVtZW50LCBjYWxs aW5nICBkb2N1bWVudC5vcGVuKCkgYW5kIHdyaXRpbmcKKyAgICAgICAgdG8gdGhlIGRvY3VtZW50 IE5VTEwgcHRyCisKKyAgICAgICAgVGVzdDogZmFzdC9wYXJzZXIvaW1wbGljaXQtaGVhZC1pbi1m cmFnbWVudC1jcmFzaC5odG1sCisKKyAgICAgICAgKiBodG1sL0hUTUxQYXJzZXIuY3BwOiAoV2Vi Q29yZTo6SFRNTFBhcnNlcjo6Ym9keUNyZWF0ZUVycm9yQ2hlY2spOiBEbyBub3QgdHJ5IHRvIGlt cGxpY2l0bHkKKyAgICAgICAgY3JlYXRlIDxoZWFkPiB3aGVuIHBhcnNpbmcgYSBmcmFnbWVudC4K KwogMjAwOS0wNS0xMSAgWWFlbCBBaGFyb24gIDx5YWVsLmFoYXJvbkBub2tpYS5jb20+CiAKICAg ICAgICAgUmV2aWV3ZWQgYnkgSG9sZ2VyIEZyZXl0aGVyLgpJbmRleDogV2ViQ29yZS9odG1sL0hU TUxQYXJzZXIuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvaHRtbC9IVE1MUGFyc2VyLmNwcAko cmV2aXNpb24gNDM1NjApCisrKyBXZWJDb3JlL2h0bWwvSFRNTFBhcnNlci5jcHAJKHdvcmtpbmcg Y29weSkKQEAgLTcxNyw5ICs3MTcsOSBAQCBib29sIEhUTUxQYXJzZXI6OmJvZHlDcmVhdGVFcnJv ckNoZWNrKFRvCiAgICAgaWYgKG1faGF2ZUZyYW1lU2V0KQogICAgICAgICByZXR1cm4gZmFsc2U7 CiAgICAgCi0gICAgLy8gRW5zdXJlIHRoYXQgaGVhZCBleGlzdHMuCisgICAgLy8gRW5zdXJlIHRo YXQgaGVhZCBleGlzdHMgKHVubGVzcyBwYXJzaW5nIGEgZnJhZ21lbnQpLgogICAgIC8vIEJ1dCBu b3QgZm9yIG9sZGVyIHZlcnNpb25zIG9mIE1haWwsIHdoZXJlIHRoZSBpbXBsaWNpdCA8aGVhZD4g aXNuJ3QgZXhwZWN0ZWQgLSA8cmRhcjovL3Byb2JsZW0vNjg2Mzc5NT4KLSAgICBpZiAoc2hvdWxk Q3JlYXRlSW1wbGljaXRIZWFkKG1fZG9jdW1lbnQpKQorICAgIGlmICgobV9jdXJyZW50ID09IG1f ZG9jdW1lbnQgfHwgbV9jdXJyZW50ID09IG1fZG9jdW1lbnQtPmRvY3VtZW50RWxlbWVudCgpKSAm JiBzaG91bGRDcmVhdGVJbXBsaWNpdEhlYWQobV9kb2N1bWVudCkpCiAgICAgICAgIGNyZWF0ZUhl YWQoKTsKICAgICAKICAgICBwb3BCbG9jayhoZWFkVGFnKTsKSW5kZXg6IExheW91dFRlc3RzL0No YW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHJldmlzaW9uIDQz NTY1KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEs MTQgQEAKKzIwMDktMDUtMTIgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEB3ZWJraXQub3JnPgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yNTY5NAorICAgICAgICBIVE1MUGFyc2Vy OjpjcmVhdGVIZWFkKCkgQVNTRVJUOiBDcmVhdGluZyBhbiBlbGVtZW50LCBjYWxsaW5nICBkb2N1 bWVudC5vcGVuKCkgYW5kIHdyaXRpbmcKKyAgICAgICAgdG8gdGhlIGRvY3VtZW50IE5VTEwgcHRy CisKKyAgICAgICAgKiBmYXN0L3BhcnNlci9pbXBsaWNpdC1oZWFkLWluLWZyYWdtZW50LWNyYXNo LWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFzdC9wYXJzZXIvaW1wbGljaXQtaGVh ZC1pbi1mcmFnbWVudC1jcmFzaC5odG1sOiBBZGRlZC4KKwogMjAwOS0wNS0xMiAgQXJpeWEgSGlk YXlhdCAgPGFyaXlhLmhpZGF5YXRAbm9raWEuY29tPgogCiAgICAgICAgIFJ1YmJlci1zdGFtcGVk IGJ5IFNpbW9uIEhhdXNtYW5uLgpJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9wYXJzZXIvaW1wbGlj aXQtaGVhZC1pbi1mcmFnbWVudC1jcmFzaC1leHBlY3RlZC50eHQKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5 b3V0VGVzdHMvZmFzdC9wYXJzZXIvaW1wbGljaXQtaGVhZC1pbi1mcmFnbWVudC1jcmFzaC1leHBl Y3RlZC50eHQJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L3BhcnNlci9pbXBsaWNp dC1oZWFkLWluLWZyYWdtZW50LWNyYXNoLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKQEAgLTAs MCArMSwyIEBACitidWcgMjU2OTQKK1BBU1MKClByb3BlcnR5IGNoYW5nZXMgb246IExheW91dFRl c3RzL2Zhc3QvcGFyc2VyL2ltcGxpY2l0LWhlYWQtaW4tZnJhZ21lbnQtY3Jhc2gtZXhwZWN0ZWQu dHh0Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX18KTmFtZTogc3ZuOm1pbWUtdHlwZQogICArIHRleHQvcGxhaW4KTmFtZTog c3ZuOmVvbC1zdHlsZQogICArIG5hdGl2ZQoKSW5kZXg6IExheW91dFRlc3RzL2Zhc3QvcGFyc2Vy L2ltcGxpY2l0LWhlYWQtaW4tZnJhZ21lbnQtY3Jhc2guaHRtbAo9PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlv dXRUZXN0cy9mYXN0L3BhcnNlci9pbXBsaWNpdC1oZWFkLWluLWZyYWdtZW50LWNyYXNoLmh0bWwJ KHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L3BhcnNlci9pbXBsaWNpdC1oZWFkLWlu LWZyYWdtZW50LWNyYXNoLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMjQgQEAKKzxTQ1JJ UFQ+CisgIGlmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgICBsYXlvdXRUZXN0 Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIud2FpdFVu dGlsRG9uZSgpOworICB9CisgIHNldFRpbWVvdXQoZnVuY3Rpb24gKCkgeworICAgIG5vZGUgPSBk b2N1bWVudC5jcmVhdGVFbGVtZW50KCJNIik7CisgICAgZG9jdW1lbnQub3BlbigpOworICAgIG5v ZGUuaW5uZXJIVE1MID0gIjxib2R5PiI7CisgICAgbm9kZS5pbm5lckhUTUwgPSAiPHA+IjsKKwor ICAgIG5vZGUgPSBkb2N1bWVudC5jcmVhdGVEb2N1bWVudEZyYWdtZW50KCk7CisgICAgZG9jdW1l bnQub3BlbigpOworICAgIG5vZGUuaW5uZXJIVE1MID0gIjxib2R5PiI7CisgICAgbm9kZS5pbm5l ckhUTUwgPSAiPHA+IjsKKworICAgIHZhciBiID0gZG9jdW1lbnQuYm9keTsKKyAgICBkb2N1bWVu dC53cml0ZSgiPGEgaHJlZj0naHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTI1Njk0Jz5idWcgMjU2OTQ8L2E+PGJyPiIpOworICAgIGRvY3VtZW50LndyaXRlKGIgPyAiRkFJ TDogZG9jdW1lbnQuYm9keSBpcyBub3QgbnVsbCAoYnV0IGF0IGxlYXN0IHdlIGRpZG4ndCBjcmFz aCkiIDogIlBBU1MiKTsKKyAgICBkb2N1bWVudC5jbG9zZSgpOworICAgIGlmICh3aW5kb3cubGF5 b3V0VGVzdENvbnRyb2xsZXIpCisgICAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5ub3RpZnlEb25l KCk7CisgIH0sIDApOworPC9TQ1JJUFQ+CgpQcm9wZXJ0eSBjaGFuZ2VzIG9uOiBMYXlvdXRUZXN0 cy9mYXN0L3BhcnNlci9pbXBsaWNpdC1oZWFkLWluLWZyYWdtZW50LWNyYXNoLmh0bWwKX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fXwpOYW1lOiBzdm46bWltZS10eXBlCiAgICsgdGV4dC9odG1sCgo=