29313 2009-09-16 14:11:31 -0700 Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare fastRealloc edge case 2009-10-19 09:18:31 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 1 dglazkov webkit-unassigned ap commit-queue darin eric mbelshe oldest_to_newest 147615 0 dglazkov 2009-09-16 14:11:31 -0700 From bug 29026: " .. I found a case in WebKit which attempts to realloc(ptr, 0): WTF::fastRealloc+0x10 WebCore::HTMLTokenizer::enlargeScriptBuffer+0x41 WebCore::HTMLTokenizer::parseComment+0x2a WebCore::HTMLTokenizer::parseTag+0x1141 WebCore::HTMLTokenizer::write+0x414 WebCore::FrameLoader::write+0x36b WebCore::FrameLoader::addData+0x12 To get here, we have to read data input off the socket which contains a partial page ending with "<!--". It's a little hard to reproduce. " 147617 1 39660 dglazkov 2009-09-16 14:14:25 -0700 Created attachment 39660 Fix HTMLTokenizer crash, v1. WebCore/ChangeLog | 15 +++++++++++++++ WebCore/html/HTMLTokenizer.cpp | 8 ++++++++ 2 files changed, 23 insertions(+), 0 deletions(-) 147619 2 darin 2009-09-16 14:17:04 -0700 We have other test cases like this done with HTTP tests that deliver text slowly. Can we make a regression test case? 147621 3 dglazkov 2009-09-16 14:20:11 -0700 (In reply to comment #2) > We have other test cases like this done with HTTP tests that deliver text > slowly. Can we make a regression test case? Mike (the original finder of the problem), what do you think? 147629 4 ap 2009-09-16 14:40:37 -0700 + // If we allow fastRealloc(ptr, 0), it will call CRASH(). Given bug 29026, this may be too strong a statement. Will this change even be needed if bug 29026 is fixed the way we seem to have consensus on? 152376 5 eric 2009-10-05 11:07:42 -0700 Ping? 155708 6 39660 yong.li.webkit 2009-10-19 08:52:28 -0700 Comment on attachment 39660 Fix HTMLTokenizer crash, v1. Let commit bot land it 155728 7 39660 commit-queue 2009-10-19 09:18:26 -0700 Comment on attachment 39660 Fix HTMLTokenizer crash, v1. Clearing flags on attachment: 39660 Committed r49788: <http://trac.webkit.org/changeset/49788> 155729 8 commit-queue 2009-10-19 09:18:31 -0700 All reviewed patches have been landed. Closing bug. 39660 2009-09-16 14:14:25 -0700 2009-10-19 09:18:26 -0700 Fix HTMLTokenizer crash, v1. Fix-HTMLTokenizer-crash-v1..patch text/plain 1540 dglazkov NTAxZjc4NjAyM2E0NjkzZmQ4NGM3ODQxYTZlMjk3NWUyOGNhMTkxYwpkaWZmIC0tZ2l0IGEvV2Vi Q29yZS9DaGFuZ2VMb2cgYi9XZWJDb3JlL0NoYW5nZUxvZwppbmRleCBmYTNiYzk0Li5hY2I3ODQ1 IDEwMDY0NAotLS0gYS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9XZWJDb3JlL0NoYW5nZUxvZwpA QCAtMSwzICsxLDE4IEBACisyMDA5LTA5LTEwICBEaW1pdHJpIEdsYXprb3YgIDxkZ2xhemtvdkBj aHJvbWl1bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAg ICAgICAgRml4IGhhcmQtdG8tcmVwcm9kdWNlIGNyYXNoIGluIEhUTUxUb2tlbml6ZXIgYnkgYXZv aWRpbmcgYSByYXJlCisgICAgICAgIGZhc3RSZWFsbG9jIGVkZ2UgY2FzZS4KKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI5MzEzCisKKyAgICAgICAgTm8g dGVzdCwgdGhlIGNyYXNoIHNob3dzIHVwIG9jY2FzaW9uYWxseSBpbiBjcmFzaCBkdW1wcywgd2Ug d2VyZW4ndCBhYmxlCisgICAgICAgIHRvIHJlcHJvZHVjZSBpdCBsb2NhbGx5LgorCisgICAgICAg ICogaHRtbC9IVE1MVG9rZW5pemVyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkhUTUxUb2tlbml6 ZXI6OmVubGFyZ2VTY3JpcHRCdWZmZXIpOiBBZGRlZCBhbiBlYXJseSBleGl0IHRvCisgICAgICAg ICAgICBhdm9pZCBjYWxsaW5nIGZhc3RSZWFsbG9jIHdpdGggdGhlIHNpemUgb2YgMC4KKwogMjAw OS0wOS0xNiAgQ2Fyb2wgU3phYm8gIDxjYXJvbC5zemFib0Bub2tpYS5jb20+CiAKICAgICAgICAg UmV2aWV3ZWQgYnkgQWxleGV5IFByb3NrdXJ5YWtvdi4KZGlmZiAtLWdpdCBhL1dlYkNvcmUvaHRt bC9IVE1MVG9rZW5pemVyLmNwcCBiL1dlYkNvcmUvaHRtbC9IVE1MVG9rZW5pemVyLmNwcAppbmRl eCA3MWZhYWMwLi41MWU3NTg0IDEwMDY0NAotLS0gYS9XZWJDb3JlL2h0bWwvSFRNTFRva2VuaXpl ci5jcHAKKysrIGIvV2ViQ29yZS9odG1sL0hUTUxUb2tlbml6ZXIuY3BwCkBAIC0xOTgwLDYgKzE5 ODAsMTQgQEAgdm9pZCBIVE1MVG9rZW5pemVyOjplbmxhcmdlU2NyaXB0QnVmZmVyKGludCBsZW4p CiAgICAgICAgIENSQVNIKCk7CiAKICAgICBpbnQgbmV3U2l6ZSA9IG1fc2NyaXB0Q29kZUNhcGFj aXR5ICsgZGVsdGE7CisgICAgLy8gSWYgd2UgYWxsb3cgZmFzdFJlYWxsb2MocHRyLCAwKSwgaXQg d2lsbCBjYWxsIENSQVNIKCkuIFdlIHJ1biBpbnRvIHRoaXMKKyAgICAvLyBjYXNlIGlmIHRoZSBI VE1MIGJlaW5nIHBhcnNlZCBiZWdpbnMgd2l0aCAiPCEtLSIgYW5kIHRoZXJlJ3MgbW9yZSBkYXRh CisgICAgLy8gY29taW5nLgorICAgIGlmICghbmV3U2l6ZSkgeworICAgICAgICBBU1NFUlQoIW1f c2NyaXB0Q29kZSk7CisgICAgICAgIHJldHVybjsKKyAgICB9CisKICAgICBtX3NjcmlwdENvZGUg PSBzdGF0aWNfY2FzdDxVQ2hhcio+KGZhc3RSZWFsbG9jKG1fc2NyaXB0Q29kZSwgbmV3U2l6ZSAq IHNpemVvZihVQ2hhcikpKTsKICAgICBtX3NjcmlwdENvZGVDYXBhY2l0eSA9IG5ld1NpemU7CiB9 Cg==