43672 2010-08-07 08:46:53 -0700 Regression: Memory corruption in tree builder 2010-08-09 14:22:08 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 inferno webkit-unassigned abarth eric jamesr oldest_to_newest 261726 0 63818 inferno 2010-08-07 08:46:53 -0700 Created attachment 63818 Testcase credit: aohelin reported in: http://code.google.com/p/chromium/issues/detail?id=51476 Did not crash on 6.0.486.0 (55032) trunk, v5 stable for windows. But does tab crash on chrome canary 6.0.487.0 (same version Aki is using). A very recent regression It look like a tree builder issue. it first hits the assert if (furthestBlockElement->attached()) { ASSERT(!newElement->attached()); in HTMLTreeBuilder.cpp after moving through couple of asserts, Corruption happens here with trying to cast a text node to renderbox. > chrome.dll!WebCore::toRenderBox(WebCore::RenderObject * object=0x153b100c) Line 380 + 0x31 bytes C++ chrome.dll!WebCore::RenderBox::nextSiblingBox() Line 400 + 0xe bytes C++ chrome.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=true, int & maxFloatBottom=0) Line 1731 + 0x8 bytes C++ chrome.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=true) Line 1197 C++ chrome.dll!WebCore::RenderBlock::layout() Line 1116 + 0x14 bytes C++ chrome.dll!WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox * child=0x005b4f3c, WebCore::RenderBlock::MarginInfo & marginInfo={...}, int & previousFloatBottom=0, int & maxFloatBottom=0) Line 1809 + 0x12 bytes C++ chrome.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=true, int & maxFloatBottom=0) Line 1753 C++ Adam, Eric, can you please take a look. 261732 1 abarth 2010-08-07 10:38:30 -0700 No need to be in the security component. This code just landed yesterday. I don't think anyone's shipped it. 261733 2 63820 abarth 2010-08-07 10:41:53 -0700 Created attachment 63820 Patch 261734 3 63820 dglazkov 2010-08-07 10:43:08 -0700 Comment on attachment 63820 Patch ok. 261736 4 abarth 2010-08-07 10:45:39 -0700 *** Bug 43663 has been marked as a duplicate of this bug. *** 261740 5 63820 abarth 2010-08-07 10:52:31 -0700 Comment on attachment 63820 Patch Clearing flags on attachment: 63820 Committed r64913: <http://trac.webkit.org/changeset/64913> 261741 6 abarth 2010-08-07 10:52:36 -0700 All reviewed patches have been landed. Closing bug. 262319 7 ddkilzer 2010-08-09 14:22:08 -0700 <rdar://problem/8289082> 63818 2010-08-07 08:46:53 -0700 2010-08-07 08:46:53 -0700 Testcase bug51476.html text/html 44 inferno PGE+IDxkaXY+IDxzdHlsZT4gPC9zdHlsZT4gPGFkZHJlc3M+IDxhPg0KDQo= 63820 2010-08-07 10:41:53 -0700 2010-08-07 10:52:31 -0700 Patch bug-43672-20100807104152.patch text/plain 4213 abarth ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCBiMmUzNzlmYTY4ZjE1ZThjMDNmZDdlNDFmYTljODZhNDYyNGY4YjgxLi5mODI3ZDBj NmJiNTYwZjA1NWRkOTRhYzlkZTE5Mzk1MTcyY2U4YjU2IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0 cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTQgQEAK KzIwMTAtMDgtMDcgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBSZWdyZXNzaW9uOiBNZW1vcnkg Y29ycnVwdGlvbiBpbiB0cmVlIGJ1aWxkZXIKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTQzNjcyCisKKyAgICAgICAgKiBodG1sNWxpYi9yZXNvdXJjZXMv YWRvcHRpb24wMi5kYXQ6CisgICAgICAgICogaHRtbDVsaWIvcnVubmVyLWV4cGVjdGVkLWh0bWw1 LnR4dDoKKyAgICAgICAgKiBodG1sNWxpYi9ydW5uZXItZXhwZWN0ZWQudHh0OgorCiAyMDEwLTA4 LTA2ICBBbGV4IE5pY29sYW91ICA8YW5pY29sYW9AY2hyb21pdW0ub3JnPgogCiAgICAgICAgIFJl dmlld2VkIGJ5IERhcmluIEFkbGVyLgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHRtbDVsaWIv cmVzb3VyY2VzL2Fkb3B0aW9uMDIuZGF0IGIvTGF5b3V0VGVzdHMvaHRtbDVsaWIvcmVzb3VyY2Vz L2Fkb3B0aW9uMDIuZGF0CmluZGV4IDIxMjFlMzEyMDVhZGQ5M2YzZDI1NGVhYWM5Y2MwYzY5YTE1 MzU5ZTAuLmU2ZTY4MjY3MTNiMjUyMDliNTI3NWJjNTE4NGM5NjkyYjFkMTBkZmMgMTAwNjQ0Ci0t LSBhL0xheW91dFRlc3RzL2h0bWw1bGliL3Jlc291cmNlcy9hZG9wdGlvbjAyLmRhdAorKysgYi9M YXlvdXRUZXN0cy9odG1sNWxpYi9yZXNvdXJjZXMvYWRvcHRpb24wMi5kYXQKQEAgLTM3LDMgKzM3 LDE4IEBACiB8ICAgICAgICAgICA8c2NyaXB0PgogfCAgICAgICAgICAgICAiZG9jdW1lbnQuZ2V0 RWxlbWVudEJ5SWQoImIiKS5pZCA9ICJjIjtkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiaSIpLmlk ID0gImoiIgogfCAgICAgICAgICI0IgorCisjZGF0YQorPGE+PGRpdj48c3R5bGU+PC9zdHlsZT48 YWRkcmVzcz48YT4KKyNlcnJvcnMKKyNkb2N1bWVudAorfCA8aHRtbD4KK3wgICA8aGVhZD4KK3wg ICA8Ym9keT4KK3wgICAgIDxhPgorfCAgICAgPGRpdj4KK3wgICAgICAgPGE+Cit8ICAgICAgICAg PHN0eWxlPgorfCAgICAgICA8YWRkcmVzcz4KK3wgICAgICAgICA8YT4KK3wgICAgICAgICA8YT4K ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0bWw1bGliL3J1bm5lci1leHBlY3RlZC1odG1sNS50 eHQgYi9MYXlvdXRUZXN0cy9odG1sNWxpYi9ydW5uZXItZXhwZWN0ZWQtaHRtbDUudHh0CmluZGV4 IDAzZTc4NjMxZGY2NWM5ODFiMTI2YTAwZThhMGU5NzcyMGQ5OThhZWMuLmFjMDE5ZmYyOTMyOTE1 Njc3NzY4YzVjYmNkMGIxMDI1Yjc5Njc3MjMgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL2h0bWw1 bGliL3J1bm5lci1leHBlY3RlZC1odG1sNS50eHQKKysrIGIvTGF5b3V0VGVzdHMvaHRtbDVsaWIv cnVubmVyLWV4cGVjdGVkLWh0bWw1LnR4dApAQCAtMzMyLDcgKzMzMiw3IEBAIEV4cGVjdGVkOgog cmVzb3VyY2VzL2Fkb3B0aW9uMDIuZGF0OgogMgogCi1UZXN0IDIgb2YgMiBpbiByZXNvdXJjZXMv YWRvcHRpb24wMi5kYXQgZmFpbGVkLiBJbnB1dDoKK1Rlc3QgMiBvZiAzIGluIHJlc291cmNlcy9h ZG9wdGlvbjAyLmRhdCBmYWlsZWQuIElucHV0OgogPGIgaWQ9ImIiPjE8aSBpZD0iaSI+MjxwPjM8 c2NyaXB0PmRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJiIikuaWQgPSAiYyI7ZG9jdW1lbnQuZ2V0 RWxlbWVudEJ5SWQoImkiKS5pZCA9ICJqIjwvc2NyaXB0PjwvYj40CiBHb3Q6CiB8IDxodG1sPgpk aWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHRtbDVsaWIvcnVubmVyLWV4cGVjdGVkLnR4dCBiL0xh eW91dFRlc3RzL2h0bWw1bGliL3J1bm5lci1leHBlY3RlZC50eHQKaW5kZXggM2QyMDhmOWRhODg4 NjQxNjIyMWU0NWVjMjdmMTM2MzRkZWFhMDRhNS4uMTRkM2VhNTcxZDlmODAxYzEwYmVkNTY3ZmVj NWMyN2IxMmNhYWY4OSAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvaHRtbDVsaWIvcnVubmVyLWV4 cGVjdGVkLnR4dAorKysgYi9MYXlvdXRUZXN0cy9odG1sNWxpYi9ydW5uZXItZXhwZWN0ZWQudHh0 CkBAIC0zMzEsNyArMzMxLDcgQEAgRXhwZWN0ZWQ6CiByZXNvdXJjZXMvYWRvcHRpb24wMi5kYXQ6 CiAyCiAKLVRlc3QgMiBvZiAyIGluIHJlc291cmNlcy9hZG9wdGlvbjAyLmRhdCBmYWlsZWQuIElu cHV0OgorVGVzdCAyIG9mIDMgaW4gcmVzb3VyY2VzL2Fkb3B0aW9uMDIuZGF0IGZhaWxlZC4gSW5w dXQ6CiA8YiBpZD0iYiI+MTxpIGlkPSJpIj4yPHA+MzxzY3JpcHQ+ZG9jdW1lbnQuZ2V0RWxlbWVu dEJ5SWQoImIiKS5pZCA9ICJjIjtkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiaSIpLmlkID0gImoi PC9zY3JpcHQ+PC9iPjQKIEdvdDoKIHwgPGh0bWw+CmRpZmYgLS1naXQgYS9XZWJDb3JlL0NoYW5n ZUxvZyBiL1dlYkNvcmUvQ2hhbmdlTG9nCmluZGV4IDg5MGUwMGIyYjU1YTkxOTEwMDM3MDFlMTRh ZTJkZjhjYzZjM2I2MTMuLmQ5YTVjYzAwYjRiYThmZGYwZWEwYmU4ZjA2Yjk3YTE3YmIxMzlmZjYg MTAwNjQ0Ci0tLSBhL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1dlYkNvcmUvQ2hhbmdlTG9nCkBA IC0xLDMgKzEsMTYgQEAKKzIwMTAtMDgtMDcgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9y Zz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBSZWdy ZXNzaW9uOiBNZW1vcnkgY29ycnVwdGlvbiBpbiB0cmVlIGJ1aWxkZXIKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQzNjcyCisKKyAgICAgICAgVHVybnMg b3V0IHRoaXMgQVNTRVJUIHdhcyB3cm9uZyBhbmQgd2UgbmVlZCB0aGUgYnJhbmNoLiAgWWF5IGZv cgorICAgICAgICB0ZXN0LWRyaXZlbiBkZXZlbG9wbWVudC4KKworICAgICAgICAqIGh0bWwvSFRN TFRyZWVCdWlsZGVyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkhUTUxUcmVlQnVpbGRlcjo6Y2Fs bFRoZUFkb3B0aW9uQWdlbmN5KToKKwogMjAxMC0wOC0wNiAgQWRhbSBCYXJ0aCAgPGFiYXJ0aEB3 ZWJraXQub3JnPgogCiAgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgpkaWZmIC0t Z2l0IGEvV2ViQ29yZS9odG1sL0hUTUxUcmVlQnVpbGRlci5jcHAgYi9XZWJDb3JlL2h0bWwvSFRN TFRyZWVCdWlsZGVyLmNwcAppbmRleCA4M2Y0OWZlMTgyOTc2MzgxYmRkOWE3OTMwMTI1ZmEyNDNk MjQ1OGE4Li4yMTcxNmUzZDg3YjRlNGY3NjRkMTMzNDNkODcwNjc4NzdlZjAyZDU0IDEwMDY0NAot LS0gYS9XZWJDb3JlL2h0bWwvSFRNTFRyZWVCdWlsZGVyLmNwcAorKysgYi9XZWJDb3JlL2h0bWwv SFRNTFRyZWVCdWlsZGVyLmNwcApAQCAtMTc0NCw4ICsxNzQ0LDkgQEAgdm9pZCBIVE1MVHJlZUJ1 aWxkZXI6OmNhbGxUaGVBZG9wdGlvbkFnZW5jeShBdG9taWNIVE1MVG9rZW4mIHRva2VuKQogICAg ICAgICAvLyAgICAgICAgYmUgaW4gSFRNTENvbnN0cnVjdGlvblNpdGUuICBNeSBndWVzcyBpcyB0 aGF0IHN0ZXBzIDgtLTEyCiAgICAgICAgIC8vICAgICAgICBzaG91bGQgYWxsIGJlIGluIHNvbWUg SFRNTENvbnN0cnVjdGlvblNpdGUgZnVuY3Rpb24uCiAgICAgICAgIGZ1cnRoZXN0QmxvY2tFbGVt ZW50LT5wYXJzZXJBZGRDaGlsZChuZXdFbGVtZW50KTsKLSAgICAgICAgaWYgKGZ1cnRoZXN0Qmxv Y2tFbGVtZW50LT5hdHRhY2hlZCgpKSB7Ci0gICAgICAgICAgICBBU1NFUlQoIW5ld0VsZW1lbnQt PmF0dGFjaGVkKCkpOworICAgICAgICBpZiAoZnVydGhlc3RCbG9ja0VsZW1lbnQtPmF0dGFjaGVk KCkgJiYgIW5ld0VsZW1lbnQtPmF0dGFjaGVkKCkpIHsKKyAgICAgICAgICAgIC8vIE5vdGljZSB0 aGF0IG5ld0VsZW1lbnQgbWlnaHQgYWxyZWFkeSBiZSBhdHRhY2hlZCBpZiwgZm9yIGV4YW1wbGUs IG9uZSBvZiB0aGUgcmVwYXJlbnRlZAorICAgICAgICAgICAgLy8gY2hpbGRyZW4gaXMgYSBzdHls ZSBlbGVtZW50LCB3aGljaCBhdHRhY2hlcyBpdHNlbGYgYXV0b21hdGljYWxseS4KICAgICAgICAg ICAgIG5ld0VsZW1lbnQtPmF0dGFjaCgpOwogICAgICAgICB9CiAgICAgICAgIC8vIDExCg==