47190 2010-10-05 10:15:30 -0700 Issue in treebuilder parsing related to table tags 2010-10-05 20:04:34 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 inferno webkit-unassigned abarth commit-queue eric oldest_to_newest 289708 0 inferno 2010-10-05 10:15:30 -0700 These issues don't look security related, but filing just as a precaution. Adam, Eric, can you please take a look. If you think they can have any security consequence, then i will file a bug on chromium repository to track this correctly. Otherwise, we can remove the security tags. Testcase: <table> <td></tfoot> Stack: ASSERTION FAILED: isParsingFragment() (..\html\parser\HTMLTreeBuilder.cpp:1852 WebCore::HTMLTreeBuilder::processEndTagForInCell) (b48.1884): Break instruction exception - code 80000003 (first chance) *** WARNING: Unable to verify checksum for D:\chromium\src\chrome\Debug\chrome.dll ExceptionAddress: 59f2ff42 (chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTagForInCell+0x00000202) ExceptionCode: 80000003 (Break instruction exception) ExceptionFlags: 00000000 NumberParameters: 1 Parameter[0]: 00000000 ChildEBP RetAddr 0584edbc 59f314f1 chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTagForInCell( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x202 0584ee08 59f29c5a chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTag( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x721 0584ee1c 59f29a53 chrome_57e50000!WebCore::HTMLTreeBuilder::processToken( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x7a 0584ee30 59f29483 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x23 0584ee68 59ee8324 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromToken( class WebCore::HTMLToken * rawToken = 0x0554d05c)+0x33 0584eea4 59ee7f0f chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizer( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x174 0584eeb4 59ee8aa8 chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x7f 0584eedc 59aaceb7 chrome_57e50000!WebCore::HTMLDocumentParser::append( class WebCore::SegmentedString * source = 0x0584eef0)+0xb8 0584ef3c 5986ad47 chrome_57e50000!WebCore::DecodedDataDocumentParser::appendBytes( class WebCore::DocumentWriter * writer = 0x0557518c, char * data = 0x00000000 "", int length = 0, bool shouldFlush = true)+0xb7 Testcase 2: <table><isindex action='1'> Stack: ASSERTION FAILED: m_tree.currentElement()->hasTagName(formTag) (..\html\parser\HTMLTreeBuilder.cpp:546 WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody) (1360.13ec): Break instruction exception - code 80000003 (first chance) *** WARNING: Unable to verify checksum for D:\chromium\src\chrome\Debug\chrome.dll ExceptionAddress: 59f2a50c (chrome_57e50000!WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody+0x0000015c) ExceptionCode: 80000003 (Break instruction exception) ExceptionFlags: 00000000 NumberParameters: 1 Parameter[0]: 00000000 ChildEBP RetAddr 056dea2c 59f2bd73 chrome_57e50000!WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x15c 056dea84 59f2c99c chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTagForInBody( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0xe03 056deab0 59f2d141 chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTagForInTable( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x3fc 056debe4 59f29c4c chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTag( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x541 056debf8 59f29a53 chrome_57e50000!WebCore::HTMLTreeBuilder::processToken( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x6c 056dec0c 59f29483 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x23 056dec44 59ee8324 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromToken( class WebCore::HTMLToken * rawToken = 0x0570e05c)+0x33 056dec80 59ee7f0f chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizer( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x174 056dec90 59ee8aa8 chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x7f 056decb8 59aaceb7 chrome_57e50000!WebCore::HTMLDocumentParser::append( class WebCore::SegmentedString * source = 0x056deccc)+0xb8 056ded18 5986ad47 chrome_57e50000!WebCore::DecodedDataDocumentParser::appendBytes( class WebCore::DocumentWriter * writer = 0x0573618c, char * data = 0x00000000 "", int length = 0, bool shouldFlush = true)+0xb7 056ded3c 5986ae0c chrome_57e50000!WebCore::DocumentWriter::addData( char * str = 0x00000000 "", int len = 0, bool flush = true)+0x67 289766 1 abarth 2010-10-05 11:21:03 -0700 Yessir. Will look today. 289776 2 inferno 2010-10-05 11:37:50 -0700 Thanks a lot Adam. 289798 3 abarth 2010-10-05 12:08:30 -0700 The ASSERT is wrong. Our behavior is correct. 289799 4 inferno 2010-10-05 12:10:08 -0700 Thanks Adam for the quick response. One less security bug :) 289808 5 69827 abarth 2010-10-05 12:19:39 -0700 Created attachment 69827 Patch 290053 6 69827 commit-queue 2010-10-05 20:04:29 -0700 Comment on attachment 69827 Patch Clearing flags on attachment: 69827 Committed r69170: <http://trac.webkit.org/changeset/69170> 290054 7 commit-queue 2010-10-05 20:04:34 -0700 All reviewed patches have been landed. Closing bug. 69827 2010-10-05 12:19:39 -0700 2010-10-05 20:04:29 -0700 Patch bug-47190-20101005121938.patch text/plain 2844 abarth SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA2OTEzNSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMTAtMTAtMDUgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9y Zz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBJc3N1 ZSBpbiB0cmVlYnVpbGRlciBwYXJzaW5nIHJlbGF0ZWQgdG8gdGFibGUgdGFncworICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDcxOTAKKworICAgICAgICBV cGRhdGUgQVNTRVJUIHRvIG1hdGNoIHRoZSBzcGVjIGFuZCBvdXIgYmVoYXZpb3IuCisKKyAgICAg ICAgKiBodG1sL3BhcnNlci9IVE1MVHJlZUJ1aWxkZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6 SFRNTFRyZWVCdWlsZGVyOjpwcm9jZXNzRW5kVGFnRm9ySW5DZWxsKToKKwogMjAxMC0xMC0wNSAg S2ltbW8gS2lubnVuZW4gIDxraW1tby50Lmtpbm51bmVuQG5va2lhLmNvbT4KIAogICAgICAgICBS ZXZpZXdlZCBieSBLZW5uZXRoIFJvaGRlIENocmlzdGlhbnNlbi4KSW5kZXg6IFdlYkNvcmUvaHRt bC9wYXJzZXIvSFRNTFRyZWVCdWlsZGVyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2h0bWwv cGFyc2VyL0hUTUxUcmVlQnVpbGRlci5jcHAJKHJldmlzaW9uIDY5MTI3KQorKysgV2ViQ29yZS9o dG1sL3BhcnNlci9IVE1MVHJlZUJ1aWxkZXIuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xODQ5LDcg KzE4NDksNyBAQCB2b2lkIEhUTUxUcmVlQnVpbGRlcjo6cHJvY2Vzc0VuZFRhZ0ZvckluCiAgICAg ICAgIHx8IHRva2VuLm5hbWUoKSA9PSB0clRhZwogICAgICAgICB8fCBpc1RhYmxlQm9keUNvbnRl eHRUYWcodG9rZW4ubmFtZSgpKSkgewogICAgICAgICBpZiAoIW1fdHJlZS5vcGVuRWxlbWVudHMo KS0+aW5UYWJsZVNjb3BlKHRva2VuLm5hbWUoKSkpIHsKLSAgICAgICAgICAgIEFTU0VSVChpc1Bh cnNpbmdGcmFnbWVudCgpKTsKKyAgICAgICAgICAgIEFTU0VSVChpc1RhYmxlQm9keUNvbnRleHRU YWcodG9rZW4ubmFtZSgpKSB8fCBpc1BhcnNpbmdGcmFnbWVudCgpKTsKICAgICAgICAgICAgIHBh cnNlRXJyb3IodG9rZW4pOwogICAgICAgICAgICAgcmV0dXJuOwogICAgICAgICB9CkluZGV4OiBM YXlvdXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiA2OTEzNSkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5 KQpAQCAtMSwzICsxLDE0IEBACisyMDEwLTEwLTA1ICBBZGFtIEJhcnRoICA8YWJhcnRoQHdlYmtp dC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg SXNzdWUgaW4gdHJlZWJ1aWxkZXIgcGFyc2luZyByZWxhdGVkIHRvIHRhYmxlIHRhZ3MKKyAgICAg ICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQ3MTkwCisKKyAgICAg ICAgQWRkIHRlc3QgY292ZXJhZ2UuCisKKyAgICAgICAgKiBodG1sNWxpYi9yZXNvdXJjZXMvd2Vi a2l0MDIuZGF0OgorCiAyMDEwLTEwLTA1ICBSb2JlcnQgSG9nYW4gIDxyb2JlcnRAd2Via2l0Lm9y Zz4KIAogICAgICAgICBSZXZpZXdlZCBieSBBbmRyZWFzIEtsaW5nLgpJbmRleDogTGF5b3V0VGVz dHMvaHRtbDVsaWIvcmVzb3VyY2VzL3dlYmtpdDAyLmRhdAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRU ZXN0cy9odG1sNWxpYi9yZXNvdXJjZXMvd2Via2l0MDIuZGF0CShyZXZpc2lvbiA2OTEyNykKKysr IExheW91dFRlc3RzL2h0bWw1bGliL3Jlc291cmNlcy93ZWJraXQwMi5kYXQJKHdvcmtpbmcgY29w eSkKQEAgLTQwLDMgKzQwLDU1IEBACiB8IDxodG1sPgogfCAgIDxoZWFkPgogfCAgIDxib2R5Pgor CisjZGF0YQorPHRhYmxlPjx0ZD48L3Rib2R5PkEKKyNlcnJvcnMKKyNkb2N1bWVudAorfCA8aHRt bD4KK3wgICA8aGVhZD4KK3wgICA8Ym9keT4KK3wgICAgICJBIgorfCAgICAgPHRhYmxlPgorfCAg ICAgICA8dGJvZHk+Cit8ICAgICAgICAgPHRyPgorfCAgICAgICAgICAgPHRkPgorCisjZGF0YQor PHRhYmxlPjx0ZD48L3RoZWFkPkEKKyNlcnJvcnMKKyNkb2N1bWVudAorfCA8aHRtbD4KK3wgICA8 aGVhZD4KK3wgICA8Ym9keT4KK3wgICAgIDx0YWJsZT4KK3wgICAgICAgPHRib2R5PgorfCAgICAg ICAgIDx0cj4KK3wgICAgICAgICAgIDx0ZD4KK3wgICAgICAgICAgICAgIkEiCisKKyNkYXRhCis8 dGFibGU+PHRkPjwvdGZvb3Q+QQorI2Vycm9ycworI2RvY3VtZW50Cit8IDxodG1sPgorfCAgIDxo ZWFkPgorfCAgIDxib2R5PgorfCAgICAgPHRhYmxlPgorfCAgICAgICA8dGJvZHk+Cit8ICAgICAg ICAgPHRyPgorfCAgICAgICAgICAgPHRkPgorfCAgICAgICAgICAgICAiQSIKKworI2RhdGEKKzx0 YWJsZT48dGhlYWQ+PHRkPjwvdGJvZHk+QQorI2Vycm9ycworI2RvY3VtZW50Cit8IDxodG1sPgor fCAgIDxoZWFkPgorfCAgIDxib2R5PgorfCAgICAgPHRhYmxlPgorfCAgICAgICA8dGhlYWQ+Cit8 ICAgICAgICAgPHRyPgorfCAgICAgICAgICAgPHRkPgorfCAgICAgICAgICAgICAiQSIK