Bug 113016

Summary: HTMLStackItem should include <template> as a special tag
Product: WebKit
Reporter: Takashi Sakamoto <tasak>
Component: DOM
Assignee: Rafael Weinstein <rafaelw>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, adamk, eric, esprehn+autocc, inferno, ojan.autocc, rafaelw, webkit.review.bot
Priority: P1
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (description / flags):
repro.html / none
Patch / none

Takashi Sakamoto
Reported 2013-03-22 01:00:39 PDT
Timestamp: 2013-03-14 03:00:22
Fuzzer: Dstockwell-css-fuzzer
Job Type: Linux_asan_drt
Crash type: UNKNOWN
Crash address: 0x000000000000
Crash state:
- crash stack -
WebCore::HTMLStackItem::HTMLStackItem
WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately
WebCore::HTMLTreeBuilder::processTemplateEndTag
Redzone: 32 bytes
https://cluster-fuzz.appspot.com/testcase?key=171557060
Attachments
repro.html (46 bytes, text/html)
2013-03-22 01:02 PDT, Takashi Sakamoto
no flags
Patch (2.54 KB, patch)
2013-03-22 09:46 PDT, Rafael Weinstein
no flags
Takashi Sakamoto
Comment 1 2013-03-22 01:02:08 PDT
Created attachment 194463 [details] repro.html
Takashi Sakamoto
Comment 2 2013-03-22 01:04:47 PDT
I guess the crash reason would be that HTMLTreeBuilder::processAnyOtherEndTagForInBody checks items out of <template>.
Takashi Sakamoto
Comment 3 2013-03-22 01:09:59 PDT
When token type is end and token name is dummy (cf. repro.html), processAnyOtherEndTagForInBody(dummy), mode(7):
HTMLStackItem(span)
HTMLStackItem(template)
HTMLStackItem(dummy) <---- this dummy will be removed, but this is not a child of <template>.
Rafael Weinstein
Comment 4 2013-03-22 09:45:25 PDT
This is an oversight in the implementation of the template element. Note the spec instructs that <template> should be considered a "special" tag: https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html#parsing
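The spec step referred to above, as an added illustration in Python (not WebKit code): a simulation of the "any other end tag" step of the in-body insertion mode, run against a constructed stack of open elements. The stack contents and the dummy tag name are assumptions modelled on comment 3, not the actual contents of repro.html; the spec's "generate implied end tags" sub-step is omitted.

```python
# Simulation of the HTML parsing spec's "any other end tag" step of the
# "in body" insertion mode. Added example for this bug, not WebKit code.
# The stack below is a constructed illustration of the scenario in
# comment 3, not the real repro.html.

# A small subset of the spec's "special" category (the real list is longer).
SPECIAL_WITHOUT_TEMPLATE = {"html", "body", "head", "div", "p", "table"}
SPECIAL_WITH_TEMPLATE = SPECIAL_WITHOUT_TEMPLATE | {"template"}


def any_other_end_tag(stack, tag, special):
    """Apply the 'any other end tag' step to a stack of open elements.

    `stack` is ordered bottom (index 0) to top (current node). Returns the
    resulting stack and a short description of what happened. The spec's
    'generate implied end tags' sub-step is omitted for brevity.
    """
    stack = list(stack)
    # Walk from the current node downwards.
    for i in range(len(stack) - 1, -1, -1):
        node = stack[i]
        if node == tag:
            # Match: pop everything from the current node up to and including it.
            popped = stack[i:]
            del stack[i:]
            return stack, "popped " + ",".join(popped)
        if node in special:
            # A special element sits between the token and its match:
            # parse error, the end tag is ignored and the stack is untouched.
            return stack, f"ignored (hit special <{node}>)"
    return stack, "ignored (no match)"


# Constructed stack: <dummy> opened before the <template>, <span> inside it.
OPEN_ELEMENTS = ["html", "body", "dummy", "template", "span"]


def demo():
    """Run </dummy> against the stack with and without template as special."""
    buggy = any_other_end_tag(OPEN_ELEMENTS, "dummy", SPECIAL_WITHOUT_TEMPLATE)
    fixed = any_other_end_tag(OPEN_ELEMENTS, "dummy", SPECIAL_WITH_TEMPLATE)
    return {"buggy": buggy, "fixed": fixed}


if __name__ == "__main__":
    for name, (stack, what) in demo().items():
        print(name, what, "->", stack)
```

With template absent from the special set, </dummy> pops the template and its content off the stack of open elements while the tree builder's template insertion mode state still refers to it; with template special, the stray end tag is ignored and the stack is left intact.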
Rafael Weinstein
Comment 5 2013-03-22 09:46:46 PDT
Rafael Weinstein
Comment 6 2013-03-24 15:49:16 PDT
ping.
Eric Seidel (no email)
Comment 7 2013-03-26 10:21:11 PDT
Comment on attachment 194575 [details] Patch
Thanks.
WebKit Review Bot
Comment 8 2013-03-26 10:26:33 PDT
Comment on attachment 194575 [details] Patch
Clearing flags on attachment: 194575
Committed r146904: <http://trac.webkit.org/changeset/146904>
WebKit Review Bot
Comment 9 2013-03-26 10:26:36 PDT
All reviewed patches have been landed. Closing bug.