Bug 13942

Summary: ASSERTION FAILED: !attrName.contains('/') in HTMLTokenizer.cpp:132 when loading http://bamanzi.blogeden.cn/
Product: WebKit
Reporter: Anders Carlsson <andersca>
Component: Page Loading
Assignee: Julien Chaffraix <jchaffraix>
Status: RESOLVED FIXED
Severity: Normal
CC: ddkilzer, eric, jchaffraix
Priority: P2
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
Attachments:
Check for '/' when assigning value to attribute to avoid triggering the assertion (flags: darin: review+)

Description Anders Carlsson 2007-05-30 16:36:04 PDT
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x01392b92 in WebCore::Token::addAttribute (this=0x212c014, doc=0x212b600, attrName=@0x212c03c, v=@0x14dbff0, viewSourceMode=false) at /Volumes/Shared/WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:132
132             ASSERT(!attrName.contains('/'));
(gdb) print attrName.m_string.ascii()
$3 = {
  m_size = 12, 
  m_impl = {
    m_buffer = 0x16fdef20 "(??\"/?????\"", 
    m_capacity = 16
  }
}

Comment 1 David Kilzer (:ddkilzer) 2007-10-09 07:05:41 PDT
More sites that trip this assertion failure:

http://www.allaboutolive.com.au/   [per Bug 14620 Comment #3]
http://students.hamilton.edu/rugby/
http://www.gameres.com/
http://www.tf1.fr/

Comment 2 David Kilzer (:ddkilzer) 2007-10-09 08:11:41 PDT
(In reply to comment #1)
> http://www.allaboutolive.com.au/   [per Bug 14620 Comment #3]

Many instances of:

<href ='http://www.allaboutolive.com.au/wp-content/uploads/2007/10/didnt-hear-again.jpg' title='didnt-hear-again.jpg'>

> http://students.hamilton.edu/rugby/

<td ALIGN=CENTER VALIGN=CENTER WIDTH="9%" HEIGHT="50%" ="http://students.hamilton.edu/rugby/rugby_ball.gif">

> http://www.gameres.com/

I can't figure out where the string below is located in the document, but it appears to be within gb2312-encoded text.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x016136f0 in WebCore::Token::addAttribute (this=0x2822818, doc=0x2844400, attrName=@0x2822848, v=@0x18fa3e8, viewSourceMode=false) at /Users/ddkilzer/Projects/Cocoa/WebKit/WebCore/html/HTMLTokenizer.cpp:133
133             ASSERT(!attrName.contains('/'));
(gdb) p attrName.m_string.ascii()
$1 = {
  m_size = 21, 
  m_impl = {
    m_buffer = 0x2436bd0 "express/??(microsoft", 
    m_capacity = 21
  }
}
Current language:  auto; currently c++

> http://www.tf1.fr/

<style ="text/css">

Comment 3 mitz 2008-03-06 10:11:38 PST
*** Bug 17695 has been marked as a duplicate of this bug. ***

Comment 4 David Kilzer (:ddkilzer) 2008-03-06 10:51:04 PST
*** Bug 14620 has been marked as a duplicate of this bug. ***

Comment 5 Julien Chaffraix 2008-04-20 14:07:24 PDT
Created attachment 20706
Check for '/' when assigning value to attribute to avoid triggering the assertion

Comment 6 Darin Adler 2008-04-27 23:42:56 PDT
Comment on attachment 20706
Check for '/' when assigning value to attribute to avoid triggering the assertion

Is the "/" character the only bad character for an attribute name?

This change seems fine as far as it goes, but I'm surprised that this is the only character that is allowed in attribute values but can cause us trouble in attribute names. Maybe ":"?

r=me, but let's consider further testing with other characters

Comment 7 Julien Chaffraix 2008-05-15 13:03:51 PDT
(In reply to comment #6)
> (From update of attachment 20706)
> Is the "/" character the only bad character for an attribute name?

No.
 
> This change seems fine as far as it goes, but I'm surprised that this is the
> only character that is allowed in attribute values but can cause us trouble in
> attribute names. Maybe ":"?
> r=me, but let's consider further testing with other characters

Filed Bug 19084 to cover the other wrong characters (FYI ':' is not a problem according to HTML5).

Committed in r33492.
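
For comparison with the malformed tags quoted in comment 2 and the HTML5 reference in comment 7, the following is an added example, not WebKit's code and not the patch in attachment 20706. It is a simplified model of the attribute states of the HTML Standard tokenizer (the function name `attributeNames` is hypothetical; character references, NUL, duplicate attributes and end-of-file are left out), in which '/' always terminates an attribute name, so these inputs produce odd names but never one containing '/'.

```cpp
// Added example: simplified model of the HTML Standard's attribute tokenizer states.
#include <iostream>
#include <string>
#include <vector>

// Returns the attribute names produced for the text that follows a tag name.
std::vector<std::string> attributeNames(const std::string& s) {
    enum State { BeforeName, Name, AfterName, BeforeValue, Quoted, Unquoted, AfterQuoted, SelfClosing };
    State st = BeforeName;
    std::vector<std::string> names;
    char quote = 0;
    for (size_t i = 0; i < s.size();) {
        const char c = s[i];
        const bool ws = c == ' ' || c == '\t' || c == '\n' || c == '\f';
        if (c == '>' && st != Quoted) break;                 // '>' outside quotes ends the tag
        switch (st) {
        case BeforeName:
            if (ws) ++i;
            else if (c == '/') st = AfterName;               // reconsume
            else if (c == '=') { names.push_back("="); st = Name; ++i; }  // parse error: '=' opens a name
            else { names.emplace_back(); st = Name; }        // reconsume
            break;
        case Name:                                           // whitespace or '/' always ends a name
            if (ws || c == '/') st = AfterName;
            else if (c == '=') { st = BeforeValue; ++i; }
            else { names.back() += (c >= 'A' && c <= 'Z') ? char(c + 32) : c; ++i; }
            break;
        case AfterName:
            if (ws) ++i;
            else if (c == '/') { st = SelfClosing; ++i; }
            else if (c == '=') { st = BeforeValue; ++i; }
            else { names.emplace_back(); st = Name; }        // reconsume
            break;
        case BeforeValue:
            if (ws) ++i;
            else if (c == '"' || c == '\'') { quote = c; st = Quoted; ++i; }
            else st = Unquoted;                              // reconsume
            break;
        case Quoted:      st = (c == quote) ? AfterQuoted : Quoted; ++i; break;
        case Unquoted:    st = ws ? BeforeName : Unquoted; ++i; break;
        case AfterQuoted: if (c == '/') { st = SelfClosing; ++i; } else st = BeforeName; break;
        case SelfClosing: st = BeforeName; break;            // not '>': parse error, reconsume
        }
    }
    return names;
}

int main() {  // sample input: the attribute part of the <style ="text/css"> tag from comment 2
    for (const auto& n : attributeNames(" =\"text/css\">")) std::cout << '[' << n << "]\n";
}
```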