Bug 176061

Summary: Assertion failure when opening a file with a missing tag closing bracket
Product: WebKit
Component: New Bugs
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Said Abou-Hallawa <sabouhallawa>
Assignee: Said Abou-Hallawa <sabouhallawa>
CC: buildbot, cdumez, commit-queue, darin, esprehn+autocc, gyuyoung.kim, webkit-bug-importer
Keywords: InRadar

Said Abou-Hallawa
Reported 2017-08-29 11:31:21 PDT
Open the following page in WebKit:

<!DOCTYPE html>
<html>
<body>
<script>
</script
</body>
</html>

Notice the "</script" does not have a closing bracket.

Result: Assertion failure with the following call stack:

#1 0x00000001c8d61f39 in WebCore::SegmentedString::advancePastNonNewline() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/text/SegmentedString.h:242
#2 0x00000001c8e4ebc9 in WebCore::HTMLTokenizer::commitToPartialEndTag(WebCore::SegmentedString&, unsigned short, WebCore::HTMLTokenizer::State) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/parser/HTMLTokenizer.cpp:162
#3 0x00000001c8e50d4d in WebCore::HTMLTokenizer::processToken(WebCore::SegmentedString&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/parser/HTMLTokenizer.cpp:469
#4 0x00000001c8d42a9f in WebCore::HTMLTokenizer::nextToken(WebCore::SegmentedString&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/parser/HTMLTokenizer.h:284
#5 0x00000001c8df7711 in WebCore::HTMLMetaCharsetParser::checkForMetaCharset(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/html/parser/HTMLMetaCharsetParser.cpp:158
#6 0x00000001cabb2198 in WebCore::TextResourceDecoder::checkForMetaCharset(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/TextResourceDecoder.cpp:559
#7 0x00000001cabb2100 in WebCore::TextResourceDecoder::checkForHeadCharset(char const*, unsigned long, bool&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/TextResourceDecoder.cpp:554
#8 0x00000001cabb2a6a in WebCore::TextResourceDecoder::decode(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/TextResourceDecoder.cpp:617
#9 0x00000001c8719cad in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/DecodedDataDocumentParser.cpp:45
#10 0x00000001c885e879 in WebCore::DocumentWriter::addData(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentWriter.cpp:253
#11 0x00000001c88155af in WebCore::DocumentLoader::commitData(char const*, unsigned long) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentLoader.cpp:914
#12 0x00000001094606af in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:975
#13 0x00000001c88182cd in WebCore::DocumentLoader::commitLoad(char const*, int) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentLoader.cpp:832
#14 0x00000001c88181ef in WebCore::DocumentLoader::dataReceived(char const*, int) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentLoader.cpp:947
#15 0x00000001c8818924 in WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&, char const*, int) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/DocumentLoader.cpp:920
#16 0x00000001c8290e98 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedRawResource.cpp:115
#17 0x00000001c8290cfd in WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/cache/CachedRawResource.cpp:64
#18 0x00000001ca9dbd3a in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/SubresourceLoader.cpp:406
#19 0x00000001ca9dbb02 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/loader/SubresourceLoader.cpp:374
#20 0x000000010983f014 in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:135
#21 0x00000001098429f0 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:40
#22 0x00000001098427c0 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<IPC::DataReference, long long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:46
#23 0x0000000109841c11 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:126
#24 0x00000001098413d6 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) at /volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/DerivedSources/WebKit2/WebResourceLoaderMessageReceiver.cpp:61
#25 0x0000000108f975a9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:68
#26 0x0000000108d33983 in IPC::Connection::dispatchMessage(IPC::Decoder&) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:901
#27 0x0000000108d28ea8 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:928
#28 0x0000000108d33f8a in IPC::Connection::dispatchOneMessage() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:959
#29 0x0000000108d4c4bd in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:895
#30 0x0000000108d4c419 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() at /volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Function.h:101
#31 0x00000001d60efe2b in WTF::Function<void ()>::operator()() const at /volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Function.h:56
#32 0x00000001d61112e3 in WTF::RunLoop::performWork() at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/RunLoop.cpp:106
#33 0x00000001d6111b64 in WTF::RunLoop::performWork(void*) at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/cf/RunLoopCF.cpp:38
Attachments
Patch (3.08 KB, patch)
2017-08-29 17:12 PDT, Said Abou-Hallawa
no flags
Radar WebKit Bug Importer
Comment 1 2017-08-29 11:31:51 PDT
Darin Adler
Comment 2 2017-08-29 16:08:14 PDT
The bug here is in HTMLTokenizer::commitToPartialEndTag, which calls SegmentedString::advancePastNonNewline, but instead it needs to call SegmentedString::advance. That's all it will take to fix this; just call advance instead of advancePastNonNewline.
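The distinction Comment 2 draws between the two advance calls is easy to see in a small model. The following C++ is an added illustration, not WebKit's SegmentedString, HTMLTokenizer or the landed patch: the class and method names are borrowed from the bug, but their bodies are assumptions. The assumed semantics are that advance() accepts any character and maintains the line count, while advancePastNonNewline() is a fast path whose precondition is that the current character is not a newline (modelled here as a thrown std::logic_error where WebKit has an ASSERT). commitEndTagAfterScript is a hypothetical reading of the stack trace: inside <script>, "</" plus a tag name is buffered, and once the name matches and the next character is whitespace, '/' or '>', the tokenizer commits to the end tag and consumes that character. Since whitespace includes '\n', only the general advance is valid at that point.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>
#include <utility>

// Added illustration, not WebKit code: a minimal input cursor with the two
// advance operations named in the bug. The bodies are assumptions.
class TinySegmentedString {
public:
    explicit TinySegmentedString(std::string text) : m_text(std::move(text)) {}

    bool isEmpty() const { return m_pos >= m_text.size(); }
    char currentCharacter() const { return isEmpty() ? '\0' : m_text[m_pos]; }
    int currentLine() const { return m_line; }

    // General advance: handles every character and keeps line bookkeeping.
    void advance()
    {
        if (isEmpty())
            return;
        if (m_text[m_pos] == '\n')
            ++m_line;
        ++m_pos;
    }

    // Fast path that skips the newline bookkeeping. Precondition: the current
    // character is not '\n'. WebKit asserts this in debug builds; here the
    // violation throws so it can be observed without aborting the process.
    void advancePastNonNewline()
    {
        if (currentCharacter() == '\n')
            throw std::logic_error("advancePastNonNewline(): current character is a newline");
        ++m_pos;
    }

private:
    std::string m_text;
    size_t m_pos = 0;
    int m_line = 1;
};

// Hypothetical model (assumption drawn from the stack trace, not the real
// HTMLTokenizer) of committing to an end tag inside script data. Returns the
// line the cursor is on after the commit, or -1 if the input is not a
// committed end tag for expectedEndTag.
int commitEndTagAfterScript(TinySegmentedString& source, const std::string& expectedEndTag, bool useFixedCall)
{
    if (source.currentCharacter() != '<')
        return -1;
    source.advancePastNonNewline(); // '<' is never a newline, so the fast path is valid
    if (source.currentCharacter() != '/')
        return -1;
    source.advancePastNonNewline(); // '/' likewise
    std::string name;
    while (std::isalpha(static_cast<unsigned char>(source.currentCharacter()))) {
        name += static_cast<char>(std::tolower(static_cast<unsigned char>(source.currentCharacter())));
        source.advancePastNonNewline(); // tag-name characters are never newlines
    }
    char terminator = source.currentCharacter();
    bool terminates = terminator == '/' || terminator == '>'
        || std::isspace(static_cast<unsigned char>(terminator));
    if (name != expectedEndTag || !terminates)
        return -1;
    // The terminator may be '\n' (whitespace), so the fast path's precondition
    // does not hold here; only the general advance is correct.
    if (useFixedCall)
        source.advance();
    else
        source.advancePastNonNewline(); // the call the bug report identifies
    return source.currentLine();
}

// Runs the model on the input shape from the report: "</script" followed by a
// newline (constructed sample). Returns true if the commit succeeded and the
// cursor ended on line 2, false if the fast path's precondition fired.
bool reproduces(bool useFixedCall)
{
    TinySegmentedString source("</script\n</body>");
    try {
        return commitEndTagAfterScript(source, "script", useFixedCall) == 2;
    } catch (const std::logic_error&) {
        return false;
    }
}
```

reproduces(false) models the state before the fix and fails on the newline; reproduces(true) models the one-call change Comment 2 describes and consumes the newline while keeping the line count right, which is the only difference between the two paths.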
Said Abou-Hallawa
Comment 3 2017-08-29 17:12:46 PDT
WebKit Commit Bot
Comment 4 2017-08-29 19:26:46 PDT
Comment on attachment 319313 [details] Patch

Clearing flags on attachment: 319313

Committed r221335: <http://trac.webkit.org/changeset/221335>
WebKit Commit Bot
Comment 5 2017-08-29 19:26:48 PDT
All reviewed patches have been landed. Closing bug.