Bug 25694

Summary: Crash in HTMLParser::createHead() when writing a <body> into a detached node
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: DOM
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Normal
CC: eric, skylined
Priority: P1
Keywords: GoogleBug, Regression
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
URL: http://skypher.com/SkyLined/Repro/WebKit/Bug%2025694%20-%20HTMLParsercreateHead()%20ASSERT/repro.html

Berend-Jan Wever
Reported 2009-05-11 08:09:47 PDT
The following code seems to destroy the "Document" element and then cause the code to access it regardless, causing a NULL ptr. This is detected by an ASSERT in debug builds.

<SCRIPT>
setTimeout(function () {
  node = document.createElement("M");
  document.open();
  node.innerHTML = "<body>";
}, 1);
</SCRIPT>
Attachments
proposed fix (3.99 KB, patch), 2009-05-12 06:31 PDT, Alexey Proskuryakov, darin: review+
Berend-Jan Wever
Comment 1 2009-05-11 08:11:53 PDT
Here's some info from my FuzzFramework:
Alexey Proskuryakov
Comment 2 2009-05-12 03:25:47 PDT
Likely caused by my recent change to insert <head> automagically.
Alexey Proskuryakov
Comment 3 2009-05-12 06:31:17 PDT
Created attachment 30225 [details] proposed fix
Eric Seidel (no email)
Comment 4 2009-05-12 06:52:52 PDT
I wonder how related this is to bug 25567?
Alexey Proskuryakov
Comment 5 2009-05-12 07:05:47 PDT
It's not related - that one isn't even a regression from 3.2.1.
Darin Adler
Comment 6 2009-05-12 07:34:27 PDT
Comment on attachment 30225 [details] proposed fix

A simpler test for parsing a fragment is m_isParsingFragment -- is there a reason you're not doing that? r=me
Alexey Proskuryakov
Comment 7 2009-05-12 09:23:37 PDT
No, there wasn't any reason - changed to use m_isParsingFragment. Committed <http://trac.webkit.org/changeset/43568>.