Bug 43663

Summary: html5 tree builder crash in adoption agency
Product: WebKit Reporter: James Robinson <jamesr>
Component: DOM    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal    CC: abarth, eric, tonyg
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5

Description James Robinson 2010-08-06 19:09:09 PDT
Seen on chromium reliability bots:

Stack trace:
chrome_2580000!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks+0x143 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 682]
chrome_2580000!WebCore::RenderBlock::addChildIgnoringContinuation+0xa6 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 761]
chrome_2580000!WebCore::RenderBlock::addChild+0x5b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 754]
chrome_2580000!WebCore::Node::createRendererIfNeeded+0x108 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\node.cpp @ 1418]
chrome_2580000!WebCore::Element::attach+0x14 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\element.cpp @ 816]
chrome_2580000!WebCore::HTMLImageElement::attach+0x8 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmlimageelement.cpp @ 193]
chrome_2580000!WebCore::ContainerNode::attach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 638]
chrome_2580000!WebCore::Element::attach+0x1b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\element.cpp @ 817]
chrome_2580000!WebCore::ContainerNode::attach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 638]
chrome_2580000!WebCore::Element::attach+0x1b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\element.cpp @ 817]
chrome_2580000!WebCore::HTMLTreeBuilder::callTheAdoptionAgency+0x280 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 1752]
chrome_2580000!WebCore::HTMLTreeBuilder::processEndTagForInBody+0x3ca [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 2077]
chrome_2580000!WebCore::HTMLTreeBuilder::processEndTag+0x1d0 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 2402]
chrome_2580000!WebCore::HTMLTreeBuilder::constructTreeFromToken+0x37 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 516]
chrome_2580000!WebCore::HTMLDocumentParser::pumpTokenizer+0x9d [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmldocumentparser.cpp @ 173]
chrome_2580000!WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution+0x59 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmldocumentparser.cpp @ 352]
chrome_2580000!WebCore::Document::removePendingSheet+0x39 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\document.cpp @ 2692]
chrome_2580000!WebCore::HTMLLinkElement::sheetLoaded+0x3d [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmllinkelement.cpp @ 372]
chrome_2580000!WebCore::CSSStyleSheet::checkLoaded+0x30 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\css\cssstylesheet.cpp @ 219]
chrome_2580000!WebCore::HTMLLinkElement::setCSSStyleSheet+0x31f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmllinkelement.cpp @ 357]
chrome_2580000!WebCore::CachedCSSStyleSheet::checkNotify+0x70 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\cachedcssstylesheet.cpp @ 116]
chrome_2580000!WebCore::CachedCSSStyleSheet::data+0x114 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\cachedcssstylesheet.cpp @ 106]
chrome_2580000!WebCore::Loader::Host::didFinishLoading+0xad [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\loader.cpp @ 416]
chrome_2580000!WebCore::SubresourceLoader::didFinishLoading+0x26 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\subresourceloader.cpp @ 185]
chrome_2580000!WebCore::ResourceLoader::didFinishLoading+0x7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\resourceloader.cpp @ 444]


Repro URL is http://www.sonystyle.com.br/br/site/catalog/LeafCategory.jsp. This was running WebKit r64865.
Comment 1 Adam Barth 2010-08-06 19:44:41 PDT
Hum... The site doesn't crash when I load it directly.
Comment 2 Adam Barth 2010-08-06 19:47:20 PDT
Is there a way to see what HTML the bot is trying to parse?  The page at that URL is really simple.  I don't think it hits the adoption agency at all.
Comment 3 Adam Barth 2010-08-06 19:51:18 PDT
Yeah, I set a breakpoint in HTMLTreeBuilder::callTheAdoptionAgency and it doesn't get hit. Not sure how to make progress on this bug.
Comment 4 Eric Seidel (no email) 2010-08-06 20:09:09 PDT
The parser is resuming after being blocked on a stylesheet. That's a nonstandard case and one which might have bugs. I also saw a use-after-free crash when writing the document fragment parsing case, which might be a more general crash related to this. Who knows. :)
Comment 6 Adam Barth 2010-08-07 10:45:39 PDT

*** This bug has been marked as a duplicate of bug 43672 ***