Bug 43663

Summary: html5 tree builder crash in adoption agency
Product: WebKit
Reporter: James Robinson <jamesr>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: abarth, eric, tonyg
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5

James Robinson
Reported 2010-08-06 19:09:09 PDT
Seen on chromium reliability bots:

Stack trace:
chrome_2580000!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks+0x143 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 682]
chrome_2580000!WebCore::RenderBlock::addChildIgnoringContinuation+0xa6 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 761]
chrome_2580000!WebCore::RenderBlock::addChild+0x5b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 754]
chrome_2580000!WebCore::Node::createRendererIfNeeded+0x108 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\node.cpp @ 1418]
chrome_2580000!WebCore::Element::attach+0x14 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\element.cpp @ 816]
chrome_2580000!WebCore::HTMLImageElement::attach+0x8 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmlimageelement.cpp @ 193]
chrome_2580000!WebCore::ContainerNode::attach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 638]
chrome_2580000!WebCore::Element::attach+0x1b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\element.cpp @ 817]
chrome_2580000!WebCore::ContainerNode::attach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 638]
chrome_2580000!WebCore::Element::attach+0x1b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\element.cpp @ 817]
chrome_2580000!WebCore::HTMLTreeBuilder::callTheAdoptionAgency+0x280 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 1752]
chrome_2580000!WebCore::HTMLTreeBuilder::processEndTagForInBody+0x3ca [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 2077]
chrome_2580000!WebCore::HTMLTreeBuilder::processEndTag+0x1d0 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 2402]
chrome_2580000!WebCore::HTMLTreeBuilder::constructTreeFromToken+0x37 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmltreebuilder.cpp @ 516]
chrome_2580000!WebCore::HTMLDocumentParser::pumpTokenizer+0x9d [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmldocumentparser.cpp @ 173]
chrome_2580000!WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution+0x59 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmldocumentparser.cpp @ 352]
chrome_2580000!WebCore::Document::removePendingSheet+0x39 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\document.cpp @ 2692]
chrome_2580000!WebCore::HTMLLinkElement::sheetLoaded+0x3d [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmllinkelement.cpp @ 372]
chrome_2580000!WebCore::CSSStyleSheet::checkLoaded+0x30 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\css\cssstylesheet.cpp @ 219]
chrome_2580000!WebCore::HTMLLinkElement::setCSSStyleSheet+0x31f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\html\htmllinkelement.cpp @ 357]
chrome_2580000!WebCore::CachedCSSStyleSheet::checkNotify+0x70 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\cachedcssstylesheet.cpp @ 116]
chrome_2580000!WebCore::CachedCSSStyleSheet::data+0x114 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\cachedcssstylesheet.cpp @ 106]
chrome_2580000!WebCore::Loader::Host::didFinishLoading+0xad [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\loader.cpp @ 416]
chrome_2580000!WebCore::SubresourceLoader::didFinishLoading+0x26 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\subresourceloader.cpp @ 185]
chrome_2580000!WebCore::ResourceLoader::didFinishLoading+0x7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\resourceloader.cpp @ 444]

Repro URL is http://www.sonystyle.com.br/br/site/catalog/LeafCategory.jsp. This was running WebKit r64865.
Adam Barth
Comment 1 2010-08-06 19:44:41 PDT
Hum... The site doesn't crash when I load it directly.
Adam Barth
Comment 2 2010-08-06 19:47:20 PDT
Is there a way to see what HTML the bot is trying to parse? The page at that URL is really simple. I don't think it hits the adoption agency at all.
Adam Barth
Comment 3 2010-08-06 19:51:18 PDT
Yeah, I set a breakpoint in HTMLTreeBuilder::callTheAdoptionAgency and it doesn't get hit. Not sure how to make progress on this bug.
Eric Seidel (no email)
Comment 4 2010-08-06 20:09:09 PDT
The parser is resuming after being blocked on a stylesheet. That's a nonstandard case and one which might have bugs. I also saw a use-after-free crash when writing the document fragment parsing case, which might be a more general crash related to this. Who knows. :)
Adam Barth
Comment 6 2010-08-07 10:45:39 PDT
*** This bug has been marked as a duplicate of bug 43672 ***