Bug 43672

Summary: Regression: Memory corruption in tree builder
Product: WebKit
Reporter: Abhishek Arya <inferno>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, eric, jamesr
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Testcase (flags: none)
Patch (flags: none)

Description Abhishek Arya 2010-08-07 08:46:53 PDT
Created attachment 63818 [details]
Testcase

credit: aohelin
reported in: http://code.google.com/p/chromium/issues/detail?id=51476
Did not crash on 6.0.486.0 (55032) trunk or v5 stable for Windows, but does tab-crash on Chrome canary 6.0.487.0 (same version Aki is using). A very recent regression.

It looks like a tree builder issue. It first hits the assert
        if (furthestBlockElement->attached()) {
            ASSERT(!newElement->attached());
in HTMLTreeBuilder.cpp

After moving through a couple of asserts,

corruption happens here when trying to cast a text node to a RenderBox:
> chrome.dll!WebCore::toRenderBox(WebCore::RenderObject * object=0x153b100c)  Line 380 + 0x31 bytes  C++
  chrome.dll!WebCore::RenderBox::nextSiblingBox()  Line 400 + 0xe bytes  C++
  chrome.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=true, int & maxFloatBottom=0)  Line 1731 + 0x8 bytes  C++
  chrome.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=true)  Line 1197  C++
  chrome.dll!WebCore::RenderBlock::layout()  Line 1116 + 0x14 bytes  C++
  chrome.dll!WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox * child=0x005b4f3c, WebCore::RenderBlock::MarginInfo & marginInfo={...}, int & previousFloatBottom=0, int & maxFloatBottom=0)  Line 1809 + 0x12 bytes  C++
  chrome.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=true, int & maxFloatBottom=0)  Line 1753  C++

Adam, Eric, can you please take a look?
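The crash above is a type confusion: a layout loop that assumes every sibling is a RenderBox reaches a RenderText and downcasts it with an unchecked to*() helper, so the text node's fields are read as box geometry. The following is an added example written for this page, not WebKit's code: the RenderObject, RenderBox, RenderText and Chain types are hypothetical miniatures, and the sample sibling chain Box(10) -> Text -> Box(20) is constructed input. It contrasts the unchecked downcast with a checked one that returns nullptr instead of a mistyped pointer, and shows a sibling walk that tolerates a non-box sibling rather than corrupting memory.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical miniature render-tree types (assumed for illustration; not
// WebKit's real classes). Only the pieces needed to show the failure mode.
struct RenderObject {
    virtual ~RenderObject() = default;
    virtual bool isBox() const { return false; }
    RenderObject* nextSibling = nullptr;
};

struct RenderBox : RenderObject {
    explicit RenderBox(int w) : width(w) {}
    bool isBox() const override { return true; }
    int width;
};

struct RenderText : RenderObject {
    explicit RenderText(const char* s) : text(s) {}
    const char* text;  // bytes that an unchecked cast would read as box geometry
};

// Unchecked downcast: the shape of a cast helper that only asserts in debug
// builds. Handed a RenderText, it returns a RenderBox* whose `width` aliases
// the text pointer's bytes. Never dereference its result without a prior
// isBox() check; this example only calls it on a genuine box.
static RenderBox* toRenderBoxUnchecked(RenderObject* object) {
    return static_cast<RenderBox*>(object);
}

// Checked downcast: refuses to hand back a mistyped pointer.
static RenderBox* toRenderBoxChecked(RenderObject* object) {
    if (!object || !object->isBox())
        return nullptr;
    return static_cast<RenderBox*>(object);
}

// Owns a sibling chain (hypothetical container; constructed sample data).
struct Chain {
    std::vector<std::unique_ptr<RenderObject>> nodes;
    RenderObject* first() const { return nodes.empty() ? nullptr : nodes.front().get(); }
    void append(std::unique_ptr<RenderObject> node) {
        if (!nodes.empty())
            nodes.back()->nextSibling = node.get();
        nodes.push_back(std::move(node));
    }
};

// Box(10) -> Text -> Box(20): a child list with an inline text run between
// two boxes, the situation a boxes-only sibling walk does not expect.
static Chain makeMixedChain() {
    Chain c;
    c.append(std::unique_ptr<RenderObject>(new RenderBox(10)));
    c.append(std::unique_ptr<RenderObject>(new RenderText("hello")));
    c.append(std::unique_ptr<RenderObject>(new RenderBox(20)));
    return c;
}

// Walks the chain the way a layout loop that assumes "every sibling is a
// box" would, but through the checked cast. Returns how many siblings were
// not boxes: non-zero means the unchecked version would have confused types.
int countNonBoxSiblings(const Chain& chain) {
    int mismatches = 0;
    for (RenderObject* o = chain.first(); o; o = o->nextSibling) {
        if (!toRenderBoxChecked(o))
            ++mismatches;
    }
    return mismatches;
}

// Sums widths over the real boxes only, skipping the text run instead of
// reading its pointer bytes as a width. Returns 30 for the mixed chain.
int sumBoxWidths(const Chain& chain) {
    int total = 0;
    for (RenderObject* o = chain.first(); o; o = o->nextSibling) {
        if (RenderBox* box = toRenderBoxChecked(o))
            total += box->width;
    }
    return total;
}

// On a genuine box both casts agree; the unchecked one is only safe after
// the type check has already been made.
bool uncheckedAgreesOnRealBox() {
    RenderBox box(5);
    RenderBox* unchecked = toRenderBoxUnchecked(&box);
    return unchecked == toRenderBoxChecked(&box) && unchecked->width == 5;
}
```

The point for a reviewer of the fix is the invariant, not the cast itself: nextSiblingBox() is only sound if the tree builder never leaves a non-box where a box-only walk expects one, which is what the attached()/!attached() asserts in HTMLTreeBuilder are guarding.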
Comment 1 Adam Barth 2010-08-07 10:38:30 PDT
No need to be in the security component.  This code just landed yesterday.  I don't think anyone's shipped it.
Comment 2 Adam Barth 2010-08-07 10:41:53 PDT
Created attachment 63820 [details]
Patch
Comment 3 Dimitri Glazkov (Google) 2010-08-07 10:43:08 PDT
Comment on attachment 63820 [details]
Patch

ok.
Comment 4 Adam Barth 2010-08-07 10:45:39 PDT
*** Bug 43663 has been marked as a duplicate of this bug. ***
Comment 5 Adam Barth 2010-08-07 10:52:31 PDT
Comment on attachment 63820 [details]
Patch

Clearing flags on attachment: 63820

Committed r64913: <http://trac.webkit.org/changeset/64913>
Comment 6 Adam Barth 2010-08-07 10:52:36 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 David Kilzer (:ddkilzer) 2010-08-09 14:22:08 PDT
<rdar://problem/8289082>