Bug 43672

Summary: Regression: Memory corruption in tree builder
Product: WebKit
Reporter: Abhishek Arya <inferno>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, eric, jamesr
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments: Testcase (no flags), Patch (no flags)

Abhishek Arya
Reported 2010-08-07 08:46:53 PDT
Created attachment 63818 [details]
Testcase

Credit: aohelin, reported in http://code.google.com/p/chromium/issues/detail?id=51476

Did not crash on 6.0.486.0 (55032) trunk, v5 stable for Windows. But it does tab-crash on Chrome canary 6.0.487.0 (same version Aki is using). A very recent regression.

It looks like a tree builder issue. It first hits the assert

    if (furthestBlockElement->attached()) {
        ASSERT(!newElement->attached());

in HTMLTreeBuilder.cpp. After moving through a couple of asserts, corruption happens here when trying to cast a text node to a RenderBox:

    chrome.dll!WebCore::toRenderBox(WebCore::RenderObject * object=0x153b100c) Line 380 + 0x31 bytes C++
    chrome.dll!WebCore::RenderBox::nextSiblingBox() Line 400 + 0xe bytes C++
    chrome.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=true, int & maxFloatBottom=0) Line 1731 + 0x8 bytes C++
    chrome.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=true) Line 1197 C++
    chrome.dll!WebCore::RenderBlock::layout() Line 1116 + 0x14 bytes C++
    chrome.dll!WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox * child=0x005b4f3c, WebCore::RenderBlock::MarginInfo & marginInfo={...}, int & previousFloatBottom=0, int & maxFloatBottom=0) Line 1809 + 0x12 bytes C++
    chrome.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=true, int & maxFloatBottom=0) Line 1753 C++

Adam, Eric, can you please take a look?
Attachments
Testcase (44 bytes, text/html), 2010-08-07 08:46 PDT, Abhishek Arya, no flags
Patch (4.11 KB, patch), 2010-08-07 10:41 PDT, Adam Barth, no flags
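The failure mode in the report is a type confusion: layout walks a block's children through nextSiblingBox(), which downcasts every sibling to RenderBox on the assumption that the tree builder never left a text node there, and that assumption was broken. The following is an added illustration, not WebKit's code and not the fix that landed in r64913 (which corrected the tree builder): a toy render tree with the same "all children of a block are boxes" invariant, an unchecked downcast that behaves like an ASSERT-guarded cast in a release build, and a checked variant that refuses the cast instead of reading a text node's fields as a box. RenderObject, RenderBox, RenderText, toRenderBoxChecked and layoutBlockChildrenChecked are invented stand-ins named after the trace; the sample tree is constructed.

```cpp
#include <cassert>
#include <cstdio>

// Illustrative render tree added for this bug page; not WebKit's classes.
struct RenderObject {
    virtual ~RenderObject() = default;
    virtual bool isBox() const { return false; }
    RenderObject* next = nullptr;        // next sibling in the render tree
};

struct RenderText : RenderObject {
    const char* text;                    // overlaps the storage RenderBox uses for marginTop
    explicit RenderText(const char* t) : text(t) {}
};

struct RenderBox : RenderObject {
    int marginTop;
    explicit RenderBox(int m) : marginTop(m) {}
    bool isBox() const override { return true; }
};

// Release-build shape of an ASSERT-guarded downcast: the check compiles out
// and the cast is unconditional. Reading marginTop through the result when
// the object is really a RenderText reinterprets the text pointer's bits,
// which is the kind of corruption the stack trace above shows.
RenderBox* toRenderBoxUnchecked(RenderObject* o) {
    return static_cast<RenderBox*>(o);
}

// Defensive variant: verify the dynamic type first and refuse the cast
// (here by returning nullptr) when the invariant does not hold.
RenderBox* toRenderBoxChecked(RenderObject* o) {
    if (!o || !o->isBox())
        return nullptr;
    return static_cast<RenderBox*>(o);
}

struct LayoutResult {
    int marginSum;        // sum of marginTop over the box children
    int nonBoxChildren;   // children that violated the "all boxes" invariant
};

// Walk the sibling chain the way a block layout walks nextSiblingBox(), but
// through the checked cast, so a misplaced text node is counted and skipped
// rather than treated as a box.
LayoutResult layoutBlockChildrenChecked(RenderObject* first) {
    LayoutResult r{0, 0};
    for (RenderObject* child = first; child; child = child->next) {
        if (RenderBox* box = toRenderBoxChecked(child))
            r.marginSum += box->marginTop;
        else
            ++r.nonBoxChildren;
    }
    return r;
}

// Constructed sample: box(10) -> text("stray") -> box(5). The text node is
// where a correct tree builder would never have put it.
LayoutResult runDemo() {
    RenderBox a(10);
    RenderText t("stray");
    RenderBox b(5);
    a.next = &t;
    t.next = &b;
    return layoutBlockChildrenChecked(&a);
}

bool checkedCastRejectsText() {
    RenderText t("stray");
    return toRenderBoxChecked(&t) == nullptr && toRenderBoxChecked(nullptr) == nullptr;
}

int main() {
    LayoutResult r = runDemo();
    std::printf("margin sum %d, non-box children %d\n", r.marginSum, r.nonBoxChildren);
    std::printf("checked cast rejects text node: %s\n", checkedCastRejectsText() ? "yes" : "no");
    // toRenderBoxUnchecked(&text)->marginTop is the confused read in the report;
    // it is deliberately not executed here because it is undefined behaviour.
    return 0;
}
```

The checked cast is defence in depth, not a substitute for fixing the producer of the bad tree: the invariant belongs to the tree builder, and the actual fix went there. A checked cast only turns a silent misread into a detectable rejection.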
Adam Barth
Comment 1 2010-08-07 10:38:30 PDT
No need to be in the security component. This code just landed yesterday. I don't think anyone's shipped it.
Adam Barth
Comment 2 2010-08-07 10:41:53 PDT
Dimitri Glazkov (Google)
Comment 3 2010-08-07 10:43:08 PDT
Comment on attachment 63820 [details]
Patch

ok.
Adam Barth
Comment 4 2010-08-07 10:45:39 PDT
*** Bug 43663 has been marked as a duplicate of this bug. ***
Adam Barth
Comment 5 2010-08-07 10:52:31 PDT
Comment on attachment 63820 [details]
Patch

Clearing flags on attachment: 63820

Committed r64913: <http://trac.webkit.org/changeset/64913>
Adam Barth
Comment 6 2010-08-07 10:52:36 PDT
All reviewed patches have been landed. Closing bug.
David Kilzer (:ddkilzer)
Comment 7 2010-08-09 14:22:08 PDT