Bug 47190

Summary: Issue in treebuilder parsing related to table tags
Product: WebKit Reporter: Abhishek Arya <inferno>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal CC: abarth, commit-queue, eric
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Patch (flags: none)

Description Abhishek Arya 2010-10-05 10:15:30 PDT
These issues don't look security related, but filing just as a precaution. Adam, Eric, can you please take a look? If you think they can have any security consequence, then I will file a bug on the Chromium repository to track this correctly. Otherwise, we can remove the security tags.

Testcase:
<table>
<td></tfoot>

Stack:
ASSERTION FAILED: isParsingFragment()
(..\html\parser\HTMLTreeBuilder.cpp:1852 WebCore::HTMLTreeBuilder::processEndTagForInCell)
(b48.1884): Break instruction exception - code 80000003 (first chance)
*** WARNING: Unable to verify checksum for D:\chromium\src\chrome\Debug\chrome.dll
ExceptionAddress: 59f2ff42 (chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTagForInCell+0x00000202)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000
ChildEBP RetAddr  
0584edbc 59f314f1 chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTagForInCell(
			class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x202
0584ee08 59f29c5a chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTag(
			class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x721
0584ee1c 59f29a53 chrome_57e50000!WebCore::HTMLTreeBuilder::processToken(
			class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x7a
0584ee30 59f29483 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(
			class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x23
0584ee68 59ee8324 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromToken(
			class WebCore::HTMLToken * rawToken = 0x0554d05c)+0x33
0584eea4 59ee7f0f chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizer(
			WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x174
0584eeb4 59ee8aa8 chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(
			WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x7f
0584eedc 59aaceb7 chrome_57e50000!WebCore::HTMLDocumentParser::append(
			class WebCore::SegmentedString * source = 0x0584eef0)+0xb8
0584ef3c 5986ad47 chrome_57e50000!WebCore::DecodedDataDocumentParser::appendBytes(
			class WebCore::DocumentWriter * writer = 0x0557518c, 
			char * data = 0x00000000 "", 
			int length = 0, 
			bool shouldFlush = true)+0xb7

Testcase 2:
<table><isindex action='1'>

Stack:
ASSERTION FAILED: m_tree.currentElement()->hasTagName(formTag)
(..\html\parser\HTMLTreeBuilder.cpp:546 WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody)
(1360.13ec): Break instruction exception - code 80000003 (first chance)
*** WARNING: Unable to verify checksum for D:\chromium\src\chrome\Debug\chrome.dll
ExceptionAddress: 59f2a50c (chrome_57e50000!WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody+0x0000015c)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000
ChildEBP RetAddr  
056dea2c 59f2bd73 chrome_57e50000!WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody(
			class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x15c
056dea84 59f2c99c chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTagForInBody(
			class WebCore::AtomicHTMLToken * token = 0x056dec20)+0xe03
056deab0 59f2d141 chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTagForInTable(
			class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x3fc
056debe4 59f29c4c chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTag(
			class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x541
056debf8 59f29a53 chrome_57e50000!WebCore::HTMLTreeBuilder::processToken(
			class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x6c
056dec0c 59f29483 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(
			class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x23
056dec44 59ee8324 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromToken(
			class WebCore::HTMLToken * rawToken = 0x0570e05c)+0x33
056dec80 59ee7f0f chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizer(
			WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x174
056dec90 59ee8aa8 chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(
			WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x7f
056decb8 59aaceb7 chrome_57e50000!WebCore::HTMLDocumentParser::append(
			class WebCore::SegmentedString * source = 0x056deccc)+0xb8
056ded18 5986ad47 chrome_57e50000!WebCore::DecodedDataDocumentParser::appendBytes(
			class WebCore::DocumentWriter * writer = 0x0573618c, 
			char * data = 0x00000000 "", 
			int length = 0, 
			bool shouldFlush = true)+0xb7
056ded3c 5986ae0c chrome_57e50000!WebCore::DocumentWriter::addData(
			char * str = 0x00000000 "", 
			int len = 0, 
			bool flush = true)+0x67
Comment 1 Adam Barth 2010-10-05 11:21:03 PDT
Yessir.  Will look today.
Comment 2 Abhishek Arya 2010-10-05 11:37:50 PDT
Thanks a lot Adam.
Comment 3 Adam Barth 2010-10-05 12:08:30 PDT
The ASSERT is wrong.  Our behavior is correct.
Comment 4 Abhishek Arya 2010-10-05 12:10:08 PDT
Thanks Adam for the quick response. One less security bug :)
Comment 5 Adam Barth 2010-10-05 12:19:39 PDT
Created attachment 69827 [details]
Patch
Comment 6 WebKit Commit Bot 2010-10-05 20:04:29 PDT
Comment on attachment 69827 [details]
Patch

Clearing flags on attachment: 69827

Committed r69170: <http://trac.webkit.org/changeset/69170>
Comment 7 WebKit Commit Bot 2010-10-05 20:04:34 PDT
All reviewed patches have been landed.  Closing bug.