Bug 56773

Summary: REGRESSION(81035): crash in RenderDetails::removeChild
Product: WebKit
Reporter: James Robinson <jamesr>
Component: Layout and Rendering
Assignee: Luiz Agostini <luiz>
Status: RESOLVED FIXED
Severity: Normal
CC: cmarcelo, commit-queue, dglazkov, hyatt, inferno, luiz, mitz, mrobinson, simon.fraser, webkit.review.bot
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
URL: http://runescape.wikia.com/wiki/Special:Search
Bug Depends on: 51071
Bug Blocks:
Attachments:
Description    Flags
patch          none
patch          jamesr: review-
patch          none

Description James Robinson 2011-03-21 15:34:54 PDT
The URL above crashes after r81035. Stack:

#0  0x00000000016e2e3f in WebCore::RenderDetails::removeChild (this=0x7fffc0b2c6d8, oldChild=0x7fffc1306018)
    at third_party/WebKit/Source/WebCore/rendering/RenderDetails.cpp:94
#1  0x0000000000c032db in WebCore::RenderObject::remove (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderObject.h:752
#2  0x000000000164cef2 in WebCore::RenderObject::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2187
#3  0x00000000015e31a9 in WebCore::RenderBoxModelObject::destroy (this=0x7fffc1306018)
    at third_party/WebKit/Source/WebCore/rendering/RenderBoxModelObject.cpp:277
#4  0x00000000015d11a1 in WebCore::RenderBox::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:211
#5  0x0000000001589f54 in WebCore::RenderBlock::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:193
#6  0x000000000164f884 in WebCore::RenderObjectChildList::destroyLeftoverChildren (this=0x7fffc0b2c768)
    at third_party/WebKit/Source/WebCore/rendering/RenderObjectChildList.cpp:59
#7  0x0000000001589dcc in WebCore::RenderBlock::destroy (this=0x7fffc0b2c6d8) at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:158
#8  0x00000000016e2c27 in WebCore::RenderDetails::destroy (this=0x7fffc0b2c6d8) at third_party/WebKit/Source/WebCore/rendering/RenderDetails.cpp:52
#9  0x0000000000c55d15 in WebCore::Node::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/Node.cpp:1306
#10 0x0000000000be0cc9 in WebCore::ContainerNode::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:731
#11 0x0000000000c36981 in WebCore::Element::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/Element.cpp:987
#12 0x0000000000be02af in WebCore::ContainerNode::removeChildren (this=0x7fffc1309990)
    at third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:536
#13 0x000000000170126a in WebCore::replaceChildrenWithFragment (element=0x7fffc1309990, fragment=..., ec=@0x7fffffffb5cc)
    at third_party/WebKit/Source/WebCore/html/HTMLElement.cpp:322
#14 0x0000000001701602 in WebCore::HTMLElement::setInnerHTML (this=0x7fffc1309990, html=..., ec=@0x7fffffffb5cc)
    at third_party/WebKit/Source/WebCore/html/HTMLElement.cpp:368
Comment 1 James Robinson 2011-03-21 15:36:20 PDT
innerHTML is being set on a <section> that contains a <details> element. Here's the showTree() output for the node that innerHTML is being set on immediately before the crash:

*			SECTION	0x7fffc0e783f0 CLASS=WikiaPagesOnWikiModule module
				#text	0x7fffc0e7bf50 "\n	"
				H1	0x7fffc0e78360
					#text	0x7fffc0e7bee0 "Pages on RuneScape Wiki"
				#text	0x7fffc0e7be70 "\n	"
				A	0x7fffc1f5f000 CLASS=wikia-button createpage
					IMG	0x7fffc0e7ec40 CLASS=sprite new
					#text	0x7fffc1473a80 "Add a Page"
				#text	0x7fffc1473a10 "	"
				DETAILS	0x7fffc1474f00 CLASS=tally
					#text	0x7fffc1473770 "\n		"
					EM	0x7fffc0e78240
						#text	0x7fffc1473700 "17,135"
					SPAN	0x7fffc0e781b0 CLASS=fixedwidth
						#text	0x7fffc1473620 "pages on this wiki"
					#text	0x7fffc14735b0 "	"
				#text	0x7fffc1473540 "\n"
Comment 2 Abhishek Arya 2011-03-22 09:10:21 PDT
This introduced multiple security regressions including this one and another one in accessibility code. See testcase in http://trac.webkit.org/changeset/81648 in Chrome.

Luiz, can you please take a look.
Comment 3 Luiz Agostini 2011-03-22 09:21:46 PDT
(In reply to comment #2)
> This introduced multiple security regressions including this one and another one in accessibility code. See testcase in http://trac.webkit.org/changeset/81648 in Chrome.
> 
> Luiz, can you please take a look.

Looking.
Comment 4 Alexey Proskuryakov 2011-03-22 10:25:12 PDT
<rdar://problem/9169211>
Comment 5 Luiz Agostini 2011-03-22 10:52:18 PDT
Created attachment 86477
patch
Comment 6 Luiz Agostini 2011-03-22 11:28:18 PDT
Created attachment 86485
patch

bad spelling in changelog.
Comment 7 James Robinson 2011-03-22 11:39:44 PDT
Comment on attachment 86485
patch

This needs at least one test
Comment 8 Luiz Agostini 2011-03-22 13:48:43 PDT
Created attachment 86499
patch
Comment 9 Dave Hyatt 2011-03-23 12:01:38 PDT
Comment on attachment 86499
patch

r=me
Comment 10 WebKit Commit Bot 2011-03-23 15:04:31 PDT
Comment on attachment 86499
patch

Clearing flags on attachment: 86499

Committed r81812: <http://trac.webkit.org/changeset/81812>
Comment 11 WebKit Commit Bot 2011-03-23 15:04:36 PDT
All reviewed patches have been landed.  Closing bug.