Bug 56773

Summary: REGRESSION(81035): crash in RenderDetails::removeChild
Product: WebKit Reporter: James Robinson <jamesr>
Component: Layout and Rendering
Assignee: Luiz Agostini <luiz>
Status: RESOLVED FIXED    
Severity: Normal CC: cmarcelo, commit-queue, dglazkov, hyatt, inferno, luiz, mitz, mrobinson, simon.fraser, webkit.review.bot
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
URL: http://runescape.wikia.com/wiki/Special:Search
Bug Depends on: 51071    
Bug Blocks:    

James Robinson
Reported 2011-03-21 15:34:54 PDT
The URL above crashes after r81035. stack:
#0 0x00000000016e2e3f in WebCore::RenderDetails::removeChild (this=0x7fffc0b2c6d8, oldChild=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderDetails.cpp:94
#1 0x0000000000c032db in WebCore::RenderObject::remove (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderObject.h:752
#2 0x000000000164cef2 in WebCore::RenderObject::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2187
#3 0x00000000015e31a9 in WebCore::RenderBoxModelObject::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderBoxModelObject.cpp:277
#4 0x00000000015d11a1 in WebCore::RenderBox::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:211
#5 0x0000000001589f54 in WebCore::RenderBlock::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:193
#6 0x000000000164f884 in WebCore::RenderObjectChildList::destroyLeftoverChildren (this=0x7fffc0b2c768) at third_party/WebKit/Source/WebCore/rendering/RenderObjectChildList.cpp:59
#7 0x0000000001589dcc in WebCore::RenderBlock::destroy (this=0x7fffc0b2c6d8) at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:158
#8 0x00000000016e2c27 in WebCore::RenderDetails::destroy (this=0x7fffc0b2c6d8) at third_party/WebKit/Source/WebCore/rendering/RenderDetails.cpp:52
#9 0x0000000000c55d15 in WebCore::Node::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/Node.cpp:1306
#10 0x0000000000be0cc9 in WebCore::ContainerNode::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:731
#11 0x0000000000c36981 in WebCore::Element::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/Element.cpp:987
#12 0x0000000000be02af in WebCore::ContainerNode::removeChildren (this=0x7fffc1309990) at third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:536
#13 0x000000000170126a in WebCore::replaceChildrenWithFragment (element=0x7fffc1309990, fragment=..., ec=@0x7fffffffb5cc) at third_party/WebKit/Source/WebCore/html/HTMLElement.cpp:322
#14 0x0000000001701602 in WebCore::HTMLElement::setInnerHTML (this=0x7fffc1309990, html=..., ec=@0x7fffffffb5cc) at third_party/WebKit/Source/WebCore/html/HTMLElement.cpp:368
Attachments
patch (3.65 KB, patch)
2011-03-22 10:52 PDT, Luiz Agostini
no flags
patch (3.65 KB, patch)
2011-03-22 11:28 PDT, Luiz Agostini
jamesr: review-
patch (6.11 KB, patch)
2011-03-22 13:48 PDT, Luiz Agostini
no flags
James Robinson
Comment 1 2011-03-21 15:36:20 PDT
innerHTML is being set on a <section> that contains a <details> element. Here's the showTree() output for the node that innerHTML is being set on immediately before the crash:
* SECTION 0x7fffc0e783f0 CLASS=WikiaPagesOnWikiModule module
#text 0x7fffc0e7bf50 "\n "
H1 0x7fffc0e78360
#text 0x7fffc0e7bee0 "Pages on RuneScape Wiki"
#text 0x7fffc0e7be70 "\n "
A 0x7fffc1f5f000 CLASS=wikia-button createpage
IMG 0x7fffc0e7ec40 CLASS=sprite new
#text 0x7fffc1473a80 "Add a Page"
#text 0x7fffc1473a10 " "
DETAILS 0x7fffc1474f00 CLASS=tally
#text 0x7fffc1473770 "\n "
EM 0x7fffc0e78240
#text 0x7fffc1473700 "17,135"
SPAN 0x7fffc0e781b0 CLASS=fixedwidth
#text 0x7fffc1473620 "pages on this wiki"
#text 0x7fffc14735b0 " "
#text 0x7fffc1473540 "\n"
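The description and comment 1 together give the shape of the crashing case: a container element holding a <details> element has its children replaced through innerHTML, which tears the render tree down via replaceChildrenWithFragment, ContainerNode::removeChildren and RenderDetails::destroy. The following is an added regression-test-style page written here to illustrate that sequence; it is not the test from the landed patch and makes no claim about which child triggered the original crash. The element ids and the "PASS" marker are constructed for this example; the window.testRunner guard follows the usual WebKit layout-test convention so the file also renders in a normal browser.

```html
<!DOCTYPE html>
<html>
<body>
<p>Replacing the children of an element that contains a &lt;details&gt; element via innerHTML should not crash. (Constructed test case, not the patch's own test.)</p>

<!-- Reduced version of the structure shown in comment 1: a <section> wrapping a <details> with inline children. -->
<section id="container">
  <h1>Heading</h1>
  <details open>
    <em>17,135</em>
    <span>pages on this wiki</span>
  </details>
</section>

<div id="result"></div>

<script>
// Under DumpRenderTree/WebKitTestRunner only the text output is compared; elsewhere the page just renders.
if (window.testRunner)
    testRunner.dumpAsText();

var container = document.getElementById("container");

// Force style and layout so the renderer subtree for <details> exists before it is torn down.
container.offsetHeight;

// Same entry point as frame #14 of the reported stack: HTMLElement::setInnerHTML on the
// container, which removes every existing child (including the <details>) before inserting
// the parsed fragment.
container.innerHTML = "<p>replaced</p>";

// Also exercise the <details> element as the direct target, so its own children are removed
// while its renderer is still alive.
var details = document.createElement("details");
details.innerHTML = "<em>a</em><span>b</span>";
document.body.appendChild(details);
document.body.offsetHeight;
details.innerHTML = "";

document.getElementById("result").textContent = "PASS: innerHTML replacement around <details> did not crash";
</script>
</body>
</html>
```

As a layout test the expected output is the two text lines of the page; if the renderer crashes during either innerHTML assignment the "PASS" line is never written, which is what makes the file a usable regression check for this class of render-tree teardown bug.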
Abhishek Arya
Comment 2 2011-03-22 09:10:21 PDT
This introduced multiple security regressions including this one and another one in accessibility code. See testcase in http://trac.webkit.org/changeset/81648 in Chrome.

Luiz, can you please take a look.
Luiz Agostini
Comment 3 2011-03-22 09:21:46 PDT
(In reply to comment #2)
> This introduced multiple security regressions including this one and another one in accessibility code. See testcase in http://trac.webkit.org/changeset/81648 in Chrome.
>
> Luiz, can you please take a look.

Looking.
Alexey Proskuryakov
Comment 4 2011-03-22 10:25:12 PDT
Luiz Agostini
Comment 5 2011-03-22 10:52:18 PDT
Luiz Agostini
Comment 6 2011-03-22 11:28:18 PDT
Created attachment 86485 [details]
patch

bad spelling in changelog.
James Robinson
Comment 7 2011-03-22 11:39:44 PDT
Comment on attachment 86485 [details]
patch

This needs at least one test
Luiz Agostini
Comment 8 2011-03-22 13:48:43 PDT
Dave Hyatt
Comment 9 2011-03-23 12:01:38 PDT
Comment on attachment 86499 [details]
patch

r=me
WebKit Commit Bot
Comment 10 2011-03-23 15:04:31 PDT
Comment on attachment 86499 [details]
patch

Clearing flags on attachment: 86499

Committed r81812: <http://trac.webkit.org/changeset/81812>
WebKit Commit Bot
Comment 11 2011-03-23 15:04:36 PDT
All reviewed patches have been landed. Closing bug.