Bug 61774

Summary: ASSERT in WebCore::HTMLToken::appendToAttributeName when visiting www.nba.com
Product: WebKit Reporter: Sergio Villar Senin <svillar>
Component: DOMAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Critical CC: abarth, ap, eric, etring, naiem.shaik, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://www.nba.com
Attachments:
Description Flags
Patch
none
Patch for landing none

Sergio Villar Senin
Reported 2011-05-31 02:14:48 PDT
ASSERTION FAILED: m_currentAttribute->m_nameRange.m_start ../../Source/WebCore/html/parser/HTMLToken.h(211) : void WebCore::HTMLToken::appendToAttributeName(UChar) Program received signal SIGSEGV, Segmentation fault. 0x00007ffff3b56561 in WebCore::HTMLToken::appendToAttributeName (this=0x18de740, character=60) at ../../Source/WebCore/html/parser/HTMLToken.h:211 211 ASSERT(m_currentAttribute->m_nameRange.m_start); (gdb) bt #0 0x00007ffff3b56561 in WebCore::HTMLToken::appendToAttributeName (this=0x18de740, character=60) at ../../Source/WebCore/html/parser/HTMLToken.h:211 #1 0x00007ffff3b501e5 in WebCore::HTMLTokenizer::nextToken (this=0x18e18a0, source=..., token=...) at ../../Source/WebCore/html/parser/HTMLTokenizer.cpp:898 #2 0x00007ffff3b3d372 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x18de690, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:265 #3 0x00007ffff3b3ce1c in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x18de690, mode= WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:175 #4 0x00007ffff3b3de87 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x18de690) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:479 #5 0x00007ffff3b3e199 in WebCore::HTMLDocumentParser::notifyFinished (this=0x18de690, cachedResource=0x1de9a90) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:524 #6 0x00007ffff3c3d296 in WebCore::CachedResource::checkNotify (this=0x1de9a90) at ../../Source/WebCore/loader/cache/CachedResource.cpp:151 #7 0x00007ffff3c4fbed in WebCore::CachedScript::data (this=0x1de9a90, data=..., allDataReceived=true) at ../../Source/WebCore/loader/cache/CachedScript.cpp:104 #8 0x00007ffff3c4e835 in WebCore::CachedResourceRequest::didFinishLoading (this=0x1de9620, loader=0x1dec080) at ../../Source/WebCore/loader/cache/CachedResourceRequest.cpp:164 #9 0x00007ffff3cb3fc0 in WebCore::SubresourceLoader::didFinishLoading (this=0x1dec080, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:197 #10 0x00007ffff3cab23f in WebCore::ResourceLoader::didFinishLoading (this=0x1dec080, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:449 #11 0x00007ffff41e224a in WebCore::readCallback (source=0x1651900, asyncResult=0x7fffd80121e0, data=0x0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:792 #12 0x00007ffff08b2b3f in async_ready_callback_wrapper (source_object=0x1651900, res=0x7fffd80121e0, user_data=0x0) at ginputstream.c:470 #13 0x00007ffff08c7d75 in g_simple_async_result_complete (simple=0x7fffd80121e0) at gsimpleasyncresult.c:747 #14 0x00007ffff7f94e80 in read_async_done (stream=0x1651900) at soup-http-input-stream.c:723 #15 0x00007ffff7f93fe3 in soup_http_input_stream_finished (msg=0x16171c0, stream=0x1651900) at soup-http-input-stream.c:310 ---Type <return> to continue, or q <return> to quit--- #16 0x00007fffefb2c03b in g_cclosure_marshal_VOID__VOID (closure=0x1dee100, return_value=0x0, n_param_values=1, param_values=0x13ea540, invocation_hint=0x7fffffffc2d0, marshal_data=0x0) at gmarshal.c:79 #17 0x00007fffefb1216f in g_closure_invoke (closure=0x1dee100, return_value=0x0, n_param_values=1, param_values=0x13ea540, invocation_hint=0x7fffffffc2d0) at gclosure.c:767 #18 0x00007fffefb2b741 in signal_emit_unlocked_R (node=0x128e0f0, detail=0, instance=0x16171c0, emission_return=0x0, instance_and_params= 0x13ea540) at gsignal.c:3252 #19 0x00007fffefb2a686 in g_signal_emit_valist (instance=0x16171c0, signal_id=470, detail=0, var_args=0x7fffffffc560) at gsignal.c:2983 #20 0x00007fffefb2ac19 in g_signal_emit (instance=0x16171c0, signal_id=470, detail=0) at gsignal.c:3040 #21 0x00007ffff7f9834a in soup_message_finished (msg=0x16171c0) at soup-message.c:1086 #22 0x00007ffff7fad503 in process_queue_item (item=0x132c230, should_prune=0x7fffffffc6d4, loop=1) at soup-session-async.c:376 #23 0x00007ffff7fad6a4 in run_queue (sa=0x6daed0) at soup-session-async.c:418 #24 0x00007ffff7fad74b in idle_run_queue (sa=0x6daed0) at soup-session-async.c:441 #25 0x00007fffeeffd953 in g_idle_dispatch (source=0x14f7890, callback=0x7ffff7fad70d <idle_run_queue>, user_data=0x6daed0) at gmain.c:4545 #26 0x00007fffeeff9aec in g_main_dispatch (context=0x52d270) at gmain.c:2440 #27 0x00007fffeeffb07c in g_main_context_dispatch (context=0x52d270) at gmain.c:3013 #28 0x00007fffeeffb542 in g_main_context_iterate (context=0x52d270, block=1, dispatch=1, self=0x4f9880) at gmain.c:3091 #29 0x00007fffeeffbcd9 in g_main_loop_run (loop=0x5c0d80) at gmain.c:3299 #30 0x00007ffff2706755 in gtk_main () at gtkmain.c:1358 #31 0x00000000004348e1 in main (argc=1, argv=0x7fffffffdac8) at ephy-main.c:747
Attachments
Patch (3.96 KB, patch)
2011-06-20 02:51 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch for landing (4.01 KB, patch)
2011-06-20 10:08 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Naiem
Comment 1 2011-06-01 03:56:03 PDT
Hi, is anybody looking into this?
Alexey Proskuryakov
Comment 2 2011-06-19 22:41:28 PDT
Same as bug 62958?
Eric Seidel (no email)
Comment 3 2011-06-19 23:33:27 PDT
Is this a recent regression?
Adam Barth
Comment 4 2011-06-20 00:22:57 PDT
Does this crash in release builds, or is this just an ASSERT?
Adam Barth
Comment 5 2011-06-20 01:06:32 PDT
*** Bug 62958 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 6 2011-06-20 01:21:23 PDT
Bug 62958 has analysis in it: ------------------------- if there is a attribute in the end tag of script, like this: <script class="value"> ... </script class="value"> function appendToAttributeName in file HTMLToken.h assert when debug -------------------------
Adam Barth
Comment 7 2011-06-20 02:51:49 PDT
Created attachment 97770 [details] Patch
Alexey Proskuryakov
Comment 8 2011-06-20 09:07:25 PDT
Comment on attachment 97770 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=97770&action=review > LayoutTests/fast/parser/attributes-on-close-script.html:2 > +<script class="value"> Do we actually need the attribute on opening tag? It makes the test slightly confusing (does it matter that the opening tag has an attribute? does it need to be the same on opening and closing tags?) > LayoutTests/fast/parser/attributes-on-close-script.html:3 > +alert('PASS'); This is testing for an assertion failure, so test content or output should explain that ("PASS if no assertion failure occurred" would be sufficient).
Adam Barth
Comment 9 2011-06-20 10:03:46 PDT
(In reply to comment #8) > (From update of attachment 97770 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=97770&action=review > > > LayoutTests/fast/parser/attributes-on-close-script.html:2 > > +<script class="value"> > > Do we actually need the attribute on opening tag? It makes the test slightly confusing (does it matter that the opening tag has an attribute? does it need to be the same on opening and closing tags?) It's not needed. I'll remove it. > > LayoutTests/fast/parser/attributes-on-close-script.html:3 > > +alert('PASS'); > > This is testing for an assertion failure, so test content or output should explain that ("PASS if no assertion failure occurred" would be sufficient). Will do. Thanks!
Adam Barth
Comment 10 2011-06-20 10:08:44 PDT
Created attachment 97818 [details] Patch for landing
WebKit Review Bot
Comment 11 2011-06-20 10:51:53 PDT
Comment on attachment 97818 [details] Patch for landing Clearing flags on attachment: 97818 Committed r89258: <http://trac.webkit.org/changeset/89258>
WebKit Review Bot
Comment 12 2011-06-20 10:51:58 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.