Bug 61774

Summary: ASSERT in WebCore::HTMLToken::appendToAttributeName when visiting www.nba.com
Product: WebKit Reporter: Sergio Villar Senin <svillar>
Component: DOM    Assignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Critical CC: abarth, ap, eric, etring, naiem.shaik, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://www.nba.com
Attachments:
Description            Flags
Patch                  none
Patch for landing      none

Description Sergio Villar Senin 2011-05-31 02:14:48 PDT
ASSERTION FAILED: m_currentAttribute->m_nameRange.m_start
../../Source/WebCore/html/parser/HTMLToken.h(211) : void WebCore::HTMLToken::appendToAttributeName(UChar)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3b56561 in WebCore::HTMLToken::appendToAttributeName (this=0x18de740, character=60)
    at ../../Source/WebCore/html/parser/HTMLToken.h:211
211	        ASSERT(m_currentAttribute->m_nameRange.m_start);
(gdb) bt
#0  0x00007ffff3b56561 in WebCore::HTMLToken::appendToAttributeName (this=0x18de740, character=60)
    at ../../Source/WebCore/html/parser/HTMLToken.h:211
#1  0x00007ffff3b501e5 in WebCore::HTMLTokenizer::nextToken (this=0x18e18a0, source=..., token=...)
    at ../../Source/WebCore/html/parser/HTMLTokenizer.cpp:898
#2  0x00007ffff3b3d372 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x18de690, mode=WebCore::HTMLDocumentParser::AllowYield)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:265
#3  0x00007ffff3b3ce1c in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x18de690, mode=
    WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:175
#4  0x00007ffff3b3de87 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x18de690)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:479
#5  0x00007ffff3b3e199 in WebCore::HTMLDocumentParser::notifyFinished (this=0x18de690, cachedResource=0x1de9a90)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:524
#6  0x00007ffff3c3d296 in WebCore::CachedResource::checkNotify (this=0x1de9a90)
    at ../../Source/WebCore/loader/cache/CachedResource.cpp:151
#7  0x00007ffff3c4fbed in WebCore::CachedScript::data (this=0x1de9a90, data=..., allDataReceived=true)
    at ../../Source/WebCore/loader/cache/CachedScript.cpp:104
#8  0x00007ffff3c4e835 in WebCore::CachedResourceRequest::didFinishLoading (this=0x1de9620, loader=0x1dec080)
    at ../../Source/WebCore/loader/cache/CachedResourceRequest.cpp:164
#9  0x00007ffff3cb3fc0 in WebCore::SubresourceLoader::didFinishLoading (this=0x1dec080, finishTime=0)
    at ../../Source/WebCore/loader/SubresourceLoader.cpp:197
#10 0x00007ffff3cab23f in WebCore::ResourceLoader::didFinishLoading (this=0x1dec080, finishTime=0)
    at ../../Source/WebCore/loader/ResourceLoader.cpp:449
#11 0x00007ffff41e224a in WebCore::readCallback (source=0x1651900, asyncResult=0x7fffd80121e0, data=0x0)
    at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:792
#12 0x00007ffff08b2b3f in async_ready_callback_wrapper (source_object=0x1651900, res=0x7fffd80121e0, user_data=0x0) at ginputstream.c:470
#13 0x00007ffff08c7d75 in g_simple_async_result_complete (simple=0x7fffd80121e0) at gsimpleasyncresult.c:747
#14 0x00007ffff7f94e80 in read_async_done (stream=0x1651900) at soup-http-input-stream.c:723
#15 0x00007ffff7f93fe3 in soup_http_input_stream_finished (msg=0x16171c0, stream=0x1651900) at soup-http-input-stream.c:310
#16 0x00007fffefb2c03b in g_cclosure_marshal_VOID__VOID (closure=0x1dee100, return_value=0x0, n_param_values=1, param_values=0x13ea540, 
    invocation_hint=0x7fffffffc2d0, marshal_data=0x0) at gmarshal.c:79
#17 0x00007fffefb1216f in g_closure_invoke (closure=0x1dee100, return_value=0x0, n_param_values=1, param_values=0x13ea540, 
    invocation_hint=0x7fffffffc2d0) at gclosure.c:767
#18 0x00007fffefb2b741 in signal_emit_unlocked_R (node=0x128e0f0, detail=0, instance=0x16171c0, emission_return=0x0, instance_and_params=
    0x13ea540) at gsignal.c:3252
#19 0x00007fffefb2a686 in g_signal_emit_valist (instance=0x16171c0, signal_id=470, detail=0, var_args=0x7fffffffc560) at gsignal.c:2983
#20 0x00007fffefb2ac19 in g_signal_emit (instance=0x16171c0, signal_id=470, detail=0) at gsignal.c:3040
#21 0x00007ffff7f9834a in soup_message_finished (msg=0x16171c0) at soup-message.c:1086
#22 0x00007ffff7fad503 in process_queue_item (item=0x132c230, should_prune=0x7fffffffc6d4, loop=1) at soup-session-async.c:376
#23 0x00007ffff7fad6a4 in run_queue (sa=0x6daed0) at soup-session-async.c:418
#24 0x00007ffff7fad74b in idle_run_queue (sa=0x6daed0) at soup-session-async.c:441
#25 0x00007fffeeffd953 in g_idle_dispatch (source=0x14f7890, callback=0x7ffff7fad70d <idle_run_queue>, user_data=0x6daed0) at gmain.c:4545
#26 0x00007fffeeff9aec in g_main_dispatch (context=0x52d270) at gmain.c:2440
#27 0x00007fffeeffb07c in g_main_context_dispatch (context=0x52d270) at gmain.c:3013
#28 0x00007fffeeffb542 in g_main_context_iterate (context=0x52d270, block=1, dispatch=1, self=0x4f9880) at gmain.c:3091
#29 0x00007fffeeffbcd9 in g_main_loop_run (loop=0x5c0d80) at gmain.c:3299
#30 0x00007ffff2706755 in gtk_main () at gtkmain.c:1358
#31 0x00000000004348e1 in main (argc=1, argv=0x7fffffffdac8) at ephy-main.c:747
Comment 1 Naiem 2011-06-01 03:56:03 PDT
Hi, is anybody looking into this?
Comment 2 Alexey Proskuryakov 2011-06-19 22:41:28 PDT
Same as bug 62958?
Comment 3 Eric Seidel (no email) 2011-06-19 23:33:27 PDT
Is this a recent regression?
Comment 4 Adam Barth 2011-06-20 00:22:57 PDT
Does this crash in release builds, or is this just an ASSERT?
Comment 5 Adam Barth 2011-06-20 01:06:32 PDT
*** Bug 62958 has been marked as a duplicate of this bug. ***
Comment 6 Alexey Proskuryakov 2011-06-20 01:21:23 PDT
Bug 62958 has analysis in it:

-------------------------
if there is an attribute in the end tag of a script, like this:

<script class="value">
...
</script class="value">

the function appendToAttributeName in file HTMLToken.h asserts in debug builds
-------------------------
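To make the analysis above concrete, here is an added example (not WebKit's code) of a simplified model of the HTML5 tokenizer's script-data end-tag path, with the attribute name-range bookkeeping that the assertion in HTMLToken::appendToAttributeName guards. The class and function names are this example's own; the point is that the attribute name range must be opened before any character is appended to it, and that the tree-builder side then discards attributes on end tags.

```python
# Added example, not WebKit's code: a simplified model of the script-data
# end-tag path (end tag name -> before attribute name -> attribute name/value).
class EndTagToken:
    def __init__(self, name):
        self.name, self.attributes, self.current = name, [], None

    def add_new_attribute(self):
        self.current = {"name": "", "value": "", "name_start": None}
        self.attributes.append(self.current)

    def begin_attribute_name(self, offset):
        self.current["name_start"] = offset

    def append_to_attribute_name(self, ch):
        # Same invariant as ASSERT(m_currentAttribute->m_nameRange.m_start):
        # the name range must be opened before any character is appended.
        if self.current is None or self.current["name_start"] is None:
            raise AssertionError("attribute name range not begun")
        self.current["name"] += ch

def tokenize_script_end_tag(src, open_tag_name="script"):
    """Tokenize '</name ...>' seen in script data. Returns the end-tag token
    if it is an appropriate end tag (matches the open tag), else None (the
    text stays script data). Only quoted attribute values are modelled."""
    i, buffered = 2, ""
    while i < len(src) and src[i].isalpha():     # script data end tag name state
        buffered += src[i].lower(); i += 1
    if buffered != open_tag_name:
        return None
    token = EndTagToken(buffered)                 # flush the buffered end tag name
    while i < len(src) and src[i] != ">":
        if src[i] in " \t\n\f":                   # before attribute name state
            i += 1; continue
        token.add_new_attribute()
        token.begin_attribute_name(i)             # open the range, then append
        while i < len(src) and src[i] not in "= \t\n\f>":
            token.append_to_attribute_name(src[i]); i += 1
        if i < len(src) and src[i] == "=":        # attribute value (quoted) state
            quote, end = src[i + 1], src.index(src[i + 1], i + 2)
            token.current["value"] = src[i + 2:end]; i = end + 1
    return token

def end_tag_attributes_ignored(token):
    """Tree-builder side: an end tag with attributes is a parse error and the
    attributes are dropped. Returns the names that were discarded."""
    dropped = [a["name"] for a in token.attributes]
    token.attributes = []
    return dropped

def append_without_begun_range_fails():
    """Reproduces the checked condition: appending before the range is begun."""
    t = EndTagToken("script"); t.add_new_attribute()
    try:
        t.append_to_attribute_name("c")
    except AssertionError:
        return True
    return False
```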
Comment 7 Adam Barth 2011-06-20 02:51:49 PDT
Created attachment 97770 [details]
Patch
Comment 8 Alexey Proskuryakov 2011-06-20 09:07:25 PDT
Comment on attachment 97770 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=97770&action=review

> LayoutTests/fast/parser/attributes-on-close-script.html:2
> +<script class="value">

Do we actually need the attribute on opening tag? It makes the test slightly confusing (does it matter that the opening tag has an attribute? does it need to be the same on opening and closing tags?)

> LayoutTests/fast/parser/attributes-on-close-script.html:3
> +alert('PASS');

This is testing for an assertion failure, so test content or output should explain that ("PASS if no assertion failure occurred" would be sufficient).
Comment 9 Adam Barth 2011-06-20 10:03:46 PDT
(In reply to comment #8)
> (From update of attachment 97770 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=97770&action=review
> 
> > LayoutTests/fast/parser/attributes-on-close-script.html:2
> > +<script class="value">
> 
> Do we actually need the attribute on opening tag? It makes the test slightly confusing (does it matter that the opening tag has an attribute? does it need to be the same on opening and closing tags?)

It's not needed.  I'll remove it.

> > LayoutTests/fast/parser/attributes-on-close-script.html:3
> > +alert('PASS');
> 
> This is testing for an assertion failure, so test content or output should explain that ("PASS if no assertion failure occurred" would be sufficient).

Will do.

Thanks!
Comment 10 Adam Barth 2011-06-20 10:08:44 PDT
Created attachment 97818 [details]
Patch for landing
Comment 11 WebKit Review Bot 2011-06-20 10:51:53 PDT
Comment on attachment 97818 [details]
Patch for landing

Clearing flags on attachment: 97818

Committed r89258: <http://trac.webkit.org/changeset/89258>
Comment 12 WebKit Review Bot 2011-06-20 10:51:58 PDT
All reviewed patches have been landed.  Closing bug.