Bug 7137

Summary: Crash if <table> is removed from DOM while being parsed if it contains bogus content
Product: WebKit    Reporter: Ian 'Hixie' Hickson <ian>
Component: Tables    Assignee: Eric Seidel (no email) <eric>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P1    
Version: 420+   
Hardware: PC   
OS: Linux   
URL: http://www.hixie.ch/tests/adhoc/html/parsing/error-handling/034.html
Attachments:
   Description: Fixes crash    Flags: mjs: review+

Description Ian 'Hixie' Hickson 2006-02-07 13:48:38 PST
STEPS TO REPRODUCE
   1. <table>
   2. Remove the table from the DOM.
   3. <div>
     (bogus element in this context, parser tries to move it outside the table)

ACTUAL RESULTS
   Crash.

EXPECTED RESULTS
   Content should be placed where the table used to be in the DOM. I'm not yet 
   sure exactly what this means if other content is moved around in the DOM. I 
   think if the <table> is no longer inside its original parent, then it should
   just append the bogus content to the parent.
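The three steps above, written out as a self-contained test page (an added example, not the test case at the URL in the header and not WebKit's own code; the element ids, the container div and the reporting script at the end are assumptions). The first script runs while the parser is still inside the open <table>, detaches it, and the following <div> is the bogus-in-table content the parser then has to relocate. The second script reports where that <div> ended up, so the result can be compared against the placement described under EXPECTED RESULTS.

```html
<!DOCTYPE html>
<!-- Added reproduction harness for bug 7137; not the original hixie.ch test.
     The ids "container", "t", "bogus" and the reporting script are assumptions. -->
<html>
<head><title>Remove table from DOM while it is being parsed</title></head>
<body>
<div id="container">
<table id="t">
<script>
  // Step 2: this runs while the parser is still inside <table>.
  // Detaching the table here is what leaves the parser holding a node
  // whose parentNode() is null when it later tries to relocate content.
  var t = document.getElementById("t");
  t.parentNode.removeChild(t);
</script>
<!-- Step 3: a <div> is not allowed directly inside <table>, so the parser
     tries to move it outside the (now detached) table. -->
<div id="bogus">bogus content</div>
</table>
</div>
<script>
  // Report where the relocated <div> ended up (or that it was dropped).
  var bogus = document.getElementById("bogus");
  var out = document.createElement("pre");
  out.textContent = bogus
    ? "bogus div parent: " + bogus.parentNode.nodeName +
      (bogus.parentNode.id ? " id=" + bogus.parentNode.id : "")
    : "bogus div is not in the document";
  document.body.appendChild(out);
</script>
</body>
</html>
```

Loading this page in a current browser does not crash; the HTML parsing spec's foster-parenting rule now covers this case explicitly (when the table has no parent, the foster parent is the element immediately above the table in the stack of open elements, here the container div), which matches the fallback the reporter proposes above.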
Comment 1 Alexey Proskuryakov 2006-04-24 21:31:26 PDT
Reproducible crash -> P1.

Thread 0 Crashed:
0   com.apple.WebCore        	0x01b4c778 WebCore::TreeShared<WebCore::Node>::parent() const + 20 (Shared.h:57)
1   com.apple.WebCore        	0x01b4c7b0 WebCore::Node::parentNode() const + 36 (Node.h:89)
2   com.apple.WebCore        	0x017a9a20 WebCore::HTMLParser::handleError(WebCore::Node*, bool, WebCore::AtomicString const&, int) + 6404 (HTMLParser.cpp:490)
3   com.apple.WebCore        	0x017aa760 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 912 (HTMLParser.cpp:281)
4   com.apple.WebCore        	0x017ac178 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1388 (HTMLParser.cpp:208)
5   com.apple.WebCore        	0x017b006c WebCore::HTMLTokenizer::processToken() + 564 (HTMLTokenizer.cpp:1628)
6   com.apple.WebCore        	0x017b37c0 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7376 (HTMLTokenizer.cpp:1206)
7   com.apple.WebCore        	0x017b43ec WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1744 (HTMLTokenizer.cpp:1432)
8   com.apple.WebCore        	0x018a1728 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:654)
Comment 2 Eric Seidel (no email) 2006-04-25 01:44:09 PDT
Thanks for the bug. I chose not to make it match your test case for now (since both Firefox and IE fail your test), but I did fix the crash.
Comment 3 Eric Seidel (no email) 2006-04-25 01:44:39 PDT
Created attachment 7953
Fixes crash
Comment 4 Maciej Stachowiak 2006-04-25 01:46:06 PDT
Comment on attachment 7953
Fixes crash

r=me