Bug 7137

Summary: Crash if <table> is removed from DOM while being parsed if it contains bogus content
Product: WebKit Reporter: Ian 'Hixie' Hickson <ian>
Component: TablesAssignee: Eric Seidel (no email) <eric>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P1    
Version: 420+   
Hardware: PC   
OS: Linux   
URL: http://www.hixie.ch/tests/adhoc/html/parsing/error-handling/034.html
Attachments:
Description Flags
Fixes crash mjs: review+

Ian 'Hixie' Hickson
Reported 2006-02-07 13:48:38 PST
STEPS TO REPRODUCE 1. <table> 2. Remove the table from the DOM. 3. <div> (bogus element in this context, parser tries to move it outside the table) ACTUAL RESULTS Crash. EXPECTED RESULTS Content should be placed where the table used to be in the DOM. I'm not yet sure exactly what this means if other content is moved around in the DOM. I think if the <table> is no longer inside its original parent, then it should just append the bogus content to the parent.
Attachments
Fixes crash (3.47 KB, patch)
2006-04-25 01:44 PDT, Eric Seidel (no email) 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2006-04-24 21:31:26 PDT
Reproducible crash -> P1. Thread 0 Crashed: 0 com.apple.WebCore 0x01b4c778 WebCore::TreeShared<WebCore::Node>::parent() const + 20 (Shared.h:57) 1 com.apple.WebCore 0x01b4c7b0 WebCore::Node::parentNode() const + 36 (Node.h:89) 2 com.apple.WebCore 0x017a9a20 WebCore::HTMLParser::handleError(WebCore::Node*, bool, WebCore::AtomicString const&, int) + 6404 (HTMLParser.cpp:490) 3 com.apple.WebCore 0x017aa760 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 912 (HTMLParser.cpp:281) 4 com.apple.WebCore 0x017ac178 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1388 (HTMLParser.cpp:208) 5 com.apple.WebCore 0x017b006c WebCore::HTMLTokenizer::processToken() + 564 (HTMLTokenizer.cpp:1628) 6 com.apple.WebCore 0x017b37c0 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7376 (HTMLTokenizer.cpp:1206) 7 com.apple.WebCore 0x017b43ec WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1744 (HTMLTokenizer.cpp:1432) 8 com.apple.WebCore 0x018a1728 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:654)
Eric Seidel (no email)
Comment 2 2006-04-25 01:44:09 PDT
Thanks for the bug. I chose not to make it match your test case for now (since both FireFox and IE fail your test), but I did fix the crash.
Eric Seidel (no email)
Comment 3 2006-04-25 01:44:39 PDT
Created attachment 7953 [details] Fixes crash
Maciej Stachowiak
Comment 4 2006-04-25 01:46:06 PDT
Comment on attachment 7953 [details] Fixes crash r=me
Note You need to log in before you can comment on or make changes to this bug.