Bug 8440

Summary: iExploder(#3327): Crash in StringImpl::initWithQChar()
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: DOM
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Normal
CC: thomas+opendarwin
Priority: P1
Keywords: Regression
Version: 420+
Hardware: Mac
OS: OS X 10.4
Attachments (Description / Flags):
  test case       Flags: none
  proposed fix    Flags: darin: review+

Description Alexey Proskuryakov 2006-04-17 10:01:19 PDT
run-iexploder-tests 3327 (or just open the attached test case).

Thread 0 Crashed:
0   <<00000000>> 	0xffff8cc8 __memcpy + 1320 (cpu_capabilities.h:189)
1   com.apple.WebCore        	0x019faf38 WebCore::StringImpl::initWithQChar(QChar const*, unsigned) + 168 (StringImpl.cpp:108)
2   com.apple.WebCore        	0x019faf94 WebCore::StringImpl::StringImpl[in-charge](QChar const*, unsigned) + 72 (StringImpl.cpp:67)
3   com.apple.WebCore        	0x01b7bca8 WebCore::StringImpl::copy() const + 72 (StringImpl.h:75)
4   com.apple.WebCore        	0x019f8f40 WebCore::String::copy() const + 96 (String.cpp:306)
5   com.apple.WebCore        	0x01780f60 WebCore::HTMLMapElement::parseMappedAttribute(WebCore::MappedAttribute*) + 372 (html_imageimpl.cpp:492)
6   com.apple.WebCore        	0x01a9aab8 WebCore::StyledElement::attributeChanged(WebCore::Attribute*, bool) + 772 (StyledElement.cpp:179)
7   com.apple.WebCore        	0x01aa8254 WebCore::Element::setAttributeMap(WebCore::NamedAttrMap*) + 756 (Element.cpp:363)
8   com.apple.WebCore        	0x0179bd88 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1236 (HTMLParser.cpp:200)
9   com.apple.WebCore        	0x0179fd14 WebCore::HTMLTokenizer::processToken() + 564 (HTMLTokenizer.cpp:1628)
10  com.apple.WebCore        	0x017a3468 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7376 (HTMLTokenizer.cpp:1206)
11  com.apple.WebCore        	0x017a4094 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1744 (HTMLTokenizer.cpp:1432)
12  com.apple.WebCore        	0x01890d74 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:654)
13  com.apple.WebCore        	0x01883e64 WebCore::Frame::addData(char const*, int) + 340 (Frame.cpp:2599)
14  com.apple.WebCore        	0x018c7c20 -[WebCoreFrameBridge addData:] + 224 (WebCoreFrameBridge.mm:547)
15  com.apple.WebKit         	0x00335008 -[WebFrameBridge receivedData:textEncodingName:] + 236 (WebFrameBridge.m:458)
16  com.apple.WebKit         	0x0036da8c -[WebHTMLRepresentation receivedData:withDataSource:] + 248 (WebHTMLRepresentation.m:122)

Comment 1 Alexey Proskuryakov 2006-04-17 10:01:55 PDT
Created attachment 7767 [details]
test case

Comment 2 Alexey Proskuryakov 2006-04-17 12:04:27 PDT
Created attachment 7772 [details]
proposed fix

Comment 3 Darin Adler 2006-04-17 13:13:05 PDT
Comment on attachment 7772 [details]
proposed fix

Instead of static_cast<const String&>(m_name) it should be m_name.domString(), otherwise this is fine.

r=me (even without that fix)

Comment 4 Alexey Proskuryakov 2006-04-17 21:50:57 PDT
(In reply to comment #3)
> Instead of static_cast<const String&>(m_name) it should be m_name.domString(),

Corrected (somehow, domString() looked deprecated to me :) ).

Comment 5 Alexey Proskuryakov 2006-04-18 21:57:00 PDT
*** Bug 8470 has been marked as a duplicate of this bug. ***