Bug 9317

Summary: REGRESSION: crash in HTML tokenizer at Japanese Apple support page
Product: WebKit Reporter: Rachael Worthington (cheers) <rachael>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, len, mitz
Priority: P1 Keywords: InRadar, NeedsReduction, Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://apple.com/jp/support/
Attachments:
Description Flags
greatly reduced test case
none
Patch for the crashing half
mjs: review-
Patch for the crashing half, now with changelog and test darin: review+

Rachael Worthington (cheers)
Reported 2006-06-05 11:53:44 PDT
loading the above URL crashes the nightly immediately. following crash report is from identical crash in OmniWeb on same site, based on WebKit rev 13295 Thread 0 Crashed: srr0: 0x34591f0c srr1: 0x0200f930 cr: 0x84024222 xer: 0x20000000 lr: 0x34591f0c ctr: 0x91437800 r0: 0x34591f0c r8: 0x91437808 r16: 0x00000000 r24: 0x0125e930 r1: 0xbfffdcd0 r9: 0x00000000 r17: 0xbfffeb90 r25: 0x0125e800 r2: 0x84024222 r10: 0xf1cb61f0 r18: 0x00006edb r26: 0x00000001 r3: 0x00000000 r11: 0x84024222 r19: 0x011876e0 r27: 0xbfffdd7c r4: 0x00000000 r12: 0x00000000 r20: 0x1d1d547f r28: 0x00000000 r5: 0xbfffdd7c r13: 0x00000000 r21: 0xc621f615 r29: 0x347d262c r6: 0x00000001 r14: 0x00000001 r22: 0x00000001 r30: 0x17ee6968 r7: 0x44847d19 r15: 0x00000000 r23: 0xbfffde4c r31: 0x34496f94 0 -- 0x34591f0c -- __ZN7WebCore8NodeImpl13dispatchEventEN8KXMLCore10PassRefPtrINS_9EventImplEEERib 1 -- 0x34591f0c -- __ZN7WebCore8NodeImpl13dispatchEventEN8KXMLCore10PassRefPtrINS_9EventImplEEERib 2 -- 0x345922a0 -- __ZN7WebCore8NodeImpl17dispatchHTMLEventERKNS_12AtomicStringEbb 3 -- 0x34497160 -- __ZN7WebCore13HTMLTokenizer14notifyFinishedEPNS_12CachedObjectE 4 -- 0x345a8528 -- __ZN7WebCore12CachedScript11checkNotifyEv 5 -- 0x345a867c -- __ZN7WebCore12CachedScript4dataERNS_5ArrayIcEEb 6 -- 0x345aae8c -- __ZN7WebCore6Loader15receivedAllDataEPNS_11TransferJobEP6NSData 7 -- 0x344b6c94 -- -[KWQResourceLoader finishJobAndHandle:] 8 -- 0x005dfb60 -- -[WebSubresourceLoader didFinishLoading] 9 -- 0x005e7abc -- -[WebLoader connectionDidFinishLoading:] 10 -- 0x929a884c -- -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] 11 -- 0x929a6ab8 -- -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] 12 -- 0x929a6810 -- __sendCallbacks 13 -- 0x907e44cc -- ___CFRunLoopDoSources0 14 -- 0x907e39fc -- ___CFRunLoopRun 15 -- 0x907e347c -- _CFRunLoopRunSpecific 16 -- 0x9321d980 -- _RunCurrentEventLoopInMode 17 -- 0x9321d014 -- _ReceiveNextEventCommon 18 -- 0x9321ce80 -- _BlockUntilNextEventMatchingListInMode 19 -- 0x9371fe84 -- __DPSNextEvent 20 -- 0x9371fb48 -- -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 21 -- 0x9371c08c -- -[NSApplication run] 22 -- 0x003cac54 -- -[OAApplication run] 23 -- 0x9380cbfc -- _NSApplicationMain 24 -- 0x00029d0c -- _main 25 -- 0x0002a5a4 -- __start 26 -- 0x00002a0c -- start
Attachments
greatly reduced test case (64 bytes, text/html)
2006-06-07 09:44 PDT, Darin Adler 		no flags
Details
Patch for the crashing half (4.07 KB, patch)
2006-06-26 11:41 PDT, mitz 		mjs: review-
DetailsFormatted DiffDiff
Patch for the crashing half, now with changelog and test (8.32 KB, patch)
2006-06-27 07:30 PDT, mitz 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Maciej Stachowiak
Comment 1 2006-06-05 11:56:25 PDT
This is a regression relative to the last released Safari. Marking as such and upgrading to P1.
Alexey Proskuryakov
Comment 2 2006-06-05 12:20:31 PDT
Debug build gets an assertion failure: ASSERTION FAILED: !scriptNode (/Users/ap/WebKit/WebCore/html/HTMLTokenizer.cpp:1166 WebCore::HTMLTokenizer::State WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State))
Alice Liu
Comment 3 2006-06-06 10:49:32 PDT
<rdar://problem/4575381>
Darin Adler
Comment 4 2006-06-07 09:43:01 PDT
There seem to be two halves to this crash. Half the problem is a crash with script nesting. I've created a much-reduced test case that demonstrates this. The other half of the problem seems to be a yen character mixup, where a \ is being used to escape the / in </script> -- the \ looks like a yen character and I think it might not be working properly. The reduced test case does not address that. Once the crash is fixed we need to look at the page again and make sure the JavaScript is being loaded properly.
Darin Adler
Comment 5 2006-06-07 09:44:15 PDT
Created attachment 8749 [details] greatly reduced test case
mitz
Comment 6 2006-06-25 22:33:38 PDT
(In reply to comment #4) > There seem to be two halves to this crash. > > Half the problem is a crash with script nesting. I've created a much-reduced > test case that demonstrates this.  That would be bug 9554. Not closing this as a duplicate, but it's the second half that needs to be reduced.
mitz
Comment 7 2006-06-25 22:35:27 PDT
*** Bug 9554 has been marked as a duplicate of this bug. ***
mitz
Comment 8 2006-06-26 11:41:06 PDT
Created attachment 9050 [details] Patch for the crashing half This fixes the crash and behaves correctly with the test case from bug 9554. It also passes all the layout tests. I haven't done much testing beyond that (in particular, with external scripts, cached and uncached).
Maciej Stachowiak
Comment 9 2006-06-27 01:10:18 PDT
Comment on attachment 9050 [details] Patch for the crashing half looks good, please add test case and changelog
mitz
Comment 10 2006-06-27 07:30:58 PDT
Created attachment 9061 [details] Patch for the crashing half, now with changelog and test
Darin Adler
Comment 11 2006-06-27 09:31:51 PDT
Comment on attachment 9061 [details] Patch for the crashing half, now with changelog and test r=me
Darin Adler
Comment 12 2006-06-27 20:27:27 PDT
Committed revision 15075.
Note You need to log in before you can comment on or make changes to this bug.