RESOLVED FIXED 113016
HTMLStackItem should include <template> as a special tag
https://bugs.webkit.org/show_bug.cgi?id=113016
Takashi Sakamoto
Reported 2013-03-22 01:00:39 PDT
Timestamp: 2013-03-14 03:00:22
Fuzzer: Dstockwell-css-fuzzer
Job Type: Linux_asan_drt
Crash type: UNKNOWN
Crash address: 0x000000000000
Crash state:
  - crash stack -
  WebCore::HTMLStackItem::HTMLStackItem
  WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately
  WebCore::HTMLTreeBuilder::processTemplateEndTag
Redzone: 32 bytes
https://cluster-fuzz.appspot.com/testcase?key=171557060
Attachments
repro.html (46 bytes, text/html)
2013-03-22 01:02 PDT, Takashi Sakamoto
no flags
Patch (2.54 KB, patch)
2013-03-22 09:46 PDT, Rafael Weinstein
no flags
Takashi Sakamoto
Comment 1 2013-03-22 01:02:08 PDT
Created attachment 194463 [details] repro.html
Takashi Sakamoto
Comment 2 2013-03-22 01:04:47 PDT
I guess the crash reason would be that HTMLTreeBuilder::processAnyOtherEndTagForInBody checks items out of <template>.
Takashi Sakamoto
Comment 3 2013-03-22 01:09:59 PDT
When token type is end and token name is dummy (cf. repro.html),
processAnyOtherEndTagForInBody(dummy), mode(7)
  HTMLStackItem(span)
  HTMLStackItem(template)
  HTMLStackItem(dummy) <---- this dummy will be removed, but this is not a child of <template>.
Rafael Weinstein
Comment 4 2013-03-22 09:45:25 PDT
This is an oversight in the implementation of template element. Note the spec instructs that <template> should be considered a "special" tag: https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html#parsing
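The stack walk discussed in Comments 2 to 4, as an added example that is not part of the original thread and is not WebKit's HTMLTreeBuilder code. It models the "any other end tag" steps for the "in body" insertion mode (implied end tags omitted); the function names, the abbreviated special-tag set and the stack contents are assumptions constructed to mirror Comment 3.

```cpp
#include <set>
#include <string>
#include <vector>

// Added illustration: a simplified model, not WebKit's HTMLTreeBuilder.
using Stack = std::vector<std::string>;  // back() is the current node

// Abbreviated, constructed subset of the HTML "special" category.
static std::set<std::string> specialTags(bool includeTemplate) {
    std::set<std::string> tags = {"html", "body", "div", "p", "table", "td"};
    if (includeTemplate)
        tags.insert("template");
    return tags;
}

// "Any other end tag" in body: walk from the current node towards the root.
// Pop through the first element whose name matches; if a special element is
// reached first, the end tag is a parse error and is ignored.
// Returns true if elements were popped, false if the token was ignored.
static bool processAnyOtherEndTag(Stack& open, const std::string& name,
                                  const std::set<std::string>& special) {
    for (size_t i = open.size(); i-- > 0;) {
        if (open[i] == name) {
            open.resize(i);  // pops the match and everything above it
            return true;
        }
        if (special.count(open[i]))
            return false;  // special element acts as a boundary
    }
    return false;
}

// Constructed stack: <dummy> was opened outside <template>, <span> inside it.
static Stack sampleStack() { return {"html", "body", "dummy", "template", "span"}; }

// Stack of open elements after </dummy> is seen while inside the template.
static Stack afterEndTag(bool templateIsSpecial) {
    Stack open = sampleStack();
    processAnyOtherEndTag(open, "dummy", specialTags(templateIsSpecial));
    return open;
}

int main() {
    Stack unfixed = afterEndTag(false);  // <template> and the outer <dummy> are popped
    Stack fixed = afterEndTag(true);     // walk stops at <template>; stack unchanged
    return (unfixed.size() == 2 && fixed.size() == 5) ? 0 : 1;
}
```

With `<template>` missing from the special set, the walk crosses the template boundary and pops the template element itself along with the outer `<dummy>`, so later template end-tag handling runs against a stack that no longer contains the template.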
Rafael Weinstein
Comment 5 2013-03-22 09:46:46 PDT
Rafael Weinstein
Comment 6 2013-03-24 15:49:16 PDT
ping.
Eric Seidel (no email)
Comment 7 2013-03-26 10:21:11 PDT
Comment on attachment 194575 [details] Patch
Thanks.
WebKit Review Bot
Comment 8 2013-03-26 10:26:33 PDT
Comment on attachment 194575 [details] Patch
Clearing flags on attachment: 194575
Committed r146904: <http://trac.webkit.org/changeset/146904>
WebKit Review Bot
Comment 9 2013-03-26 10:26:36 PDT
All reviewed patches have been landed. Closing bug.