Timestamp: 2013-03-14 03:00:22
Fuzzer: Dstockwell-css-fuzzer
Job Type: Linux_asan_drt
Crash type: UNKNOWN
Crash address: 0x000000000000
Crash state:
  - crash stack -
  WebCore::HTMLStackItem::HTMLStackItem
  WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately
  WebCore::HTMLTreeBuilder::processTemplateEndTag
Redzone: 32 bytes
https://cluster-fuzz.appspot.com/testcase?key=171557060
Created attachment 194463 [details] repro.html
I guess the crash reason would be that HTMLTreeBuilder::processAnyOtherEndTagForInBody checks items outside of <template>.
When the token type is end and the token name is dummy (c.f. repro.html), processAnyOtherEndTagForInBody(dummy), mode(7):
  HTMLStackItem(span)
  HTMLStackItem(template)
  HTMLStackItem(dummy) <---- this dummy will be removed, but this is not a child of <template>.
This is an oversight in the implementation of template element. Note the spec instructs that <template> should be considered a "special" tag: https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html#parsing
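To make the analysis in the comments above concrete, the following is an added simulation (not WebKit code and not the attached patch) of the HTML spec's "any other end tag" step of the "in body" insertion mode, which walks the stack of open elements from the current node downwards. The stack layout and the `dummy` tag name are taken from the comment above; the `SPECIAL` set is a constructed subset of the spec's "special" category, and the `template_is_special` flag stands in for the fix the comment describes (treating <template> as special so the walk stops at the template boundary instead of popping the template and its ancestors).

```python
# Added simulation of the HTML spec's "any other end tag in body" stack walk.
# Not WebKit code; the SPECIAL set below is a constructed subset of the
# spec's "special" category, sufficient for the stacks used here.
SPECIAL = {
    "address", "article", "aside", "blockquote", "body", "button", "caption",
    "center", "col", "colgroup", "dd", "details", "div", "dl", "dt", "fieldset",
    "figure", "footer", "form", "frameset", "h1", "h2", "h3", "h4", "h5", "h6",
    "head", "header", "hr", "html", "iframe", "img", "input", "li", "link",
    "main", "nav", "noscript", "object", "ol", "p", "pre", "script", "section",
    "select", "style", "table", "tbody", "td", "textarea", "tfoot", "th",
    "thead", "title", "tr", "ul",
}


def any_other_end_tag(stack, tag, template_is_special):
    """Process an end tag `tag` that has no dedicated handler in "in body".

    stack: bottom-to-top list of tag names (stack[-1] is the current node).
    Returns (new_stack, popped_top_first, parse_error).
    """
    special = SPECIAL | ({"template"} if template_is_special else set())
    for i in range(len(stack) - 1, -1, -1):
        node = stack[i]
        if node == tag:
            # Spec: generate implied end tags (except for `tag`), then pop
            # elements until `node` has been popped. Implied-end-tag handling
            # only affects parse-error reporting here, so it is folded into
            # the single pop below.
            popped = stack[i:][::-1]
            return stack[:i], popped, False
        if node in special:
            # Spec: parse error, ignore the token; the stack is untouched.
            return list(stack), [], True
    # Unreachable with a well-formed stack: "html" sits at the bottom and is special.
    return list(stack), [], True


def crosses_template(popped):
    """True when the walk popped an open <template>, i.e. it escaped the
    template's contents and touched the template's ancestors."""
    return "template" in popped


# Stack reconstructed from the comment above (bottom to top): the unknown
# "dummy" element is an ancestor of the open <template>, and the </dummy>
# end tag arrives while the parser is inside the template.
REPRO_STACK = ["html", "body", "dummy", "template", "span"]


def run():
    """Return the walk result without the fix and with the fix."""
    buggy = any_other_end_tag(REPRO_STACK, "dummy", template_is_special=False)
    fixed = any_other_end_tag(REPRO_STACK, "dummy", template_is_special=True)
    return buggy, fixed


if __name__ == "__main__":
    buggy, fixed = run()
    # Without the fix the walk pops span, template and dummy, so the
    # template leaves the stack through a path that never expected it.
    print("template not special:", buggy, "crossed:", crosses_template(buggy[1]))
    # With <template> special the walk stops at the template: parse error,
    # token ignored, stack intact.
    print("template special:    ", fixed, "crossed:", crosses_template(fixed[1]))
```

The flag only matters when the end tag matches an element outside the open template; an end tag for an element inside the template (for example `</span>` on the same stack) pops just that element either way, which is why the change is safe for ordinary template content.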
Created attachment 194575 [details] Patch
ping.
Comment on attachment 194575 [details] Patch Thanks.
Comment on attachment 194575 [details] Patch Clearing flags on attachment: 194575 Committed r146904: <http://trac.webkit.org/changeset/146904>
All reviewed patches have been landed. Closing bug.