113016 – HTMLStackItem should include <template> as a special tag

Bug 113016 - HTMLStackItem should include <template> as a special tag

Summary: HTMLStackItem should include <template> as a special tag

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P1 Normal
Assignee:	Rafael Weinstein

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-03-22 01:00 PDT by Takashi Sakamoto
Modified:	2013-03-26 10:26 PDT (History)
CC List:	8 users (show)

See Also:

Attachments
repro.html (46 bytes, text/html) 2013-03-22 01:02 PDT, Takashi Sakamoto	no flags	Details
Patch (2.54 KB, patch) 2013-03-22 09:46 PDT, Rafael Weinstein	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Takashi Sakamoto 2013-03-22 01:00:39 PDT

Timestamp	2013-03-14 03:00:22
Fuzzer	 Dstockwell-css-fuzzer
Job Type	Linux_asan_drt
Crash type	UNKNOWN
Crash address	0x000000000000
Crash state	- crash stack -
WebCore::HTMLStackItem::HTMLStackItem
WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately
WebCore::HTMLTreeBuilder::processTemplateEndTag
Redzone	 32 bytes

https://cluster-fuzz.appspot.com/testcase?key=171557060

Comment 1 Takashi Sakamoto 2013-03-22 01:02:08 PDT

Created attachment 194463 [details]
repro.html

Comment 2 Takashi Sakamoto 2013-03-22 01:04:47 PDT

I guess, the crash reason would be that HTMLTreeBuilder::processAnyOtherEndTagForInBody checks items out of <template>.

Comment 3 Takashi Sakamoto 2013-03-22 01:09:59 PDT

When token type is end and toke name is dummy (c.f. repro.html),

processAnyOtherEndTagForInBody(dummy), mode(7)
HTMLStackItem(span)
HTMLStackItem(template)
HTMLStackItem(dummy) <---- this dummy will be removed, but this is not a child of <template>.

Comment 4 Rafael Weinstein 2013-03-22 09:45:25 PDT

This is an oversight in the implementation of template element. Note the spec instructs that <template> should be considered a "special" tag:

https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html#parsing

Comment 5 Rafael Weinstein 2013-03-22 09:46:46 PDT

Created attachment 194575 [details]
Patch

Comment 6 Rafael Weinstein 2013-03-24 15:49:16 PDT

ping.

Comment 7 Eric Seidel (no email) 2013-03-26 10:21:11 PDT

Comment on attachment 194575 [details]
Patch

Thanks.

Comment 8 WebKit Review Bot 2013-03-26 10:26:33 PDT

Comment on attachment 194575 [details]
Patch

Clearing flags on attachment: 194575

Committed r146904: <http://trac.webkit.org/changeset/146904>

Comment 9 WebKit Review Bot 2013-03-26 10:26:36 PDT

All reviewed patches have been landed.  Closing bug.