RESOLVED FIXED 23956
Safari crashes when cloneNode fails (cloning a XML element with an invalid nodeName)
https://bugs.webkit.org/show_bug.cgi?id=23956
Eric Seidel (no email)
Reported 2009-02-13 14:20:00 PST
Safari crashes when cloneNode fails

In debug mode:
ASSERTION FAILED: !ec
(/Users/eseidel/Projects/WebKit/WebCore/dom/Element.cpp:93 virtual WTF::PassRefPtr<WebCore::Node> WebCore::Element::cloneNode(b
Release mode crashes.

Reported from: http://code.google.com/p/chromium/issues/detail?id=7104

What steps will reproduce the problem?
1. Visit http://www.moschorus.com/centre/MosPub/solo_fr/index.html
2. Click 'Product'/'Download' or one of the other 5 top menu links

Process: Safari [30638]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: 4.0 (5528.1)
Build Info: WebBrowser-55280100~3
Code Type: X86 (Native)
Parent Process: perl [30632]
Date/Time: 2009-02-13 14:16:49.640 -0800
OS Version: Mac OS X 10.5.6 (9G55)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Crashed Thread: 0

Thread 0 Crashed:
0 com.apple.WebCore 0x036f6754 WebCore::Element::cloneNode(bool) + 226 (Element.cpp:93)
1 com.apple.WebCore 0x035b35a2 WebCore::ContainerNode::cloneChildNodes(WebCore::ContainerNode*) + 144 (ContainerNode.cpp:637)
2 com.apple.WebCore 0x036f67f2 WebCore::Element::cloneNode(bool) + 384 (Element.cpp:104)
3 com.apple.WebCore 0x035b35a2 WebCore::ContainerNode::cloneChildNodes(WebCore::ContainerNode*) + 144 (ContainerNode.cpp:637)
4 com.apple.WebCore 0x036f67f2 WebCore::Element::cloneNode(bool) + 384 (Element.cpp:104)
5 com.apple.WebCore 0x035b35a2 WebCore::ContainerNode::cloneChildNodes(WebCore::ContainerNode*) + 144 (ContainerNode.cpp:637)
6 com.apple.WebCore 0x036f67f2 WebCore::Element::cloneNode(bool) + 384 (Element.cpp:104)
7 com.apple.WebCore 0x039494ef WebCore::jsNodePrototypeFunctionCloneNode(JSC::ExecState*, JSC::JSObject*, JSC::JSValuePtr, JSC::ArgList const&) + 197 (JSNode.cpp:1279)
8 com.apple.JavaScriptCore 0x005593ba JSC::Interpreter::cti_op_call_NotJSFunction(void*, ...) + 534 (Interpreter.cpp:4891)
9 com.apple.JavaScriptCore 0x005524f0 jscGeneratedNativeCode + 0 (Interpreter.cpp:4174)
10 com.apple.JavaScriptCore 0x00573df8 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValuePtr*) + 58 (JITCode.h:86)
11 com.apple.JavaScriptCore 0x0055b0d4 JSC::Interpreter::execute(JSC::FunctionBodyNode*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValuePtr*) + 888 (Interpreter.cpp:934)
12 com.apple.JavaScriptCore 0x004a3f43 JSC::JSFunction::call(JSC::ExecState*, JSC::JSValuePtr, JSC::ArgList const&) + 139 (JSFunction.cpp:83)
13 com.apple.JavaScriptCore 0x004a3ffc JSC::call(JSC::ExecState*, JSC::JSValuePtr, JSC::CallType, JSC::CallData const&, JSC::JSValuePtr, JSC::ArgList const&) + 178 (CallData.cpp:39)
14 com.apple.WebCore 0x038d79d6 WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 952 (JSEventListener.cpp:115)
15 com.apple.WebCore 0x036a3f19 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 253 (Document.cpp:2749)
16 com.apple.WebCore 0x03a5aefc WebCore::Node::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event>) + 272 (Node.cpp:2484)
17 com.apple.WebCore 0x03a64887 WebCore::Node::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 175 (Node.cpp:2491)
18 com.apple.WebCore 0x036ade90 WebCore::Document::implicitClose() + 766 (Document.cpp:1589)
19 com.apple.WebCore 0x03749d8f WebCore::FrameLoader::checkCallImplicitClose() + 183 (FrameLoader.cpp:1334)
20 com.apple.WebCore 0x037563fd WebCore::FrameLoader::checkCompleted() + 211 (FrameLoader.cpp:1290)
21 com.apple.WebCore 0x03757645 WebCore::FrameLoader::loadDone() + 17 (FrameLoader.cpp:1255)
22 com.apple.WebCore 0x0369896a WebCore::DocLoader::setLoadInProgress(bool) + 116 (DocLoader.cpp:282)
23 com.apple.WebCore 0x03d56e90 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 538 (loader.cpp:312)
24 com.apple.WebCore 0x03cb1100 WebCore::SubresourceLoader::didFinishLoading() + 176 (SubresourceLoader.cpp:185)
25 com.apple.WebCore 0x03b919ec WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:417)
26 com.apple.WebCore 0x03b8f4fe -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 172 (ResourceHandleMac.mm:603)
27 com.apple.Foundation 0x96690cd7 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87
28 com.apple.Foundation 0x96690c43 _NSURLConnectionDidFinishLoading + 147
29 com.apple.CFNetwork 0x9019822c URLConnectionClient::clientDidFinishLoading() + 174
30 com.apple.CFNetwork 0x90196d69 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 281
31 com.apple.CFNetwork 0x90197da8 URLConnectionClient::processEvents() + 114
32 com.apple.CFNetwork 0x90147d37 MultiplexerSource::perform() + 189
33 com.apple.CoreFoundation 0x910f55f5 CFRunLoopRunSpecific + 3141
34 com.apple.CoreFoundation 0x910f5cd8 CFRunLoopRunInMode + 88
35 com.apple.HIToolbox 0x94b792c0 RunCurrentEventLoopInMode + 283
36 com.apple.HIToolbox 0x94b790d9 ReceiveNextEventCommon + 374
37 com.apple.HIToolbox 0x94b78f4d BlockUntilNextEventMatchingListInMode + 106
38 com.apple.AppKit 0x91233d7d _DPSNextEvent + 657
39 com.apple.AppKit 0x91233630 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
40 com.apple.Safari 0x00007b3e 0x1000 + 27454
41 com.apple.AppKit 0x9122c66b -[NSApplication run] + 795
42 com.apple.AppKit 0x911f98a4 NSApplicationMain + 574
43 com.apple.Safari 0x000b2776 0x1000 + 726902

Thread 1:
0 libSystem.B.dylib 0x960bb3ae __semwait_signal + 10
1 libSystem.B.dylib 0x960e5d0d pthread_cond_wait$UNIX2003 + 73
2 com.apple.JavaScriptCore 0x005b71bb WTF::ThreadCondition::wait(WTF::Mutex&) + 39 (ThreadingPthreads.cpp:233)
3 com.apple.WebCore 0x0380cc05 WebCore::IconDatabase::syncThreadMainLoop() + 651 (IconDatabase.cpp:1336)
4 com.apple.WebCore 0x0380e06e WebCore::IconDatabase::iconDatabaseSyncThread() + 1216 (IconDatabase.cpp:1038)
5 com.apple.WebCore 0x0380e09d WebCore::IconDatabase::iconDatabaseSyncThreadStart(void*) + 23 (IconDatabase.cpp:942)
6 com.apple.JavaScriptCore 0x005b7046 __ZN3WTFL16threadEntryPointEPv + 112 (Threading.cpp:58)
7 libSystem.B.dylib 0x960e5095 _pthread_start + 321
8 libSystem.B.dylib 0x960e4f52 thread_start + 34

Thread 2:
0 libSystem.B.dylib 0x960bb3ae __semwait_signal + 10
1 libSystem.B.dylib 0x960e5d0d pthread_cond_wait$UNIX2003 + 73
2 com.apple.JavaScriptCore 0x005b71bb WTF::ThreadCondition::wait(WTF::Mutex&) + 39 (ThreadingPthreads.cpp:233)
3 com.apple.WebCore 0x03a2fde2 WTF::MessageQueue<WTF::RefPtr<WebCore::LocalStorageTask> >::waitForMessage(WTF::RefPtr<WebCore::LocalStorageTask>&) + 60 (MessageQueue.h:90)
4 com.apple.WebCore 0x03a2f1b4 WebCore::LocalStorageThread::localStorageThread() + 70 (LocalStorageThread.cpp:72)
5 com.apple.WebCore 0x03a2f235 WebCore::LocalStorageThread::localStorageThreadStart(void*) + 17 (LocalStorageThread.cpp:61)
6 com.apple.JavaScriptCore 0x005b7046 __ZN3WTFL16threadEntryPointEPv + 112 (Threading.cpp:58)
7 libSystem.B.dylib 0x960e5095 _pthread_start + 321
8 libSystem.B.dylib 0x960e4f52 thread_start + 34

Thread 3:
0 libSystem.B.dylib 0x960b41c6 mach_msg_trap + 10
1 libSystem.B.dylib 0x960bb9bc mach_msg + 72
2 com.apple.CoreFoundation 0x910f50ae CFRunLoopRunSpecific + 1790
3 com.apple.CoreFoundation 0x910f5cd8 CFRunLoopRunInMode + 88
4 com.apple.CFNetwork 0x9011c052 CFURLCacheWorkerThread(void*) + 396
5 libSystem.B.dylib 0x960e5095 _pthread_start + 321
6 libSystem.B.dylib 0x960e4f52 thread_start + 34

Thread 4:
0 libSystem.B.dylib 0x960b41c6 mach_msg_trap + 10
1 libSystem.B.dylib 0x960bb9bc mach_msg + 72
2 com.apple.CoreFoundation 0x910f50ae CFRunLoopRunSpecific + 1790
3 com.apple.CoreFoundation 0x910f5cd8 CFRunLoopRunInMode + 88
4 com.apple.Foundation 0x9668ed40 +[NSURLConnection(NSURLConnectionReallyInternal) _resourceLoadLoop:] + 320
5 com.apple.Foundation 0x9662b7ed -[NSThread main] + 45
6 com.apple.Foundation 0x9662b394 __NSThread__main__ + 308
7 libSystem.B.dylib 0x960e5095 _pthread_start + 321
8 libSystem.B.dylib 0x960e4f52 thread_start + 34

Thread 5:
0 libSystem.B.dylib 0x961036f2 select$DARWIN_EXTSN + 10
1 libSystem.B.dylib 0x960e5095 _pthread_start + 321
2 libSystem.B.dylib 0x960e4f52 thread_start + 34

Thread 0 crashed with X86 Thread State (32-bit):
eax: 0xbbadbeef ebx: 0x036f6680 ecx: 0x00000000 edx: 0x00000000
edi: 0x036aa556 esi: 0x071a1400 ebp: 0xbfffda78 esp: 0xbfffda10
ss: 0x0000001f efl: 0x00010282 eip: 0x036f6754 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
cr2: 0xbbadbeef

Binary Images:
0x1000 - 0x142fef com.apple.Safari 4.0 (5528.1) <88983e9de4325a60c903ef39a2293d27> /Applications/Safari.app/Contents/MacOS/Safari
0x18f000 - 0x2baffb com.apple.WebKit 530+ (530.1+) <d4e8da9251ec2437bf4cacbd9314331e> /Users/eseidel/Projects/build/Debug/WebKit.framework/Versions/A/WebKit
0x467000 - 0x476ff8 SyndicationUI ??? (???) <1fe4e2e3c35f575a6122b9192644dae4> /System/Library/PrivateFrameworks/SyndicationUI.framework/Versions/A/SyndicationUI
0x486000 - 0x62bff7 com.apple.JavaScriptCore 530+ (530.0+) <a1c54694f2d67451292a43d40422c55a> /Users/eseidel/Projects/build/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore
0xc78000 - 0xe4afe7 com.apple.RawCamera.bundle 2.0.10 (2.0.10) <fea6d22f985aec2f376d937291b54ecc> /System/Library/CoreServices/RawCamera.bundle/Contents/MacOS/RawCamera
0xee2000 - 0xee7ff3 libCGXCoreImage.A.dylib ??? (???) <375e0cdb64b043378dbf637992bbfeb0> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGXCoreImage.A.dylib
0x3445000 - 0x4812fef com.apple.WebCore 530+ (530.1+) <973042b274d172e22042db56beebb4ed> /Users/eseidel/Projects/build/Debug/WebCore.framework/Versions/A/WebCore
0x8fe00000 - 0x8fe2db43 dyld 97.1 (???)
<100d362e03410f181a34e04e94189ae5> /usr/lib/dyld 0x90003000 - 0x90011ffd libz.1.dylib ??? (???) <5ddd8539ae2ebfd8e7cc1c57525385c7> /usr/lib/libz.1.dylib 0x90012000 - 0x900ddfff com.apple.ColorSync 4.5.1 (4.5.1) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync 0x900de000 - 0x90118fe7 com.apple.coreui 1.2 (62) /System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI 0x90119000 - 0x901b6ffc com.apple.CFNetwork 422.11 (422.11) <2780dfc3d2186195fccb3634bfb0944b> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork 0x901b7000 - 0x90242fff com.apple.framework.IOKit 1.5.1 (???) <f9f5f0d070e197a832d86751e1d44545> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit 0x90243000 - 0x9024affe libbsm.dylib ??? (???) <d25c63378a5029648ffd4b4669be31bf> /usr/lib/libbsm.dylib 0x9024b000 - 0x9026affa libJPEG.dylib ??? (???) <e7eb56555109e23144924cd64aa8daec> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib 0x9026b000 - 0x9027afff libsasl2.2.dylib ??? (???) <bb7971ca2f609c070f87786a93d1041e> /usr/lib/libsasl2.2.dylib 0x9027b000 - 0x9027bffd com.apple.Accelerate.vecLib 3.4.2 (vecLib 3.4.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib 0x90294000 - 0x90346ffb libcrypto.0.9.7.dylib ??? (???) 
<69bc2457aa23f12fa7d052601d48fa29> /usr/lib/libcrypto.0.9.7.dylib 0x90347000 - 0x9035dfff com.apple.DictionaryServices 1.0.0 (1.0.0) <ad0aa0252e3323d182e17f50defe56fc> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/DictionaryServices 0x9035e000 - 0x9038dfe3 com.apple.AE 402.2 (402.2) <e01596187e91af5d48653920017b8c8e> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE 0x9038e000 - 0x9038effc com.apple.audio.units.AudioUnit 1.5 (1.5) /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit 0x9038f000 - 0x903e0ff7 com.apple.HIServices 1.7.0 (???) <01b690d1f376e400ac873105533e39eb> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices 0x90baa000 - 0x90baaffd com.apple.vecLib 3.4.2 (vecLib 3.4.2) /System/Library/Frameworks/vecLib.framework/Versions/A/vecLib 0x90bab000 - 0x90c35fe3 com.apple.DesktopServices 1.4.7 (1.4.7) <d16642ba22c32f67be793ebfbe67ca3a> /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv 0x90c36000 - 0x90fd3fef com.apple.QuartzCore 1.5.7 (1.5.7) <2fed2dd7565c84a0f0c608d41d4d172c> /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore 0x90fd4000 - 0x90fd9fff com.apple.backup.framework 1.0 (1.0) /System/Library/PrivateFrameworks/Backup.framework/Versions/A/Backup 0x9100f000 - 0x91081fff com.apple.PDFKit 2.1.2 (2.1.2) /System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/PDFKit.framework/Versions/A/PDFKit 0x91082000 - 0x911b5fff com.apple.CoreFoundation 6.5.5 (476.17) <4a70c8dbb582118e31412c53dc1f407f> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 0x911bb000 - 0x911f2fff com.apple.SystemConfiguration 1.9.2 (1.9.2) <8b26ebf26a009a098484f1ed01ec499c> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration 0x911f3000 - 0x919f1fef 
com.apple.AppKit 6.5.6 (949.43) <a3a300499bbe4f1dfebf71d752d01916> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit 0x919f2000 - 0x91d17fe2 com.apple.QuickTime 7.6.0 (1290) <bc0920abbbaad03f5513ac7ffbd30633> /System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime 0x91d18000 - 0x91d21fff com.apple.speech.recognition.framework 3.7.24 (3.7.24) <d3180f9edbd9a5e6f283d6156aa3c602> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition 0x91d22000 - 0x91d3fff7 com.apple.QuickLookFramework 1.3.1 (170.9) /System/Library/Frameworks/QuickLook.framework/Versions/A/QuickLook 0x91d40000 - 0x91d42fff com.apple.securityhi 3.0 (30817) <2b2854123fed609d1820d2779e2e0963> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI 0x91d43000 - 0x92153fef libBLAS.dylib ??? (???) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib 0x921a3000 - 0x92253fff edu.mit.Kerberos 6.0.12 (6.0.12) <685cc018c133668d0d3ac6a1cb63cff9> /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos 0x92254000 - 0x923a6ff3 com.apple.audio.toolbox.AudioToolbox 1.5.2 (1.5.2) /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox 0x923a7000 - 0x923a7ffe com.apple.quartzframework 1.5 (1.5) <4b8f505e32e4f2d67967a276401f9aaf> /System/Library/Frameworks/Quartz.framework/Versions/A/Quartz 0x923db000 - 0x923e6fe7 libCSync.A.dylib ??? (???) <e6aceed359bd228f42bc1246af5919c9> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib 0x923e7000 - 0x927a5fea libLAPACK.dylib ??? (???) 
/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib 0x92870000 - 0x9292afe3 com.apple.CoreServices.OSServices 226.5 (226.5) <2a135d4fb16f4954290f7b72b4111aa3> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices 0x9292b000 - 0x9296afef libTIFF.dylib ??? (???) <3589442575ac77746ae99ecf724f5f87> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib 0x9296b000 - 0x9296ffff com.apple.OpenDirectory 10.5 (10.5) <e7e4507f5ecd8c8cdcdb2fc0675da0b4> /System/Library/PrivateFrameworks/OpenDirectory.framework/Versions/A/OpenDirectory 0x92970000 - 0x92980ffc com.apple.LangAnalysis 1.6.4 (1.6.4) <8b7831b5f74a950a56cf2d22a2d436f6> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis 0x92981000 - 0x92a14fff com.apple.ink.framework 101.3 (86) <bf3fa8927b4b8baae92381a976fd2079> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink 0x92a15000 - 0x92afaff3 com.apple.CoreData 100.1 (186) <8e28162ef2288692615b52acc01f8b54> /System/Library/Frameworks/CoreData.framework/Versions/A/CoreData 0x92afb000 - 0x92b39ff7 libGLImage.dylib ??? (???) 
<1123b8a48bcbe9cc7aa8dd8e1a214a66> /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib 0x92b3a000 - 0x92b46ff9 com.apple.helpdata 1.0.1 (14.2) /System/Library/PrivateFrameworks/HelpData.framework/Versions/A/HelpData 0x92b64000 - 0x92b64fff com.apple.Carbon 136 (136) <98a5e3bc0c4fa44bbb09713bb88707fe> /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon 0x92b65000 - 0x92b83ff3 com.apple.DirectoryService.Framework 3.5.5 (3.5.5) <f8931f64103c8a86b82e9714352f4323> /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService 0x92b84000 - 0x92d03fff com.apple.AddressBook.framework 4.1.1 (699) <60ddae72a1df8ddbc5c53df92f372b76> /System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook 0x92d04000 - 0x92d60ff7 com.apple.htmlrendering 68 (1.1.3) <fe87a9dede38db00e6c8949942c6bd4f> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering 0x92d61000 - 0x92da3fef com.apple.NavigationServices 3.5.2 (163) <91844980804067b07a0b6124310d3f31> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices 0x92da4000 - 0x92e21fef libvMisc.dylib ??? (???) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib 0x92e22000 - 0x92e3afff com.apple.openscripting 1.2.8 (???) 
<572c7452d7e740e8948a5ad07a99602b> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting 0x92e3b000 - 0x92e85fe1 com.apple.securityinterface 3.0.1 (35183) <f855cb06d2541ce544d9bcdf998b991c> /System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface 0x92e86000 - 0x92e9bffb com.apple.ImageCapture 5.0.1 (5.0.1) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture 0x92e9c000 - 0x92eabffe com.apple.DSObjCWrappers.Framework 1.3 (1.3) <09deb9e32d0d09dfb95ae569bdd2b7a4> /System/Library/PrivateFrameworks/DSObjCWrappers.framework/Versions/A/DSObjCWrappers 0x92eac000 - 0x92eb8ffe libGL.dylib ??? (???) /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib 0x92ebe000 - 0x92ff6ff7 libicucore.A.dylib ??? (???) <18098dcf431603fe47ee027a60006c85> /usr/lib/libicucore.A.dylib 0x92ff7000 - 0x93007fff com.apple.speech.synthesis.framework 3.7.1 (3.7.1) <06d8fc0307314f8ffc16f206ad3dbf44> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis 0x93008000 - 0x9308fff7 libsqlite3.0.dylib ??? (???) <6978bbcca4277d6ae9f042beff643f7d> /usr/lib/libsqlite3.0.dylib 0x931a2000 - 0x931d4fff com.apple.LDAPFramework 1.4.5 (110) <cc04500cf7b6edccc75bb3fe2973f72c> /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP 0x931d5000 - 0x931fdfff libcups.2.dylib ??? (???) <81abd305142ad1b771024eb4a1309e2e> /usr/lib/libcups.2.dylib 0x931fe000 - 0x936cff3e libGLProgrammability.dylib ??? (???) <5d283543ac844e7c6fa3440ac56cd265> /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib 0x936d0000 - 0x936d1ffc libffi.dylib ??? (???) 
<a3b573eb950ca583290f7b2b4c486d09> /usr/lib/libffi.dylib 0x936d2000 - 0x9380afe7 com.apple.imageKit 1.0.2 (1.0) <2e354566521df8b1e3a78e9aeab5e6b4> /System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/ImageKit.framework/Versions/A/ImageKit 0x947e7000 - 0x94812fe7 libauto.dylib ??? (???) <42d8422dc23a18071869fdf7b5d8fab5> /usr/lib/libauto.dylib 0x94813000 - 0x9481bfff com.apple.DiskArbitration 2.2.1 (2.2.1) <75b0c8d8940a8a27816961dddcac8e0f> /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration 0x9481c000 - 0x948fdff7 libxml2.2.dylib ??? (???) <de34eb9b43eb7d4a4e0b7f25529efa12> /usr/lib/libxml2.2.dylib 0x94908000 - 0x94ac4ff3 com.apple.QuartzComposer 2.1 (106.13) <40f034e8c8fd31c9081f5283dcf22b78> /System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuartzComposer.framework/Versions/A/QuartzComposer 0x94ac5000 - 0x94b42feb com.apple.audio.CoreAudio 3.1.1 (3.1.1) <f35477a5e23db0fa43233c37da01ae1c> /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio 0x94b43000 - 0x94b48fff com.apple.CommonPanels 1.2.4 (85) <ea0665f57cd267609466ed8b2b20e893> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels 0x94b49000 - 0x94e51fff com.apple.HIToolbox 1.5.4 (???) <3747086ba21ee419708a5cab946c8ba6> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox 0x94e52000 - 0x94f09ff3 com.apple.QTKit 7.6 (1290) /System/Library/Frameworks/QTKit.framework/Versions/A/QTKit 0x94f0a000 - 0x955aafff com.apple.CoreGraphics 1.407.2 (???) 
<3a91d1037afde01d1d8acdf9cd1caa14> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics 0x955b8000 - 0x955b8ff8 com.apple.ApplicationServices 34 (34) <8f910fa65f01d401ad8d04cc933cf887> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices 0x955b9000 - 0x9560afeb com.apple.framework.familycontrols 1.0.3 (1.0.3) <52c7ec091f6d3dc99ec42e1e185c38a7> /System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/FamilyControls 0x9576d000 - 0x957bcfff com.apple.QuickLookUIFramework 1.3.1 (170.9) /System/Library/PrivateFrameworks/QuickLookUI.framework/Versions/A/QuickLookUI 0x957bd000 - 0x95806fef com.apple.Metadata 10.5.2 (398.25) <e0572f20350523116f23000676122a8d> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata 0x95844000 - 0x958aaffb com.apple.ISSupport 1.7 (38.2) /System/Library/PrivateFrameworks/ISSupport.framework/Versions/A/ISSupport 0x958ab000 - 0x95908ffb libstdc++.6.dylib ??? (???) 
<04b812dcec670daa8b7d2852ab14be60> /usr/lib/libstdc++.6.dylib 0x95909000 - 0x9593affb com.apple.quartzfilters 1.5.0 (1.5.0) <22581f8fe9dd2cb261f97a897407ec3e> /System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/QuartzFilters.framework/Versions/A/QuartzFilters 0x9593b000 - 0x9594cffe com.apple.CFOpenDirectory 10.5 (10.5) <6a7f55108d77db7384d0e2219d07e9f8> /System/Library/PrivateFrameworks/OpenDirectory.framework/Versions/A/Frameworks/CFOpenDirectory.framework/Versions/A/CFOpenDirectory 0x9594d000 - 0x95c27ff3 com.apple.CoreServices.CarbonCore 786.10 (786.10) <ec35bb05f67fe0e828d49dda88bbf6d7> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore 0x95c96000 - 0x95cd0ffe com.apple.securityfoundation 3.0 (32989) <36f7f260187c435b2670bcb24acd4219> /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation 0x95cd1000 - 0x95cd1ff8 com.apple.Cocoa 6.5 (???) <e064f94d969ce25cb7de3cfb980c3249> /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa 0x95cd2000 - 0x95ceaff7 com.apple.CoreVideo 1.6.0 (20.0) <c0d869876af51283a160cd2224a23abf> /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo 0x95ceb000 - 0x95cf0fff com.apple.DisplayServicesFW 2.0.2 (2.0.2) <97878a73074e7da4fe31ea010a5d5ae1> /System/Library/PrivateFrameworks/DisplayServices.framework/Versions/A/DisplayServices 0x95cf1000 - 0x95d6bff8 com.apple.print.framework.PrintCore 5.5.3 (245.3) <222dade7b33b99708b8c09d1303f93fc> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore 0x95ddf000 - 0x95de2fff com.apple.help 1.1 (36) <b507b08e484cb89033e9cf23062d77de> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help 0x95ed8000 - 0x95f1cfeb com.apple.DirectoryService.PasswordServerFramework 3.0.3 (3.0.3) <29109fed9f54cbe3d3faea0603362719> 
/System/Library/PrivateFrameworks/PasswordServer.framework/Versions/A/PasswordServer 0x95f1d000 - 0x95fa9ff7 com.apple.LaunchServices 290.3 (290.3) <6f9629f4ed1ba3bb313548e6838b2888> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices 0x95faa000 - 0x9608afff libobjc.A.dylib ??? (???) <7b92613fdf804fd9a0a3733a0674c30b> /usr/lib/libobjc.A.dylib 0x9608b000 - 0x960a9fff libresolv.9.dylib ??? (???) <a8018c42930596593ddf27f7c20fe7af> /usr/lib/libresolv.9.dylib 0x960b3000 - 0x9621aff3 libSystem.B.dylib ??? (???) <d68880dfb1f8becdbdac6928db1510fb> /usr/lib/libSystem.B.dylib 0x9621b000 - 0x9621bffa com.apple.CoreServices 32 (32) <2fcc8f3bd5bbfc000b476cad8e6a3dd2> /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices 0x9621c000 - 0x96237ffb libPng.dylib ??? (???) <4780e979d35aa5ec2cea22678836cea5> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib 0x9657e000 - 0x96588feb com.apple.audio.SoundManager 3.9.2 (3.9.2) <0f2ba6e891d3761212cf5a5e6134d683> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound 0x96589000 - 0x965adfeb libssl.0.9.7.dylib ??? (???) <c7359b7ab32b5f8574520746e10a41cc> /usr/lib/libssl.0.9.7.dylib 0x965ae000 - 0x965d2fff libxslt.1.dylib ??? (???) <0a9778d6368ae668826f446878deb99b> /usr/lib/libxslt.1.dylib 0x965d3000 - 0x96609fef libtidy.A.dylib ??? (???) <f1d1742e06280444baa5637b209fd0af> /usr/lib/libtidy.A.dylib 0x9660a000 - 0x9660cff5 libRadiance.dylib ??? (???) <8a844202fcd65662bb9ab25f08c45a62> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib 0x96619000 - 0x96620fe9 libgcc_s.1.dylib ??? (???) 
<f53c808e87d1184c0f9df63aef53ce0b> /usr/lib/libgcc_s.1.dylib 0x96621000 - 0x9689cfe7 com.apple.Foundation 6.5.7 (677.22) <8fe77b5d15ecdae1240b4cb604fc6d0b> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation 0x9689d000 - 0x9691cff5 com.apple.SearchKit 1.2.1 (1.2.1) <3140a605db2abf56b237fa156a08b28b> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit 0x9691d000 - 0x9691ffff com.apple.CrashReporterSupport 10.5.5 (159) <4ca9b6643fcbafd76424a46d162363eb> /System/Library/PrivateFrameworks/CrashReporterSupport.framework/Versions/A/CrashReporterSupport 0x96920000 - 0x969b3ff3 com.apple.ApplicationServices.ATS 3.4 (???) <8c51de0ec3deaef416578cd59df38754> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS 0x969b4000 - 0x96a7bff2 com.apple.vImage 3.0 (3.0) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage 0x96b61000 - 0x96b61ffb com.apple.installserver.framework 1.0 (8) /System/Library/PrivateFrameworks/InstallServer.framework/Versions/A/InstallServer 0x96b62000 - 0x96bbcff7 com.apple.CoreText 2.0.3 (???) <1f1a97273753e6cfea86c810d6277680> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText 0x96bbd000 - 0x96bbdffd com.apple.Accelerate 1.4.2 (Accelerate 1.4.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate 0x96bbe000 - 0x96bc2fff libGIF.dylib ??? (???) 
<572a32e46e33be1ec041c5ef5b0341ae> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib 0x96bc3000 - 0x96bc9fff com.apple.print.framework.Print 218.0.2 (220.1) <8bf7ef71216376d12fcd5ec17e43742c> /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print 0x96bca000 - 0x96bcaffe com.apple.MonitorPanelFramework 1.2.0 (1.2.0) <a2b462be6c51187eddf7d097ef0e0a04> /System/Library/PrivateFrameworks/MonitorPanel.framework/Versions/A/MonitorPanel 0x96bcb000 - 0x96cccfff com.apple.PubSub 1.0.3 (65.3) /System/Library/Frameworks/PubSub.framework/Versions/A/PubSub 0x96ccd000 - 0x96cd4ff7 libCGATS.A.dylib ??? (???) <386dce4b28448fb86e33e06ac466f4d8> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib 0x96cd5000 - 0x96cfefff com.apple.CoreMediaPrivate 15.0 (15.0) /System/Library/PrivateFrameworks/CoreMediaPrivate.framework/Versions/A/CoreMediaPrivate 0x96cff000 - 0x96da6feb com.apple.QD 3.11.54 (???) <b743398c24c38e581a86e91744a2ba6e> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD 0x96da7000 - 0x96e00ff7 libGLU.dylib ??? (???) /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib 0x96e01000 - 0x96fcfff3 com.apple.security 5.0.4 (34102) <55dda7486df4e8e1d61505be16f83a1c> /System/Library/Frameworks/Security.framework/Versions/A/Security 0x96fd0000 - 0x96ff8ff7 com.apple.shortcut 1 (1.0) <057783867138902b52bc0941fedb74d1> /System/Library/PrivateFrameworks/Shortcut.framework/Versions/A/Shortcut 0x96ff9000 - 0x97026feb libvDSP.dylib ??? (???) <b232c018ddd040ec4e2c2af632dd497f> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib 0x970cb000 - 0x9710cfe7 libRIP.A.dylib ??? (???) 
<5d0b5af7992e14de017f9a9c7cb05960> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib 0x9710d000 - 0x9714cfff com.apple.CoreMediaIOServicesPrivate 15.0 (15.0) /System/Library/PrivateFrameworks/CoreMediaIOServicesPrivate.framework/Versions/A/CoreMediaIOServicesPrivate 0x9714d000 - 0x97151fff libmathCommon.A.dylib ??? (???) /usr/lib/system/libmathCommon.A.dylib 0x97152000 - 0x97298ff7 com.apple.ImageIO.framework 2.0.4 (2.0.4) <6a6623d3d1a7292b5c3763dcd108b55f> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO 0x9741a000 - 0x97427fe7 com.apple.opengl 1.5.9 (1.5.9) <7e5048a2677b41098c84045305f42f7f> /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL 0xfffe8000 - 0xfffebfff libobjc.A.dylib ??? (???) /usr/lib/libobjc.A.dylib 0xffff0000 - 0xffff1780 libSystem.B.dylib ??? (???) /usr/lib/libSystem.B.dylib
Attachments
test case, crashes! (the logging can be removed when preparing to land) (724 bytes, text/html)
2009-02-18 17:50 PST, Eric Seidel (no email)
no flags
Proposed fix: call Document::createElement(const QualifiedName&, bool) that does not check. Also removed HTMLElement::cloneNode specialisation. (6.50 KB, patch)
2009-02-22 01:39 PST, Julien Chaffraix
darin: review+
Eric Seidel (no email)
Comment 1 2009-02-13 14:20:23 PST
I've not tried to reduce this yet, but with a reduction this should be super-simple to fix.
Mark Rowe (bdash)
Comment 2 2009-02-13 14:46:06 PST
Can you please attach the crash log to the bug rather than pasting it in to the comments in the future?
Eric Seidel (no email)
Comment 3 2009-02-18 17:34:56 PST
Ok, it's trying to clone a node and getting an NAMESPACE_ERR when trying to createElementNS the clone. The namespaceURI() passed in is null. Still investigating.
Eric Seidel (no email)
Comment 4 2009-02-18 17:40:08 PST
So the nodeName in question is: "imsss:objectives"

So the problem here is that we're using createElementNS which does namespace checks when really we want to just clone this XHTML-invalid, html node.

A simple test to reproduce this is probably

var node = document.createElement("foo:bar");
var clone = node.cloneNode(); // probably crashes.
Eric Seidel (no email)
Comment 5 2009-02-18 17:50:07 PST
Created attachment 27770 [details]
test case, crashes! (the logging can be removed when preparing to land)
Eric Seidel (no email)
Comment 6 2009-02-18 17:53:04 PST
The bug here is that since this is an XML document, we shouldn't have been able to create a node with an invalid prefix to begin with. Document::createElement() should have thrown an error. We'll need to check what FF and IE do here, and what the spec says, but I expect that createElement() should have just thrown an error and we would never have gotten to a case where we have an XML element with an invalid nodeName.
Julien Chaffraix
Comment 7 2009-02-21 22:46:14 PST
(In reply to comment #6)
> The bug here is that since this is an XML document, we shouldn't have been able
> to create a node with an invalid prefix to begin with.
> Document::createElement() should have thrown an error. We'll need to check
> what FF and IE do here, and what the spec says, but I expect that
> createElement() should have just thrown an error and we would never have gotten
> to a case where we have an XML element with an invalid nodeName.

I disagree with your conclusion. createElement is asked just to check that the string is a valid XML name by the DOM spec, and throwing an exception will lead to regressions. As strange as it seems, createElement puts the string as the localName without any checks on the prefix and thus can lead to invalid XML names.

I have tried your test case with the other browsers: FF abides by the spec, Opera mostly abides (it just sets the namespace to 'http://www.example.com' (instead of null per DOM requirement)) and IE fails on document.implementation.createDocument.

The issue here is that we are calling createElementNS with nodes that may have been created by another method and thus do not play along with it. HTMLDocument::cloneNode calls directly the factory and it does not crash on such invalid nodes. I think we should do something equivalent in Document::cloneNode.
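To make the mechanism described in comments 4 and 7 concrete, here is an added C++ model. It is not WebKit code and not the patch in attachment 27857: the Element and QualifiedName structs, the function names and the ASCII-only XML Name check are this example's own simplifications of the WebCore classes the thread names. It shows a createElement that applies only the XML Name check, a createElementNS that additionally applies the DOM namespace rules, and the two clone paths: the one that re-validated through createElementNS and failed with NAMESPACE_ERR on an element created as "foo:bar", and the one that clones from the QualifiedName the engine already holds.

```cpp
// Added illustration, not WebKit code: a toy model of the two element factories
// described in comments 4 and 7 and of the clone path that crashed.
#include <cctype>
#include <iostream>
#include <memory>
#include <optional>
#include <string>

// DOM Level 2 Core exception codes referenced in the thread.
enum ExceptionCode { NoError = 0, INVALID_CHARACTER_ERR = 5, NAMESPACE_ERR = 14 };

// The name as the engine stores it; nullopt models a null prefix / namespace.
struct QualifiedName {
    std::optional<std::string> prefix;
    std::string localName;
    std::optional<std::string> namespaceURI;
    // nodeName as script would see it: "prefix:local" or just "local".
    std::string toString() const { return prefix ? *prefix + ":" + localName : localName; }
};

struct Element { QualifiedName name; };

// ASCII subset of the XML 1.0 Name production (letters, '_', ':' to start;
// digits, '-', '.' also allowed afterwards). Enough to show that "foo:bar"
// is a valid Name even though it is not a usable qualified name.
bool isValidXMLName(const std::string& s) {
    auto startOk = [](unsigned char c) { return std::isalpha(c) || c == '_' || c == ':'; };
    auto restOk = [&](unsigned char c) { return startOk(c) || std::isdigit(c) || c == '-' || c == '.'; };
    if (s.empty() || !startOk(s[0])) return false;
    for (unsigned char c : s) if (!restOk(c)) return false;
    return true;
}

// Model of Document::createElement(tagName): only the XML Name check, which
// comment 7 says is all the DOM spec asks for. The whole string becomes the
// local name with a null prefix and null namespace, so "foo:bar" is accepted.
std::unique_ptr<Element> createElement(const std::string& tagName, ExceptionCode& ec) {
    if (!isValidXMLName(tagName)) { ec = INVALID_CHARACTER_ERR; return nullptr; }
    ec = NoError;
    return std::make_unique<Element>(Element{{std::nullopt, tagName, std::nullopt}});
}

// Model of Document::createElementNS(namespaceURI, qualifiedName): splits on
// ':' and applies the DOM namespace rules; a prefix with a null namespace is
// NAMESPACE_ERR, which is exactly what comment 3 observed on the clone path.
std::unique_ptr<Element> createElementNS(const std::optional<std::string>& namespaceURI,
                                         const std::string& qualifiedName, ExceptionCode& ec) {
    if (!isValidXMLName(qualifiedName)) { ec = INVALID_CHARACTER_ERR; return nullptr; }
    std::optional<std::string> prefix;
    std::string localName = qualifiedName;
    auto colon = qualifiedName.find(':');
    if (colon != std::string::npos) {
        prefix = qualifiedName.substr(0, colon);
        localName = qualifiedName.substr(colon + 1);
        if (prefix->empty() || localName.empty() || localName.find(':') != std::string::npos) {
            ec = NAMESPACE_ERR; return nullptr;
        }
    }
    if (prefix && !namespaceURI) { ec = NAMESPACE_ERR; return nullptr; }
    ec = NoError;
    return std::make_unique<Element>(Element{{prefix, localName, namespaceURI}});
}

// Pre-fix clone path: rebuild the element through createElementNS, i.e. re-run
// a stricter validator on a name the engine already accepted. For an element
// made by createElement("foo:bar") this yields NAMESPACE_ERR and a null result;
// the report above shows ASSERTION FAILED: !ec in debug and a crash in release.
// This model returns the null so the caller can observe the failure instead.
std::unique_ptr<Element> cloneViaCreateElementNS(const Element& e, ExceptionCode& ec) {
    return createElementNS(e.name.namespaceURI, e.name.toString(), ec);
}

// Post-fix clone path: the element exists, so its QualifiedName is by
// construction acceptable to the engine; copy it without re-validating.
std::unique_ptr<Element> cloneViaQualifiedName(const Element& e) {
    return std::make_unique<Element>(Element{e.name});
}

int main() {
    ExceptionCode ec;
    auto node = createElement("foo:bar", ec);        // accepted: valid XML Name
    auto bad = cloneViaCreateElementNS(*node, ec);   // null, ec == NAMESPACE_ERR
    auto good = cloneViaQualifiedName(*node);        // clone carrying the same name
    std::cout << "createElementNS clone: " << (bad ? "ok" : "null") << " (ec=" << ec << ")\n"
              << "factory clone: " << good->name.toString() << "\n";
    return 0;
}
```

The pattern worth recognising when reviewing similar code: a clone, copy or serialisation path that re-runs a stricter validator than the one that admitted the object turns already-accepted input into a failure the caller never planned for, and an assertion only documents that assumption in debug builds. The landed fix takes the path the second function shows, cloning from the QualifiedName the engine already holds rather than re-deriving it from the string form.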
Julien Chaffraix
Comment 8 2009-02-21 22:54:05 PST
Taking the bug as I have a fix coming.
Julien Chaffraix
Comment 9 2009-02-22 01:39:11 PST
Created attachment 27857 [details]
Proposed fix: call Document::createElement(const QualifiedName&, bool) that does not check. Also removed HTMLElement::cloneNode specialisation.
Darin Adler
Comment 10 2009-02-23 01:33:11 PST
Comment on attachment 27857 [details]
Proposed fix: call Document::createElement(const QualifiedName&, bool) that does not check. Also removed HTMLElement::cloneNode specialisation.

I think this is fine. r=me

I think we should go even further and now that cloneElement doesn't have to be virtual, move the code into cloneElement and have cloneNode call cloneElement instead of the other way around.
Julien Chaffraix
Comment 11 2009-02-23 17:28:54 PST
Landed patch in r41162. Also filed bug 24110: "cloneNode should call cloneElement and not the reverse" to tackle the review comment (already assigned to me).
Lucas Forschler
Comment 12 2019-02-06 09:03:14 PST
Mass moving XML DOM bugs to the "DOM" Component.