RESOLVED FIXED 29313
Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare fastRealloc edge case
https://bugs.webkit.org/show_bug.cgi?id=29313
Dimitri Glazkov (Google)
Reported 2009-09-16 14:11:31 PDT
From bug 29026:

" .. I found a case in WebKit which attempts to realloc(ptr, 0):

WTF::fastRealloc+0x10
WebCore::HTMLTokenizer::enlargeScriptBuffer+0x41
WebCore::HTMLTokenizer::parseComment+0x2a
WebCore::HTMLTokenizer::parseTag+0x1141
WebCore::HTMLTokenizer::write+0x414
WebCore::FrameLoader::write+0x36b
WebCore::FrameLoader::addData+0x12

To get here, we have to read data input off the socket which contains a partial page ending with "<!--". It's a little hard to reproduce. "
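The growth path in the stack trace above, modelled as an added example (this is not WebKit's code; the buffer layout, the capacity + len growth rule, the fastRealloc stand-in and the shape of the guard are assumptions):

```cpp
#include <cstdlib>
#include <string>

// Simplified model of the tokenizer's comment/script buffer.  Field and
// function names are assumptions for this example, not WebKit's own code.
struct ScriptBuffer {
    char* code = nullptr;
    size_t size = 0;      // bytes in use
    size_t capacity = 0;  // bytes allocated
    ~ScriptBuffer() { std::free(code); }
};

// Stand-in for WTF::fastRealloc as discussed in bug 29026: a zero-byte request
// is fatal (CRASH()).  Here it is recorded instead of aborting, for testing.
static bool g_zeroByteReallocRequested = false;
static void* fastReallocModel(void* p, size_t n) {
    if (n == 0) { g_zeroByteReallocRequested = true; return p; }  // would CRASH()
    return std::realloc(p, n);
}

// Unguarded growth: new capacity = old capacity + requested length.  With an
// empty buffer and a zero-length request this asks the allocator for 0 bytes.
static void enlargeUnguarded(ScriptBuffer& b, size_t len) {
    size_t newSize = b.capacity + len;
    b.code = static_cast<char*>(fastReallocModel(b.code, newSize));
    b.capacity = newSize;
}

// Guarded growth (assumed shape of the fix): nothing to buffer means nothing
// to allocate, so return before the allocator is ever asked for 0 bytes.
static void enlargeGuarded(ScriptBuffer& b, size_t len) {
    size_t newSize = b.capacity + len;
    if (newSize == 0) return;  // avoid fastRealloc(ptr, 0)
    b.code = static_cast<char*>(fastReallocModel(b.code, newSize));
    b.capacity = newSize;
}

// Models parseComment on one network chunk: once "<!--" is consumed the buffer
// is enlarged by whatever remains in the chunk.  A chunk ending exactly at
// "<!--" leaves 0 bytes (the reported case).  Returns true if 0 bytes were requested.
static bool feedChunk(const std::string& chunk, bool guarded) {
    g_zeroByteReallocRequested = false;
    ScriptBuffer buf;
    size_t pos = chunk.find("<!--");
    if (pos == std::string::npos) return false;   // no comment opener in chunk
    size_t remaining = chunk.size() - (pos + 4);  // bytes after "<!--"
    if (guarded) enlargeGuarded(buf, remaining); else enlargeUnguarded(buf, remaining);
    return g_zeroByteReallocRequested;
}
```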
Attachments
Fix HTMLTokenizer crash, v1. (1.50 KB, patch)
2009-09-16 14:14 PDT, Dimitri Glazkov (Google)
no flags
Dimitri Glazkov (Google)
Comment 1 2009-09-16 14:14:25 PDT
Created attachment 39660 [details]
Fix HTMLTokenizer crash, v1.

 WebCore/ChangeLog              | 15 +++++++++++++++
 WebCore/html/HTMLTokenizer.cpp |  8 ++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)
Darin Adler
Comment 2 2009-09-16 14:17:04 PDT
We have other test cases like this done with HTTP tests that deliver text slowly. Can we make a regression test case?
Dimitri Glazkov (Google)
Comment 3 2009-09-16 14:20:11 PDT
(In reply to comment #2)
> We have other test cases like this done with HTTP tests that deliver text
> slowly. Can we make a regression test case?

Mike (the original finder of the problem), what do you think?
Alexey Proskuryakov
Comment 4 2009-09-16 14:40:37 PDT
+ // If we allow fastRealloc(ptr, 0), it will call CRASH().

Given bug 29026, this may be too strong a statement. Will this change even be needed if bug 29026 is fixed the way we seem to have consensus on?
Eric Seidel (no email)
Comment 5 2009-10-05 11:07:42 PDT
Ping?
Yong Li
Comment 6 2009-10-19 08:52:28 PDT
Comment on attachment 39660 [details]
Fix HTMLTokenizer crash, v1.

Let commit bot land it
WebKit Commit Bot
Comment 7 2009-10-19 09:18:26 PDT
Comment on attachment 39660 [details]
Fix HTMLTokenizer crash, v1.

Clearing flags on attachment: 39660

Committed r49788: <http://trac.webkit.org/changeset/49788>
WebKit Commit Bot
Comment 8 2009-10-19 09:18:31 PDT
All reviewed patches have been landed. Closing bug.