RESOLVED FIXED Bug 32426
Crash in WebCore::HTMLParser::createHead 
https://bugs.webkit.org/show_bug.cgi?id=32426
Summary Crash in WebCore::HTMLParser::createHead
Berend-Jan Wever
Reported 2009-12-11 05:06:09 PST
Created attachment 44677 [details] Repro Id: WebCore::HTMLParser::createHead ReadAV@NULL (e76af51d00030543044208d8a1070244) Description: Attempt to read from NULL pointer in WebCore::HTMLParser::createHead Stack: WebCore::HTMLParser::createHead WebCore::HTMLParser::handleError WebCore::HTMLParser::insertNode WebCore::HTMLParser::insertNodeAfterLimitBlockDepth WebCore::HTMLParser::parseToken WebCore::HTMLTokenizer::processToken WebCore::HTMLTokenizer::parseTag WebCore::HTMLTokenizer::write WebCore::parseHTMLDocumentFragment WebCore::HTMLElement::insertAdjacentHTML WebCore::HTMLElementInternal::insertAdjacentHTMLCallback v8::internal::Builtin_HandleApiCall v8::internal::Invoke v8::internal::Execution::Call v8::Script::Run WebCore::V8Proxy::runScript WebCore::V8Proxy::evaluate WebCore::ScriptController::evaluate WebCore::ScriptController::executeScript WebCore::ScriptController::executeScript WebCore::ScriptController::executeIfJavaScriptURL WebCore::FrameLoader::changeLocation WebCore::RedirectScheduler::timerFired WebCore::Timer<...>::fired WebCore::ThreadTimers::sharedTimerFiredInternal MessageLoop::RunTask MessageLoop::DoWork base::MessagePumpDefault::Run MessageLoop::RunInternal MessageLoop::Run RendererMain ChromeMain Repro: <BODY onload=go();></BODY> <SCRIPT> function go() { document.open(); new Image().insertAdjacentHTML(0,"<x<meta>"); } </SCRIPT>
Attachments
Repro (138 bytes, text/html)
2009-12-11 05:06 PST, Berend-Jan Wever 		no flags
Details
Land the tweaked test case. (2.11 KB, patch)
2011-09-26 15:45 PDT, Julien Chaffraix 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Berend-Jan Wever
Comment 1 2009-12-11 05:30:36 PST
Online repro
Alexey Proskuryakov
Comment 2 2009-12-11 10:28:05 PST
Confirmed with r51997. Fails an assertion in HTMLParser::createHead(): if (!m_document->documentElement()) { insertNode(new HTMLHtmlElement(htmlTag, m_document)); ASSERT(m_document->documentElement()); }
Berend-Jan Wever
Comment 3 2010-09-29 06:49:44 PDT
No longer reproduces - assuming fixed.
Alexey Proskuryakov
Comment 4 2010-09-30 12:42:29 PDT
This doesn't seem to have been fixed intentionally, let's land the test case.
Julien Chaffraix
Comment 5 2011-09-26 15:00:36 PDT
Will land the test soon as there is no need to keep this bug opened.
Julien Chaffraix
Comment 6 2011-09-26 15:45:43 PDT
Created attachment 108742 [details] Land the tweaked test case.
WebKit Review Bot
Comment 7 2011-09-27 10:17:13 PDT
Comment on attachment 108742 [details] Land the tweaked test case. Clearing flags on attachment: 108742 Committed r96124: <http://trac.webkit.org/changeset/96124>
WebKit Review Bot
Comment 8 2011-09-27 10:17:18 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.