Created attachment 44677 [details]
Repro

Id: WebCore::HTMLParser::createHead ReadAV@NULL (e76af51d00030543044208d8a1070244)
Description: Attempt to read from NULL pointer in WebCore::HTMLParser::createHead
Stack:
    WebCore::HTMLParser::createHead
    WebCore::HTMLParser::handleError
    WebCore::HTMLParser::insertNode
    WebCore::HTMLParser::insertNodeAfterLimitBlockDepth
    WebCore::HTMLParser::parseToken
    WebCore::HTMLTokenizer::processToken
    WebCore::HTMLTokenizer::parseTag
    WebCore::HTMLTokenizer::write
    WebCore::parseHTMLDocumentFragment
    WebCore::HTMLElement::insertAdjacentHTML
    WebCore::HTMLElementInternal::insertAdjacentHTMLCallback
    v8::internal::Builtin_HandleApiCall
    v8::internal::Invoke
    v8::internal::Execution::Call
    v8::Script::Run
    WebCore::V8Proxy::runScript
    WebCore::V8Proxy::evaluate
    WebCore::ScriptController::evaluate
    WebCore::ScriptController::executeScript
    WebCore::ScriptController::executeScript
    WebCore::ScriptController::executeIfJavaScriptURL
    WebCore::FrameLoader::changeLocation
    WebCore::RedirectScheduler::timerFired
    WebCore::Timer<...>::fired
    WebCore::ThreadTimers::sharedTimerFiredInternal
    MessageLoop::RunTask
    MessageLoop::DoWork
    base::MessagePumpDefault::Run
    MessageLoop::RunInternal
    MessageLoop::Run
    RendererMain
    ChromeMain

Repro:
    <BODY onload=go();></BODY>
    <SCRIPT>
    function go() {
      document.open();
      new Image().insertAdjacentHTML(0,"<x<meta>");
    }
    </SCRIPT>
Online repro
Confirmed with r51997. Fails an assertion in HTMLParser::createHead():

    if (!m_document->documentElement()) {
        insertNode(new HTMLHtmlElement(htmlTag, m_document));
        ASSERT(m_document->documentElement());
    }
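Added example, not part of the bug thread and not WebKit code: a simplified C++ model of the pattern quoted above, showing why a debug-only ASSERT after insertNode() turns into the reported NULL read in a release build, and a runtime check that fails safely instead. All types and names are hypothetical stand-ins, and the reason the insert does not reach the document (nodes going to a fragment during fragment parsing) is an assumption made for the model.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-ins for illustration; these are not WebKit's classes.
struct Element {
    std::string tag;
    std::vector<std::unique_ptr<Element>> children;
    explicit Element(std::string t) : tag(std::move(t)) {}
};

struct Document {
    std::unique_ptr<Element> root;  // null on a freshly opened, empty document
    Element* documentElement() const { return root.get(); }
};

struct Parser {
    Document* document;
    bool parsingFragment;  // assumption: fragment parsing attaches nodes elsewhere
    std::vector<std::unique_ptr<Element>> fragment;
    Element* head = nullptr;

    Parser(Document* d, bool f) : document(d), parsingFragment(f) {}

    // The new <html> node reaches the document only outside fragment parsing.
    void insertNode(std::unique_ptr<Element> node) {
        if (parsingFragment) fragment.push_back(std::move(node));
        else document->root = std::move(node);
    }

    // Returns false instead of dereferencing a null documentElement().
    bool createHead() {
        if (head) return true;
        if (!document->documentElement())
            insertNode(std::unique_ptr<Element>(new Element("html")));
        Element* root = document->documentElement();
        if (!root)  // an ASSERT here is compiled out of release builds
            return false;
        root->children.push_back(std::unique_ptr<Element>(new Element("head")));
        head = root->children.back().get();
        return true;
    }
};

// Runs createHead() against an empty document in either parsing mode.
bool headCreated(bool parsingFragment) {
    Document doc;
    Parser p(&doc, parsingFragment);
    return p.createHead() && doc.documentElement() != nullptr;
}
```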
No longer reproduces - assuming fixed.
This doesn't seem to have been fixed intentionally, let's land the test case.
Will land the test soon as there is no need to keep this bug open.
Created attachment 108742 [details]
Land the tweaked test case.
Comment on attachment 108742 [details]
Land the tweaked test case.

Clearing flags on attachment: 108742

Committed r96124: <http://trac.webkit.org/changeset/96124>
All reviewed patches have been landed. Closing bug.