Bug 45621 - isParsingFragment assert hit in new treebuilder
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P2 Normal
Assignee: Nobody
Reported: 2010-09-12 14:30 PDT by Abhishek Arya
Modified: 2010-09-12 17:43 PDT

Attachments
Testcase (35 bytes, text/html), 2010-09-12 14:30 PDT, Abhishek Arya
test cases (873 bytes, patch), 2010-09-12 16:27 PDT, Adam Barth
Patch (5.11 KB, patch), 2010-09-12 16:47 PDT, Adam Barth
Patch (5.06 KB, patch), 2010-09-12 16:50 PDT, Adam Barth

Description Abhishek Arya 2010-09-12 14:30:02 PDT
Created attachment 67345 [details]
Testcase

Found in my layout-test fuzzing. Also credit to Cris Neckar, from whose HTML fuzzer I took some ideas. This is the second most hit assert/crash in my fuzzing after bug 45570.

Reduced Testcase:
<kbd><table></kbd><col><select><tr>

In HTMLTreeBuilder::resetInsertionModeAppropriately(), this assert is hit first. Then we pick up m_fragmentContext.contextElement(), which comes out as null, which causes node to be null and crashes in the if statement. I am not sure whether this can trigger memory corruption, so I filed it with security tags.

            ASSERT(isParsingFragment());
            last = true;
            node = m_fragmentContext.contextElement();
        }
        if (node->hasTagName(selectTag)) {

Eric, Adam, if you think it cannot have security consequences, please feel free to remove the tags.
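The following is an added illustration, not WebKit's code: a simplified, stand-alone model of the HTML5 "reset the insertion mode appropriately" walk, structured like the snippet quoted above (at the bottom of the stack of open elements the code assumes the fragment case and switches to the context element). It shows why reaching the bottom during a document parse ends in a null dereference once the debug-only ASSERT is compiled out, and how a real check can fail closed instead. The Mode enum, the Element/Parser structs, the resolve() helper and the reduced tag table are assumptions; head and frameset handling is omitted.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Assumed insertion modes; only the cases needed for the walk are modelled.
enum class Mode {
    Unresolved, InSelect, InCell, InRow, InTableBody, InCaption,
    InColumnGroup, InTable, InBody, BeforeHead
};

struct Element { std::string tag; };

struct Parser {
    // Stack of open elements; index 0 is the bottom (the html element).
    std::vector<Element> openElements;
    // Non-null only in the fragment case (models m_fragmentContext.contextElement()).
    const Element* contextElement = nullptr;
    bool isParsingFragment() const { return contextElement != nullptr; }
};

// Walks from the current node down to the bottom of the stack.  Returns true and
// sets `mode` when a case matches.  Returns false (mode stays Unresolved) if the
// walk reaches the bottom outside the fragment case, the point at which the quoted
// WebKit code takes a null context element and dereferences it in the tag checks.
bool resetInsertionMode(const Parser& p, Mode& mode) {
    mode = Mode::Unresolved;
    bool last = false;
    for (std::size_t i = p.openElements.size(); i-- > 0;) {
        const Element* node = &p.openElements[i];
        if (i == 0) {
            // The original has ASSERT(isParsingFragment()) here; in a release
            // build that is gone, so the null has to be handled explicitly.
            last = true;
            node = p.contextElement;
            if (!node)
                return false;  // fail closed instead of crashing in the tag checks
        }
        const std::string& t = node->tag;
        if (t == "select") { mode = Mode::InSelect; return true; }
        if ((t == "td" || t == "th") && !last) { mode = Mode::InCell; return true; }
        if (t == "tr") { mode = Mode::InRow; return true; }
        if (t == "tbody" || t == "thead" || t == "tfoot") { mode = Mode::InTableBody; return true; }
        if (t == "caption") { mode = Mode::InCaption; return true; }
        if (t == "colgroup") { mode = Mode::InColumnGroup; return true; }
        if (t == "table") { mode = Mode::InTable; return true; }
        if (t == "body") { mode = Mode::InBody; return true; }
        if (t == "html") { mode = Mode::BeforeHead; return true; }
        if (last) { mode = Mode::InBody; return true; }
    }
    return false;  // empty stack: nothing to resolve
}

// Helper (assumed): builds a parser from a list of tags (bottom first) and an
// optional fragment context tag, then runs the walk.
Mode resolve(const std::vector<std::string>& tags, const std::string& contextTag = "") {
    Parser p;
    for (const auto& t : tags)
        p.openElements.push_back({t});
    Element ctx{contextTag};
    if (!contextTag.empty())
        p.contextElement = &ctx;
    Mode m;
    resetInsertionMode(p, m);
    return m;
}

int main() {
    // Document parse after the select has been popped: the walk stops at table.
    bool ok = resolve({"html", "body", "kbd", "table"}) == Mode::InTable;
    // Fragment parse with a td context element: `last` suppresses "in cell".
    ok = ok && resolve({"html"}, "td") == Mode::InBody;
    // Document parse that reaches the bottom: reported, not dereferenced.
    ok = ok && resolve({"html"}) == Mode::Unresolved;
    return ok ? 0 : 1;
}
```

The last case in main() is the shape of the report: a document parse whose stack has been unwound to the html element, with no fragment context to fall back on. In the model that is a recoverable Unresolved result rather than a null dereference, which is the property a hardened tree builder wants regardless of which spec case let the stack get there.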
Comment 1 Adam Barth 2010-09-12 16:25:44 PDT
This is a bug in the spec:

http://www.w3.org/Bugs/Public/show_bug.cgi?id=10617
Comment 2 Adam Barth 2010-09-12 16:27:16 PDT
Created attachment 67346 [details]
test cases
Comment 3 Adam Barth 2010-09-12 16:47:53 PDT
Created attachment 67348 [details]
Patch
Comment 4 Adam Barth 2010-09-12 16:50:56 PDT
Created attachment 67349 [details]
Patch
Comment 5 Eric Seidel (no email) 2010-09-12 16:56:19 PDT
Comment on attachment 67349 [details]
Patch

LGTM.
Comment 6 Eric Seidel (no email) 2010-09-12 16:56:33 PDT
I don't believe this is security sensitive and can be unmarked as such.
Comment 7 WebKit Commit Bot 2010-09-12 17:43:10 PDT
Comment on attachment 67349 [details]
Patch

Clearing flags on attachment: 67349

Committed r67356: <http://trac.webkit.org/changeset/67356>
Comment 8 WebKit Commit Bot 2010-09-12 17:43:15 PDT
All reviewed patches have been landed. Closing bug.