RESOLVED FIXED 47190
Issue in treebuilder parsing related to table tags
https://bugs.webkit.org/show_bug.cgi?id=47190
Abhishek Arya
Reported 2010-10-05 10:15:30 PDT
These issues don't look security related, but filing just as a precaution. Adam, Eric, can you please take a look? If you think they can have any security consequence, then I will file a bug on the Chromium repository to track this correctly. Otherwise, we can remove the security tags.

Testcase: <table> <td></tfoot>

Stack:
ASSERTION FAILED: isParsingFragment() (..\html\parser\HTMLTreeBuilder.cpp:1852 WebCore::HTMLTreeBuilder::processEndTagForInCell)
(b48.1884): Break instruction exception - code 80000003 (first chance)
*** WARNING: Unable to verify checksum for D:\chromium\src\chrome\Debug\chrome.dll
ExceptionAddress: 59f2ff42 (chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTagForInCell+0x00000202)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 00000000
ChildEBP RetAddr
0584edbc 59f314f1 chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTagForInCell( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x202
0584ee08 59f29c5a chrome_57e50000!WebCore::HTMLTreeBuilder::processEndTag( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x721
0584ee1c 59f29a53 chrome_57e50000!WebCore::HTMLTreeBuilder::processToken( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x7a
0584ee30 59f29483 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken( class WebCore::AtomicHTMLToken * token = 0x0584ee44)+0x23
0584ee68 59ee8324 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromToken( class WebCore::HTMLToken * rawToken = 0x0554d05c)+0x33
0584eea4 59ee7f0f chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizer( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x174
0584eeb4 59ee8aa8 chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x7f
0584eedc 59aaceb7 chrome_57e50000!WebCore::HTMLDocumentParser::append( class WebCore::SegmentedString * source = 0x0584eef0)+0xb8
0584ef3c 5986ad47 chrome_57e50000!WebCore::DecodedDataDocumentParser::appendBytes( class WebCore::DocumentWriter * writer = 0x0557518c, char * data = 0x00000000 "", int length = 0, bool shouldFlush = true)+0xb7

Testcase 2: <table><isindex action='1'>

Stack:
ASSERTION FAILED: m_tree.currentElement()->hasTagName(formTag) (..\html\parser\HTMLTreeBuilder.cpp:546 WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody)
(1360.13ec): Break instruction exception - code 80000003 (first chance)
*** WARNING: Unable to verify checksum for D:\chromium\src\chrome\Debug\chrome.dll
ExceptionAddress: 59f2a50c (chrome_57e50000!WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody+0x0000015c)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 00000000
ChildEBP RetAddr
056dea2c 59f2bd73 chrome_57e50000!WebCore::HTMLTreeBuilder::processIsindexStartTagForInBody( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x15c
056dea84 59f2c99c chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTagForInBody( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0xe03
056deab0 59f2d141 chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTagForInTable( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x3fc
056debe4 59f29c4c chrome_57e50000!WebCore::HTMLTreeBuilder::processStartTag( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x541
056debf8 59f29a53 chrome_57e50000!WebCore::HTMLTreeBuilder::processToken( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x6c
056dec0c 59f29483 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken( class WebCore::AtomicHTMLToken * token = 0x056dec20)+0x23
056dec44 59ee8324 chrome_57e50000!WebCore::HTMLTreeBuilder::constructTreeFromToken( class WebCore::HTMLToken * rawToken = 0x0570e05c)+0x33
056dec80 59ee7f0f chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizer( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x174
056dec90 59ee8aa8 chrome_57e50000!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible( WebCore::HTMLDocumentParser::SynchronousMode mode = AllowYield (0))+0x7f
056decb8 59aaceb7 chrome_57e50000!WebCore::HTMLDocumentParser::append( class WebCore::SegmentedString * source = 0x056deccc)+0xb8
056ded18 5986ad47 chrome_57e50000!WebCore::DecodedDataDocumentParser::appendBytes( class WebCore::DocumentWriter * writer = 0x0573618c, char * data = 0x00000000 "", int length = 0, bool shouldFlush = true)+0xb7
056ded3c 5986ae0c chrome_57e50000!WebCore::DocumentWriter::addData( char * str = 0x00000000 "", int len = 0, bool flush = true)+0x67
Attachments
Patch (2.78 KB, patch)
2010-10-05 12:19 PDT, Adam Barth
no flags
Adam Barth
Comment 1 2010-10-05 11:21:03 PDT
Yessir. Will look today.
Abhishek Arya
Comment 2 2010-10-05 11:37:50 PDT
Thanks a lot Adam.
Adam Barth
Comment 3 2010-10-05 12:08:30 PDT
The ASSERT is wrong. Our behavior is correct.
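Comment 3 says the behaviour, not the assertion, was right. As an added illustration (not code from the bug or from WebKit), the following Python model of the HTML5 tree builder's "in cell" end-tag rule shows why <table><td></tfoot> reaches that branch during ordinary document parsing and why ignoring the stray end tag is the correct result; the stack layout after <table><td> and the simplified cell closing are assumptions of the model.

```python
# Added example, not code from the bug report or from WebKit: a small Python
# model of the HTML5 tree builder's "in cell" insertion mode. It assumes the
# spec's stack of open elements after "<table><td>" (tbody and tr are implied)
# and simplifies cell closing to popping through the td.

TABLE_SCOPE_BOUNDARY = {"html", "table", "template"}
TABLE_SECTION_END_TAGS = {"table", "tbody", "tfoot", "thead", "tr"}


def has_element_in_table_scope(stack, name):
    """Spec 'has an element in table scope': search from the current node
    down the stack, stopping at html, table or template."""
    for node in reversed(stack):
        if node == name:
            return True
        if node in TABLE_SCOPE_BOUNDARY:
            return False
    return False


def open_table_cell():
    """State after parsing '<table><td>' in a normal document: the builder
    implies tbody and tr, inserts td and switches to the 'in cell' mode."""
    return ["html", "body", "table", "tbody", "tr", "td"], "in cell"


def process_end_tag_in_cell(stack, name, errors):
    """'In cell' rule for </table>, </tbody>, </tfoot>, </thead> and </tr>.
    Returns (stack, insertion mode); parse errors are appended to errors."""
    if name not in TABLE_SECTION_END_TAGS:
        raise NotImplementedError("only table/section/row end tags modelled")
    if not has_element_in_table_scope(stack, name):
        # Parse error; ignore the token. This branch is reachable from plain
        # document parsing, so an assertion that only fragment parsing gets
        # here (WebKit's ASSERT(isParsingFragment())) does not hold.
        errors.append(f"parse error: stray </{name}> ignored")
        return stack, "in cell"
    # Otherwise close the cell: pop through the td and move to 'in row',
    # where the real builder would reprocess the same token.
    while stack.pop() != "td":
        pass
    return stack, "in row"


def run_testcase(end_tag):
    """Run '<table><td></END_TAG>' through the model and report the result."""
    stack, mode = open_table_cell()
    errors = []
    stack, mode = process_end_tag_in_cell(stack, end_tag, errors)
    return stack, mode, errors
```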
Abhishek Arya
Comment 4 2010-10-05 12:10:08 PDT
Thanks Adam for the quick response. One less security bug :)
Adam Barth
Comment 5 2010-10-05 12:19:39 PDT
WebKit Commit Bot
Comment 6 2010-10-05 20:04:29 PDT
Comment on attachment 69827: Patch
Clearing flags on attachment: 69827
Committed r69170: <http://trac.webkit.org/changeset/69170>
WebKit Commit Bot
Comment 7 2010-10-05 20:04:34 PDT
All reviewed patches have been landed. Closing bug.