RESOLVED FIXED 48789
REGRESSION(49798): Crash in HTMLObjectElement::parseMappedAttribute
https://bugs.webkit.org/show_bug.cgi?id=48789
Summary REGRESSION(49798): Crash in HTMLObjectElement::parseMappedAttribute
David Levin
Reported 2010-11-01 15:17:56 PDT
Load the given URL and refresh.

Stack Trace
------------
Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000008 )
0x02654732 [chrome.dll - stringimpl.cpp:195] WTF::StringImpl::lower()
0x02653b5e [chrome.dll - atomicstring.cpp:293] WTF::AtomicString::lower()
0x02171c08 [chrome.dll - htmlobjectelement.cpp:71] WebCore::HTMLObjectElement::parseMappedAttribute(WebCore::Attribute *)
0x021dda1c [chrome.dll - styledelement.cpp:183] WebCore::StyledElement::attributeChanged(WebCore::Attribute *,bool)
0x021db8e8 [chrome.dll - namednodemap.cpp:296] WebCore::NamedNodeMap::removeAttribute(WebCore::QualifiedName const &)
0x020ffa5a [chrome.dll - element.cpp:592] WebCore::Element::setAttribute(WebCore::QualifiedName const &,WTF::AtomicString const &,int &)
0x021cf659 [chrome.dll - v8binding.cpp:569] WebCore::setElementStringAttr(v8::AccessorInfo const &,WebCore::QualifiedName const &,v8::Local<v8::Value>)
0x02695cdb [chrome.dll - v8htmlulistelement.cpp:67] WebCore::HTMLUListElementInternal::typeAttrSetter
0x027fd186 [chrome.dll - objects.cc:1581] v8::internal::JSObject::SetPropertyWithCallback(v8::internal::Object *,v8::internal::String *,v8::internal::Object *,v8::internal::JSObject *)

Related chromium bug: http://code.google.com/p/chromium/issues/detail?id=55345
Attachments
Patch (3.83 KB, patch)
2010-11-01 16:19 PDT, Eric Seidel (no email)
no flags
Patch for landing (3.23 KB, patch)
2010-11-04 08:49 PDT, Eric Seidel (no email)
no flags
Eric Seidel (no email)
Comment 1 2010-11-01 16:00:14 PDT
I've found the problem. When AtomicString::lower() was optimized, the contract of "it's always safe to call member functions even when the string is null" was broken.
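The failure mode Comment 1 describes, as an added illustration that is not WebKit's code: a minimal model of a ref-counted string wrapper (names StringModel/StringImplModel and the parseTypeAttribute handler are assumptions) whose members are contractually safe to call on a null string. The "unchecked" lower() mirrors the shape of the regression (an unconditional dereference of the impl, which on a null string reads through a null pointer, matching the small-offset access violation in the report), and the checked lower() restores the contract by mapping a null string to a null string, which is exactly the case hit when an attribute is removed and the element's parse hook is called with a null value.

```cpp
// Added illustration (not WebKit's code): a minimal model of a ref-counted
// string wrapper whose members must be safe to call when the string is null.
#include <cctype>
#include <memory>
#include <string>
#include <utility>

// Stand-in for an immutable string implementation (name is an assumption).
struct StringImplModel {
    std::string chars;
    explicit StringImplModel(std::string s) : chars(std::move(s)) {}

    // Returns a new impl with every character lower-cased.
    std::shared_ptr<StringImplModel> lower() const {
        std::string out = chars;
        for (char& c : out)
            c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        return std::make_shared<StringImplModel>(out);
    }
};

// The wrapper. A null wrapper (m_impl == nullptr) is a valid, expected state,
// e.g. the value handed to an attribute-changed hook after the attribute was removed.
class StringModel {
public:
    StringModel() = default;   // the null string
    explicit StringModel(const char* s) : m_impl(std::make_shared<StringImplModel>(s)) {}

    bool isNull() const { return !m_impl; }
    std::string value() const { return m_impl ? m_impl->chars : std::string(); }

    // BROKEN (shape of the regression): dereferences m_impl unconditionally.
    // On a null string this is a null-pointer read; never call it on a null string.
    StringModel lowerUnchecked() const {
        return StringModel(m_impl->lower());
    }

    // FIXED: honour the contract. A null string lower-cases to a null string.
    StringModel lower() const {
        if (!m_impl)
            return StringModel();
        return StringModel(m_impl->lower());
    }

private:
    explicit StringModel(std::shared_ptr<StringImplModel> impl) : m_impl(std::move(impl)) {}
    std::shared_ptr<StringImplModel> m_impl;
};

// Element-side handler modelled on the stack in the report: the attribute value
// is lower-cased before it is interpreted. When the attribute has just been
// removed the value is null, and the handler must cope with that.
// Returns true when a type was parsed, false when the attribute is absent.
bool parseTypeAttribute(const StringModel& value, std::string& outType) {
    StringModel lowered = value.lower();   // safe on null with the fixed lower()
    if (lowered.isNull()) {
        outType.clear();
        return false;
    }
    outType = lowered.value();
    return true;
}
```

The practical check for a wrapper like this is a unit test that exercises every member on a default-constructed (null) instance; an optimization that replaces a null-tolerant call path with a direct dereference is caught immediately, instead of surfacing as a crash reachable from script by assigning null to a reflected attribute.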
Eric Seidel (no email)
Comment 2 2010-11-01 16:19:29 PDT
Eric Seidel (no email)
Comment 3 2010-11-01 16:20:19 PDT
--suggest-reviewers may have gone a little overboard on this one. Please feel free to remove yourself from the CC list if you're not interested in this patch.
Gavin Barraclough
Comment 4 2010-11-01 16:22:38 PDT
Comment on attachment 72588 [details] Patch Looks good
WebKit Commit Bot
Comment 5 2010-11-02 13:32:58 PDT
Comment on attachment 72588 [details] Patch

Rejecting patch 72588 from commit-queue.

Failed to run "['./WebKitTools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=abarth-cq-sl', 'apply-attachment', '--force-clean', '--non-interactive', 72588]" exit_code: 2

Last 500 characters of output:
fuzz 3.
patching file LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash-expected.txt
patching file LayoutTests/fast/dom/HTMLObjectElement/set-type-to-null-crash.html
patching file WebCore/WebCore.xcodeproj/project.pbxproj
Hunk #1 FAILED at 21305.
1 out of 1 hunk FAILED -- saving rejects to file WebCore/WebCore.xcodeproj/project.pbxproj.rej
Failed to run "[u'/Users/abarth/git/webkit-queue/WebKitTools/Scripts/svn-apply', u'--reviewer', u'Gavin Barraclough', u'--force']" exit_code: 1

Full output: http://queues.webkit.org/results/5008013
Eric Seidel (no email)
Comment 6 2010-11-04 08:49:10 PDT
Created attachment 72946 [details] Patch for landing
WebKit Commit Bot
Comment 7 2010-11-04 10:31:56 PDT
Comment on attachment 72946 [details] Patch for landing

Clearing flags on attachment: 72946

Committed r71345: <http://trac.webkit.org/changeset/71345>
WebKit Commit Bot
Comment 8 2010-11-04 10:32:02 PDT
All reviewed patches have been landed. Closing bug.