50444 – chrome.dll!WebCore::Document::write ReadAV@NULL (64769eadff629b4366f33eb18eb92124)

NEW 50444

chrome.dll!WebCore::Document::write ReadAV@NULL (64769eadff629b4366f33eb18eb92124)

https://bugs.webkit.org/show_bug.cgi?id=50444

Summary chrome.dll!WebCore::Document::write ReadAV@NULL (64769eadff629b4366f33eb18eb9...

Berend-Jan Wever

Reported 2010-12-03 01:48:41 PST

Created attachment 75475 [details] Repro Repro: <script> window.open('repro.wav', 'test'); setTimeout(function () { window.open('javascript:document.write("Ja");', 'test'); }, 1000); </script> Must be hosted on a server because of file:// SOP restrictions. id: chrome.dll!WebCore::Document::write ReadAV@NULL (64769eadff629b4366f33eb18eb92124) description: Attempt to read from unallocated NULL pointer in chrome.dll!WebCore::Document::write application: Chromium 9.0.598.0 stack: chrome.dll!WebCore::Document::write chrome.dll!WebCore::V8HTMLDocument::writeCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...

Attachments
Repro (345 bytes, application/x-zip-compressed) 2010-12-03 01:48 PST, Berend-Jan Wever	no flags	Details
Variation repro (501 bytes, application/x-zip-compressed) 2010-12-20 00:46 PST, Berend-Jan Wever	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2010-12-03 10:08:17 PST

Also crashes Safari 5.0.3 on Mac (can be opened from a local file here).

Adam Barth

Comment 2 2010-12-03 16:16:01 PST

I suspect this problem is that MediaDocument (or whatever) isn't really an HTMLDocument or don't have a legit HTMLDocumentParser.

Alexey Proskuryakov

Comment 3 2010-12-03 16:22:22 PST

See also: bug 25397.

Berend-Jan Wever

Comment 4 2010-12-20 00:46:33 PST

Created attachment 76980 [details] Variation repro I found a variation that also crashes with a NULL pointer but in a different part of the code. I expect this to be the same issue: Repro.html: <script> window.open('repro2.html', 'test2'); </script> Repro2.html: <script> window.open('repro.mid', 'test'); setTimeout(function () { window.open('javascript:document.open("");parent.document.close()', 'test'); location.reload(); }, 100); </script> Repro.mid could be any midi file, repro should be loaded off a server with correct mime types to work. id: chrome.dll!WebCore::ResourceLoader::setShouldBufferData WriteAV@NULL (a07e47074c4b3b824a30d4fa9bef4782) description: Attempt to write to unallocated NULL pointer+0x25D in chrome.dll!WebCore::ResourceLoader::setShouldBufferData application: Chromium 10.0.617.0 stack: chrome.dll!WebCore::ResourceLoader::setShouldBufferData chrome.dll!WebCore::PluginDocumentParser::appendBytes chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource chrome.dll!WebCore::Document::close chrome.dll!WebCore::HTMLDocumentInternal::closeCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component DOM

Assignee

Nobody

Reported

2010-12-03 01:48 PST

Modified

2010-12-20 00:46 PST History

CC List

3 users Show

URL

http://code.google.com/p/chromium/issues/detail?id=65260

Keywords

Depends on

Blocks