Bug 50444 - chrome.dll!WebCore::Document::write ReadAV@NULL (64769eadff629b4366f33eb18eb92124)
Summary: chrome.dll!WebCore::Document::write ReadAV@NULL (64769eadff629b4366f33eb18eb9...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: All All
Importance: P1 Normal
Assignee: Nobody
URL: http://code.google.com/p/chromium/iss...
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-03 01:48 PST by Berend-Jan Wever
Modified: 2010-12-20 00:46 PST

See Also:


Attachments
Repro (345 bytes, application/x-zip-compressed)
2010-12-03 01:48 PST, Berend-Jan Wever
no flags
Variation repro (501 bytes, application/x-zip-compressed)
2010-12-20 00:46 PST, Berend-Jan Wever
no flags

Description Berend-Jan Wever 2010-12-03 01:48:41 PST
Created attachment 75475 [details]
Repro

Repro:
<script>
  window.open('repro.wav', 'test');
  setTimeout(function () {
    window.open('javascript:document.write("Ja");', 'test');
  }, 1000);
</script>
Must be hosted on a server because of file:// SOP restrictions.


id:             chrome.dll!WebCore::Document::write ReadAV@NULL (64769eadff629b4366f33eb18eb92124)
description:    Attempt to read from unallocated NULL pointer in chrome.dll!WebCore::Document::write
application:    Chromium 9.0.598.0
stack:          chrome.dll!WebCore::Document::write
                chrome.dll!WebCore::V8HTMLDocument::writeCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...
Comment 1 Alexey Proskuryakov 2010-12-03 10:08:17 PST
Also crashes Safari 5.0.3 on Mac (can be opened from a local file here).
Comment 2 Adam Barth 2010-12-03 16:16:01 PST
I suspect this problem is that MediaDocument (or whatever) isn't really an HTMLDocument or doesn't have a legit HTMLDocumentParser.
Comment 3 Alexey Proskuryakov 2010-12-03 16:22:22 PST
See also: bug 25397.
Comment 4 Berend-Jan Wever 2010-12-20 00:46:33 PST
Created attachment 76980 [details]
Variation repro

I found a variation that also crashes with a NULL pointer but in a different part of the code. I expect this to be the same issue:
Repro.html:
<script>
  window.open('repro2.html', 'test2');
</script>

Repro2.html:
<script>
  window.open('repro.mid', 'test');
  setTimeout(function () {
    window.open('javascript:document.open("");parent.document.close()', 'test');
    location.reload();
  }, 100);
</script>

Repro.mid could be any MIDI file; the repro should be loaded off a server with correct MIME types to work.

id:             chrome.dll!WebCore::ResourceLoader::setShouldBufferData WriteAV@NULL (a07e47074c4b3b824a30d4fa9bef4782)
description:    Attempt to write to unallocated NULL pointer+0x25D in chrome.dll!WebCore::ResourceLoader::setShouldBufferData
application:    Chromium 10.0.617.0
stack:          chrome.dll!WebCore::ResourceLoader::setShouldBufferData
                chrome.dll!WebCore::PluginDocumentParser::appendBytes
                chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
                chrome.dll!WebCore::Document::close
                chrome.dll!WebCore::HTMLDocumentInternal::closeCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...
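The hypothesis in Comment 2 (the target window holds a media document that never created an HTMLDocumentParser, so document.write dereferences a null parser) can be modelled in a few lines. This is an added illustrative example, not WebKit's code or its fix: the classes DocumentParser, Document, HTMLDocument, MediaDocument and the functions writeUnchecked/writeChecked are simplified stand-ins, and the "hardened" variant only shows the shape of the check (reject the write when the document cannot accept markup).

```cpp
// Simplified model of the document/parser relationship from Comment 2.
// Hypothetical types; not WebCore's actual class layout or fix.
#include <memory>
#include <string>

struct DocumentParser {
    std::string buffer;
    void insert(const std::string& text) { buffer += text; }
};

struct Document {
    virtual ~Document() = default;
    virtual bool isHTMLDocument() const { return false; }
    // Only HTML documents own a parser; a document built from a non-HTML
    // main resource (a .wav or .mid in the report) never creates one.
    DocumentParser* parser() const { return m_parser.get(); }
protected:
    std::unique_ptr<DocumentParser> m_parser;
};

struct HTMLDocument : Document {
    HTMLDocument() { m_parser = std::make_unique<DocumentParser>(); }
    bool isHTMLDocument() const override { return true; }
};

struct MediaDocument : Document {};  // no parser, matching the crash

// Before: assumes whatever document the named window holds is an
// HTMLDocument. Against a MediaDocument this is the ReadAV@NULL.
void writeUnchecked(Document& doc, const std::string& text) {
    doc.parser()->insert(text);
}

// After: check the dynamic type and the parser before using it; a
// script writing into a media document is ignored, not crashed on.
bool writeChecked(Document& doc, const std::string& text) {
    if (!doc.isHTMLDocument() || !doc.parser())
        return false;
    doc.parser()->insert(text);
    return true;
}

// Small drivers so the two cases can be checked without a debugger.
bool writeToMediaDocumentIsRejected() {
    MediaDocument media;
    return !writeChecked(media, "Ja");
}
std::string writeToHTMLDocument() {
    HTMLDocument html;
    writeChecked(html, "Ja");
    return html.parser()->buffer;
}
```

Calling writeUnchecked on a MediaDocument reproduces the null dereference the crash signature describes, which is why it is defined but never invoked here.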