Bug 56773 - REGRESSION(81035): crash in RenderDetails::removeChild
Summary: REGRESSION(81035): crash in RenderDetails::removeChild
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
: P2 Normal
Assignee: Luiz Agostini
URL: http://runescape.wikia.com/wiki/Speci...
Keywords: InRadar
Depends on: 51071
  Show dependency treegraph
Reported: 2011-03-21 15:34 PDT by James Robinson
Modified: 2011-04-04 10:17 PDT (History)
10 users (show)

See Also:

patch (3.65 KB, patch)
2011-03-22 10:52 PDT, Luiz Agostini
no flags Details | Formatted Diff | Diff
patch (3.65 KB, patch)
2011-03-22 11:28 PDT, Luiz Agostini
jamesr: review-
Details | Formatted Diff | Diff
patch (6.11 KB, patch)
2011-03-22 13:48 PDT, Luiz Agostini
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description James Robinson 2011-03-21 15:34:54 PDT
The URL above crashes after r81035.  stack:

#0  0x00000000016e2e3f in WebCore::RenderDetails::removeChild (this=0x7fffc0b2c6d8, oldChild=0x7fffc1306018)
    at third_party/WebKit/Source/WebCore/rendering/RenderDetails.cpp:94
#1  0x0000000000c032db in WebCore::RenderObject::remove (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderObject.h:752
#2  0x000000000164cef2 in WebCore::RenderObject::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2187
#3  0x00000000015e31a9 in WebCore::RenderBoxModelObject::destroy (this=0x7fffc1306018)
    at third_party/WebKit/Source/WebCore/rendering/RenderBoxModelObject.cpp:277
#4  0x00000000015d11a1 in WebCore::RenderBox::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:211
#5  0x0000000001589f54 in WebCore::RenderBlock::destroy (this=0x7fffc1306018) at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:193
#6  0x000000000164f884 in WebCore::RenderObjectChildList::destroyLeftoverChildren (this=0x7fffc0b2c768)
    at third_party/WebKit/Source/WebCore/rendering/RenderObjectChildList.cpp:59
#7  0x0000000001589dcc in WebCore::RenderBlock::destroy (this=0x7fffc0b2c6d8) at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:158
#8  0x00000000016e2c27 in WebCore::RenderDetails::destroy (this=0x7fffc0b2c6d8) at third_party/WebKit/Source/WebCore/rendering/RenderDetails.cpp:52
#9  0x0000000000c55d15 in WebCore::Node::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/Node.cpp:1306
#10 0x0000000000be0cc9 in WebCore::ContainerNode::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:731
#11 0x0000000000c36981 in WebCore::Element::detach (this=0x7fffc0b2bb40) at third_party/WebKit/Source/WebCore/dom/Element.cpp:987
#12 0x0000000000be02af in WebCore::ContainerNode::removeChildren (this=0x7fffc1309990)
    at third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:536
#13 0x000000000170126a in WebCore::replaceChildrenWithFragment (element=0x7fffc1309990, fragment=..., ec=@0x7fffffffb5cc)
    at third_party/WebKit/Source/WebCore/html/HTMLElement.cpp:322
#14 0x0000000001701602 in WebCore::HTMLElement::setInnerHTML (this=0x7fffc1309990, html=..., ec=@0x7fffffffb5cc)
    at third_party/WebKit/Source/WebCore/html/HTMLElement.cpp:368
Comment 1 James Robinson 2011-03-21 15:36:20 PDT
innerHTML is being set on a <section> that contains a <details> element. Here's the showTree() output for the node that innerHTML is being set on immediately before the crash:

*			SECTION	0x7fffc0e783f0 CLASS=WikiaPagesOnWikiModule module
				#text	0x7fffc0e7bf50 "\n	"
				H1	0x7fffc0e78360
					#text	0x7fffc0e7bee0 "Pages on RuneScape Wiki"
				#text	0x7fffc0e7be70 "\n	"
				A	0x7fffc1f5f000 CLASS=wikia-button createpage
					IMG	0x7fffc0e7ec40 CLASS=sprite new
					#text	0x7fffc1473a80 "Add a Page"
				#text	0x7fffc1473a10 "	"
				DETAILS	0x7fffc1474f00 CLASS=tally
					#text	0x7fffc1473770 "\n		"
					EM	0x7fffc0e78240
						#text	0x7fffc1473700 "17,135"
					SPAN	0x7fffc0e781b0 CLASS=fixedwidth
						#text	0x7fffc1473620 "pages on this wiki"
					#text	0x7fffc14735b0 "	"
				#text	0x7fffc1473540 "\n"
Comment 2 Abhishek Arya 2011-03-22 09:10:21 PDT
This introduced multiple security regressions including this one and another one in acccessibility code. See testcase in http://trac.webkit.org/changeset/81648 in Chrome.

Luiz, can you please take a look.
Comment 3 Luiz Agostini 2011-03-22 09:21:46 PDT
(In reply to comment #2)
> This introduced multiple security regressions including this one and another one in acccessibility code. See testcase in http://trac.webkit.org/changeset/81648 in Chrome.
> Luiz, can you please take a look.

Comment 4 Alexey Proskuryakov 2011-03-22 10:25:12 PDT
Comment 5 Luiz Agostini 2011-03-22 10:52:18 PDT
Created attachment 86477 [details]
Comment 6 Luiz Agostini 2011-03-22 11:28:18 PDT
Created attachment 86485 [details]

bad spelling in changelog.
Comment 7 James Robinson 2011-03-22 11:39:44 PDT
Comment on attachment 86485 [details]

This needs at least one test
Comment 8 Luiz Agostini 2011-03-22 13:48:43 PDT
Created attachment 86499 [details]
Comment 9 Dave Hyatt 2011-03-23 12:01:38 PDT
Comment on attachment 86499 [details]

Comment 10 WebKit Commit Bot 2011-03-23 15:04:31 PDT
Comment on attachment 86499 [details]

Clearing flags on attachment: 86499

Committed r81812: <http://trac.webkit.org/changeset/81812>
Comment 11 WebKit Commit Bot 2011-03-23 15:04:36 PDT
All reviewed patches have been landed.  Closing bug.