Bug 61774 - ASSERT in WebCore::HTMLToken::appendToAttributeName when visiting www.nba.com
Summary: ASSERT in WebCore::HTMLToken::appendToAttributeName when visiting www.nba.com
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML DOM
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Critical
Assignee: Adam Barth
URL: http://www.nba.com
Keywords:
Duplicates: 62958
Depends on:
Blocks:
 
Reported: 2011-05-31 02:14 PDT by Sergio Villar Senin
Modified: 2011-06-20 10:51 PDT

See Also:


Attachments
Patch (3.96 KB, patch), 2011-06-20 02:51 PDT, Adam Barth, no flags
Patch for landing (4.01 KB, patch), 2011-06-20 10:08 PDT, Adam Barth, no flags

Description Sergio Villar Senin 2011-05-31 02:14:48 PDT
ASSERTION FAILED: m_currentAttribute->m_nameRange.m_start
../../Source/WebCore/html/parser/HTMLToken.h(211) : void WebCore::HTMLToken::appendToAttributeName(UChar)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3b56561 in WebCore::HTMLToken::appendToAttributeName (this=0x18de740, character=60)
    at ../../Source/WebCore/html/parser/HTMLToken.h:211
211	        ASSERT(m_currentAttribute->m_nameRange.m_start);
(gdb) bt
#0  0x00007ffff3b56561 in WebCore::HTMLToken::appendToAttributeName (this=0x18de740, character=60)
    at ../../Source/WebCore/html/parser/HTMLToken.h:211
#1  0x00007ffff3b501e5 in WebCore::HTMLTokenizer::nextToken (this=0x18e18a0, source=..., token=...)
    at ../../Source/WebCore/html/parser/HTMLTokenizer.cpp:898
#2  0x00007ffff3b3d372 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x18de690, mode=WebCore::HTMLDocumentParser::AllowYield)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:265
#3  0x00007ffff3b3ce1c in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x18de690, mode=
    WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:175
#4  0x00007ffff3b3de87 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x18de690)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:479
#5  0x00007ffff3b3e199 in WebCore::HTMLDocumentParser::notifyFinished (this=0x18de690, cachedResource=0x1de9a90)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:524
#6  0x00007ffff3c3d296 in WebCore::CachedResource::checkNotify (this=0x1de9a90)
    at ../../Source/WebCore/loader/cache/CachedResource.cpp:151
#7  0x00007ffff3c4fbed in WebCore::CachedScript::data (this=0x1de9a90, data=..., allDataReceived=true)
    at ../../Source/WebCore/loader/cache/CachedScript.cpp:104
#8  0x00007ffff3c4e835 in WebCore::CachedResourceRequest::didFinishLoading (this=0x1de9620, loader=0x1dec080)
    at ../../Source/WebCore/loader/cache/CachedResourceRequest.cpp:164
#9  0x00007ffff3cb3fc0 in WebCore::SubresourceLoader::didFinishLoading (this=0x1dec080, finishTime=0)
    at ../../Source/WebCore/loader/SubresourceLoader.cpp:197
#10 0x00007ffff3cab23f in WebCore::ResourceLoader::didFinishLoading (this=0x1dec080, finishTime=0)
    at ../../Source/WebCore/loader/ResourceLoader.cpp:449
#11 0x00007ffff41e224a in WebCore::readCallback (source=0x1651900, asyncResult=0x7fffd80121e0, data=0x0)
    at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:792
#12 0x00007ffff08b2b3f in async_ready_callback_wrapper (source_object=0x1651900, res=0x7fffd80121e0, user_data=0x0) at ginputstream.c:470
#13 0x00007ffff08c7d75 in g_simple_async_result_complete (simple=0x7fffd80121e0) at gsimpleasyncresult.c:747
#14 0x00007ffff7f94e80 in read_async_done (stream=0x1651900) at soup-http-input-stream.c:723
#15 0x00007ffff7f93fe3 in soup_http_input_stream_finished (msg=0x16171c0, stream=0x1651900) at soup-http-input-stream.c:310
#16 0x00007fffefb2c03b in g_cclosure_marshal_VOID__VOID (closure=0x1dee100, return_value=0x0, n_param_values=1, param_values=0x13ea540, 
    invocation_hint=0x7fffffffc2d0, marshal_data=0x0) at gmarshal.c:79
#17 0x00007fffefb1216f in g_closure_invoke (closure=0x1dee100, return_value=0x0, n_param_values=1, param_values=0x13ea540, 
    invocation_hint=0x7fffffffc2d0) at gclosure.c:767
#18 0x00007fffefb2b741 in signal_emit_unlocked_R (node=0x128e0f0, detail=0, instance=0x16171c0, emission_return=0x0, instance_and_params=
    0x13ea540) at gsignal.c:3252
#19 0x00007fffefb2a686 in g_signal_emit_valist (instance=0x16171c0, signal_id=470, detail=0, var_args=0x7fffffffc560) at gsignal.c:2983
#20 0x00007fffefb2ac19 in g_signal_emit (instance=0x16171c0, signal_id=470, detail=0) at gsignal.c:3040
#21 0x00007ffff7f9834a in soup_message_finished (msg=0x16171c0) at soup-message.c:1086
#22 0x00007ffff7fad503 in process_queue_item (item=0x132c230, should_prune=0x7fffffffc6d4, loop=1) at soup-session-async.c:376
#23 0x00007ffff7fad6a4 in run_queue (sa=0x6daed0) at soup-session-async.c:418
#24 0x00007ffff7fad74b in idle_run_queue (sa=0x6daed0) at soup-session-async.c:441
#25 0x00007fffeeffd953 in g_idle_dispatch (source=0x14f7890, callback=0x7ffff7fad70d <idle_run_queue>, user_data=0x6daed0) at gmain.c:4545
#26 0x00007fffeeff9aec in g_main_dispatch (context=0x52d270) at gmain.c:2440
#27 0x00007fffeeffb07c in g_main_context_dispatch (context=0x52d270) at gmain.c:3013
#28 0x00007fffeeffb542 in g_main_context_iterate (context=0x52d270, block=1, dispatch=1, self=0x4f9880) at gmain.c:3091
#29 0x00007fffeeffbcd9 in g_main_loop_run (loop=0x5c0d80) at gmain.c:3299
#30 0x00007ffff2706755 in gtk_main () at gtkmain.c:1358
#31 0x00000000004348e1 in main (argc=1, argv=0x7fffffffdac8) at ephy-main.c:747
Comment 1 Naiem 2011-06-01 03:56:03 PDT
Hi, is anybody looking into this?
Comment 2 Alexey Proskuryakov 2011-06-19 22:41:28 PDT
Same as bug 62958?
Comment 3 Eric Seidel 2011-06-19 23:33:27 PDT
Is this a recent regression?
Comment 4 Adam Barth 2011-06-20 00:22:57 PDT
Does this crash in release builds, or is this just an ASSERT?
Comment 5 Adam Barth 2011-06-20 01:06:32 PDT
*** Bug 62958 has been marked as a duplicate of this bug. ***
Comment 6 Alexey Proskuryakov 2011-06-20 01:21:23 PDT
Bug 62958 has analysis in it:

-------------------------
if there is an attribute in the end tag of script, like this:

<script class="value">
...
</script class="value">

function appendToAttributeName in file HTMLToken.h asserts in debug builds
-------------------------
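The trigger quoted above is an end tag that carries attributes while the tokenizer is still in the script data states. What follows is an added example, not WebKit code and not taken from the patch on this bug: a small Python model of the WHATWG tokenizer's script data, end tag name and attribute states, so the expected outcome for `</script class="value">` can be checked offline. The model shows that the end tag is still the "appropriate" one and closes the script, that the attribute is recorded on the end tag and flagged as a parse error (the tree builder ignores it), and that a non-matching end tag such as `</scriptx>` stays script text. EndTag, tokenize_script_data and the parse-error names are this example's own; it says nothing about which WebKit state mishandled the attribute.

```python
"""Model of the HTML tokenizer states exercised by an end tag with attributes.

Added example, not WebKit code: it follows the WHATWG tokenizer's script data,
end tag name and attribute states so the expected result for the trigger in
comment 6 (</script class="value">) can be checked offline. EndTag,
tokenize_script_data and the parse-error strings are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SPACE = "\t\n\f "          # whitespace that ends a tag name per the spec


@dataclass
class EndTag:
    name: str = ""
    attrs: List[Tuple[str, str]] = field(default_factory=list)
    self_closing: bool = False
    errors: List[str] = field(default_factory=list)   # parse errors seen


def tokenize_script_data(src: str, last_start_tag: str = "script"):
    """Consume `src` starting in the 'script data' state, i.e. just after the
    <script> start tag. Returns (script_text, end_tag, rest): the raw script
    characters, the end tag that left script data (None if EOF came first)
    and the unconsumed text after that end tag.
    """
    i, n = 0, len(src)
    text: List[str] = []
    tag: Optional[EndTag] = None
    while True:
        if i >= n:                                  # EOF inside script data
            return "".join(text), None, ""
        if src[i] != "<" or i + 1 >= n or src[i + 1] != "/":
            text.append(src[i]); i += 1; continue   # plain script text
        j, name = i + 2, ""                         # script data end tag open
        while j < n and src[j].isascii() and src[j].isalpha():
            name += src[j]; j += 1                  # script data end tag name
        # Only the "appropriate" end tag, followed by whitespace, "/" or ">",
        # leaves script data; anything else is emitted as characters.
        if name.lower() != last_start_tag or j >= n or src[j] not in SPACE + "/>":
            text.append(src[i:j]); i = j; continue
        tag, i = EndTag(name=name.lower()), j
        break
    # Tag states: before/after attribute name, attribute value, self-closing.
    attrs: List[List[str]] = []                     # [name, value] being built
    state, quote = "before_name", '"'
    while i < n:
        c = src[i]; i += 1
        if state == "before_name":
            if c in SPACE: continue
            if c in "/>": i -= 1; state = "after_name"; continue
            if c == "=":                            # parse error, name is "="
                tag.errors.append("unexpected-equals-sign-before-attribute-name")
                attrs.append(["=", ""])
            else:
                attrs.append(["", ""]); i -= 1      # reconsume in name state
            state = "name"
        elif state == "name":
            if c in SPACE or c in "/>": i -= 1; state = "after_name"
            elif c == "=": state = "before_value"
            else: attrs[-1][0] += c.lower()
        elif state == "after_name":
            if c in SPACE: continue
            if c == "/": state = "self_closing"
            elif c == "=": state = "before_value"
            elif c == ">": break
            else: attrs.append(["", ""]); i -= 1; state = "name"
        elif state == "before_value":
            if c in SPACE: continue
            if c in "\"'": quote, state = c, "quoted"
            elif c == ">": tag.errors.append("missing-attribute-value"); break
            else: i -= 1; state = "unquoted"
        elif state == "quoted":
            if c == quote: state = "after_quoted"
            else: attrs[-1][1] += c
        elif state == "after_quoted":
            if c in SPACE: state = "before_name"
            elif c == "/": state = "self_closing"
            elif c == ">": break
            else:
                tag.errors.append("missing-whitespace-between-attributes")
                i -= 1; state = "before_name"
        elif state == "unquoted":
            if c in SPACE: state = "before_name"
            elif c == ">": break
            else: attrs[-1][1] += c
        elif state == "self_closing":
            if c == ">": tag.self_closing = True; break
            tag.errors.append("unexpected-solidus-in-tag"); i -= 1; state = "before_name"
    else:                                           # EOF while inside the tag
        tag.errors.append("eof-in-tag")
        return "".join(text), None, ""
    tag.attrs = [tuple(a) for a in attrs]
    # The tokenizer still records attributes on an end tag; the spec flags
    # them as parse errors and the tree builder ignores them.
    if tag.attrs: tag.errors.append("end-tag-with-attributes")
    if tag.self_closing: tag.errors.append("end-tag-with-trailing-solidus")
    return "".join(text), tag, src[i:]
```

Feeding the layout test's input, `tokenize_script_data('alert("PASS");\n</script class="value">')`, returns the script text, an EndTag named "script" with attrs `[("class", "value")]` and the error `end-tag-with-attributes`, which is the conforming outcome: the attribute does not prevent the end tag from closing the script, and a tokenizer that begins an attribute on an end tag must do the same bookkeeping it does for a start tag.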
Comment 7 Adam Barth 2011-06-20 02:51:49 PDT
Created attachment 97770 [details]
Patch
Comment 8 Alexey Proskuryakov 2011-06-20 09:07:25 PDT
Comment on attachment 97770 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=97770&action=review

> LayoutTests/fast/parser/attributes-on-close-script.html:2
> +<script class="value">

Do we actually need the attribute on opening tag? It makes the test slightly confusing (does it matter that the opening tag has an attribute? does it need to be the same on opening and closing tags?)

> LayoutTests/fast/parser/attributes-on-close-script.html:3
> +alert('PASS');

This is testing for an assertion failure, so test content or output should explain that ("PASS if no assertion failure occurred" would be sufficient).
Comment 9 Adam Barth 2011-06-20 10:03:46 PDT
(In reply to comment #8)
> (From update of attachment 97770 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=97770&action=review
> 
> > LayoutTests/fast/parser/attributes-on-close-script.html:2
> > +<script class="value">
> 
> Do we actually need the attribute on opening tag? It makes the test slightly confusing (does it matter that the opening tag has an attribute? does it need to be the same on opening and closing tags?)

It's not needed.  I'll remove it.

> > LayoutTests/fast/parser/attributes-on-close-script.html:3
> > +alert('PASS');
> 
> This is testing for an assertion failure, so test content or output should explain that ("PASS if no assertion failure occurred" would be sufficient).

Will do.

Thanks!
Comment 10 Adam Barth 2011-06-20 10:08:44 PDT
Created attachment 97818 [details]
Patch for landing
Comment 11 WebKit Review Bot 2011-06-20 10:51:53 PDT
Comment on attachment 97818 [details]
Patch for landing

Clearing flags on attachment: 97818

Committed r89258: <http://trac.webkit.org/changeset/89258>
Comment 12 WebKit Review Bot 2011-06-20 10:51:58 PDT
All reviewed patches have been landed.  Closing bug.