RESOLVED FIXED 66101
Two null crashes in Treebuilder
https://bugs.webkit.org/show_bug.cgi?id=66101
Summary Two null crashes in Treebuilder
Abhishek Arya
Reported 2011-08-11 14:44:46 PDT
Crashes don't look exploitable, but might be big stability issues.

Testcase1::
AAAA0AAAA0<iframe onload="document.write('<iframe onload=&quot;document.write(\'<script>\')&quot;>');document.close();">

/usr/local/google/home/aarya/chrome/src/out/Release/chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-desktop-notifications --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-geolocation --enable-indexed-database --enable-nacl --enable-native-web-workers --enable-search-provider-api-v2 --force-internal-pdf --incognito --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --no-sandbox --single-process --enable-gpu-plugin --enable-gpu-rendering --enable-accelerated-compositing --enable-webgl --enable-accelerated-2d-canvas --user-data-dir=/usr/local/google/home/aarya/FuzzTmp/t71

ASAN:SIGSEGV
==23678== ERROR: AddressSanitizer crashed on unknown address 0x0000000000000000 (pc 0x7f1dff2eeb80 sp 0x7f1de05f0750 bp 0x7f1de05f0760 ax 0x100000000000 T12)
AddressSanitizer can not provide additional info.
ABORTING
    #2 0x7f1dff2752a1 in WebCore::HTMLTreeBuilder::processEndOfFile(WebCore::AtomicHTMLToken&)
    #3 0x7f1dff268f51 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
    #4 0x7f1dff268995 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
    #5 0x7f1dff26887b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
    #6 0x7f1dff21f07c in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
    #7 0x7f1dff21e91d in WebCore::HTMLDocumentParser::prepareToStopParsing()
    #8 0x7f1dfef3522f in WebCore::Document::close()
    #9 0x7f1dfe6bb78a in WebCore::HTMLDocumentInternal::closeCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources03.cpp:0
    #10 0x7f1dfdb31a31 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #11 0x37beff93e14e in
    #12 0x37beff9662bd in
    #13 0x37beff966640 in
    #14 0x37beff958fe7 in
    #15 0x37beff942f7f in
    #16 0x7f1dfdb70bd3 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) v8/src/execution.cc:0
    #17 0x7f1dfdaf277d in v8::Function::Call(v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*)
    #18 0x7f1dff5e3fa6 in WebCore::V8Proxy::callFunction(v8::Handle<v8::Function>, v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*)
    #19 0x7f1dff5d6372 in WebCore::V8LazyEventListener::callListenerFunction(WebCore::ScriptExecutionContext*, v8::Handle<v8::Value>, WebCore::Event*)
    #20 0x7f1dffeed7ec in WebCore::V8AbstractEventListener::invokeEventHandler(WebCore::ScriptExecutionContext*, WebCore::Event*, v8::Handle<v8::Value>)
    #21 0x7f1dffeed512 in WebCore::V8AbstractEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
    #22 0x7f1dfefb5e80 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&)
    #23 0x7f1dfefb5a3f in WebCore::EventTarget::fireEventListeners(WebCore::Event*)
    #24 0x7f1dfefee631 in WebCore::Node::handleLocalEvents(WebCore::Event*)
    #25 0x7f1dfefa9626 in WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>)
    #26 0x7f1dfefa5db0 in WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const
    #27 0x7f1dfefa6226 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>)
    #28 0x7f1dfefeec84 in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>)
    #29 0x7f1dffca09f7 in WebCore::DOMWindow::dispatchLoadEvent()
    #30 0x7f1dfef3e2e3 in WebCore::Document::implicitClose()
    #31 0x7f1dffb934bd in WebCore::FrameLoader::checkCompleted()
    #32 0x7f1dffb8f6c8 in WebCore::FrameLoader::finishedParsing()
    #33 0x7f1dfef5c4c4 in WebCore::Document::finishedParsing()
    #34 0x7f1dff21e9e5 in WebCore::HTMLDocumentParser::prepareToStopParsing()
    #35 0x7f1dffb703c4 in WebCore::DocumentWriter::endIfNotLoadingMainResource()
    #36 0x7f1dffbaf649 in WebCore::FrameLoader::finishedLoading()
    #37 0x7f1dffbd4510 in WebCore::MainResourceLoader::didFinishLoading(double)
    #38 0x7f1dffbd2a68 in WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&)
    #39 0x7f1dffbd339e in WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction)
    #40 0x7f1dffbe6fba in WebCore::PolicyChecker::continueAfterContentPolicy(WebCore::PolicyAction)
    #41 0x7f1dfe56e692 in WebKit::FrameLoaderClientImpl::dispatchDecidePolicyForResponse(void (WebCore::PolicyChecker::*)(WebCore::PolicyAction), WebCore::ResourceResponse const&, WebCore::ResourceRequest const&)
    #42 0x7f1dffbd3d65 in WebCore::MainResourceLoader::didReceiveResponse(WebCore::ResourceResponse const&)
    #43 0x7f1dffbd4f90 in WebCore::MainResourceLoader::handleEmptyLoad(WebCore::KURL const&, bool)
    #44 0x7f1dffbd58f5 in WebCore::MainResourceLoader::loadNow(WebCore::ResourceRequest&)
    #45 0x7f1dffbd5ff8 in WebCore::MainResourceLoader::load(WebCore::ResourceRequest const&, WebCore::SubstituteData const&)
    #46 0x7f1dffb5fc89 in WebCore::DocumentLoader::startLoadingMainResource(unsigned long)
    #47 0x7f1dffbb0ac1 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm()
    #48 0x7f1dffba4551 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
    #49 0x7f1dffba49b8 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
    #50 0x7f1dffbe3c78 in WebCore::PolicyCallback::call(bool)
    #51 0x7f1dffbe646c in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)
    #52 0x7f1dfe56f785 in WebKit::FrameLoaderClientImpl::dispatchDecidePolicyForNavigationAction(void (WebCore::PolicyChecker::*)(WebCore::PolicyAction), WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>)
    #53 0x7f1dffbe52cb in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*)
    #54 0x7f1dffba2bdb in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)
    #55 0x7f1dffba11ab in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, bool, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)
    #56 0x7f1dffb98989 in WebCore::FrameLoader::loadURL(WebCore::KURL const&, WTF::String const&, WTF::String const&, bool, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::FormState>)
    #57 0x7f1dffb9453a in WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::KURL const&, WTF::String const&, WebCore::Frame*)
    #58 0x7f1dfe4ca867 in WebKit::WebFrameImpl::createChildFrame(WebCore::FrameLoadRequest const&, WebCore::HTMLFrameOwnerElement*)
    #59 0x7f1dfe5741ef in WebKit::FrameLoaderClientImpl::createFrame(WebCore::KURL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int)
    #60 0x7f1dffc00743 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::String const&, WTF::String const&)
    #61 0x7f1dffbfc018 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::AtomicString const&, bool, bool)
    #62 0x7f1dffbfb78c in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement*, WTF::String const&, WTF::AtomicString const&, bool, bool)
    #63 0x7f1dff0e12b6 in WebCore::HTMLFrameElementBase::openURL(bool, bool)
    #0 0x7f1dff2eeb80 in WebCore::HTMLElementStack::pop()
    #1 0x7f1dff2752a1 in WebCore::HTMLTreeBuilder::processEndOfFile(WebCore::AtomicHTMLToken&)
    #2 0x7f1dff268f51 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
    #3 0x7f1dff268995 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
    #4 0x7f1dff26887b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
    #5 0x7f1dff21f07c in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
    #6 0x7f1dff21e91d in WebCore::HTMLDocumentParser::prepareToStopParsing()
    #7 0x7f1dfef3522f in WebCore::Document::close()
    #8 0x7f1dfe6bb78a in WebCore::HTMLDocumentInternal::closeCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources03.cpp:0
    #9 0x7f1dfdb31a31 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #10 0x37beff93e14e in
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 pages) mmaped in 0 calls
  mmaps   by size:
  mallocs by size:
  frees   by size:
  rfrees  by size:
Stats: malloc large: 0 small slow: 0

Testcase2::
<math><option><option></html><option></option>

/usr/local/google/home/aarya/chrome/src/out/Release/chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-desktop-notifications --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-geolocation --enable-indexed-database --enable-nacl --enable-native-web-workers --enable-search-provider-api-v2 --force-internal-pdf --incognito --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --no-sandbox --single-process --enable-gpu-plugin --enable-gpu-rendering --enable-accelerated-compositing --enable-webgl --enable-accelerated-2d-canvas --user-data-dir=/usr/local/google/home/aarya/FuzzTmp/t71

ASAN:SIGSEGV
==17326== ERROR: AddressSanitizer crashed on unknown address 0x0000000000000000 (pc 0x7f423c22408c sp 0x7f421b2d0660 bp 0x7f421b2d0690 ax (nil) T12)
AddressSanitizer can not provide additional info.
ABORTING
    #2 0x7f423c1c0e7d in WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken&)
    #3 0x7f423c1a618e in WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken&)
    #4 0x7f423c19d404 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
    #5 0x7f423c19cf95 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
    #6 0x7f423c19ce7b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
    #7 0x7f423c1536ac in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
    #8 0x7f423c155254 in WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
    #9 0x7f423eab0f06 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*)
    #10 0x7f423cab5af9 in WebCore::DocumentWriter::endIfNotLoadingMainResource()
    #11 0x7f423caf4e09 in WebCore::FrameLoader::finishedLoading()
    #12 0x7f423cb199e0 in WebCore::MainResourceLoader::didFinishLoading(double)
    #13 0x7f423d9c6039 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)
    #14 0x7f423b2c9aca in bool IPC::MessageWithTuple<Tuple4<int, net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::Time> >::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&))
    #15 0x7f423b2c76b0 in ResourceDispatcher::DispatchMessage(IPC::Message const&)
    #16 0x7f423b2c5489 in ResourceDispatcher::OnMessageReceived(IPC::Message const&)
    #17 0x7f423b1ea930 in ChildThread::OnMessageReceived(IPC::Message const&)
    #18 0x7f423b324894 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
    #19 0x7f4239db0119 in base::subtle::TaskClosureAdapter::Run()
    #20 0x7f4239d4129c in MessageLoop::RunTask(MessageLoop::PendingTask const&)
    #21 0x7f4239d418a2 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)
    #22 0x7f4239d42aee in MessageLoop::DoWork()
    #23 0x7f4239d4bf98 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
    #24 0x7f4239d401c7 in MessageLoop::RunInternal()
    #25 0x7f4239d3e42e in MessageLoop::Run()
    #26 0x7f4239db38c0 in base::Thread::ThreadMain()
    #27 0x7f4239db24fc in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #28 0x7f423ee9b1e7 in AsanThread::ThreadStart() /home/kcc/asan/asan/asan_thread.cc:98
    #0 0x7f423c22408c in WebCore::HTMLElementStack::popUntilPopped(WebCore::Element*)
    #1 0x7f423c1c0e7d in WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken&)
    #2 0x7f423c1a618e in WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken&)
    #3 0x7f423c19d404 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
    #4 0x7f423c19cf95 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
    #5 0x7f423c19ce7b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
    #6 0x7f423c1536ac in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
    #7 0x7f423c155254 in WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
    #8 0x7f423eab0f06 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*)
    #9 0x7f423cab5af9 in WebCore::DocumentWriter::endIfNotLoadingMainResource()
    #10 0x7f423caf4e09 in WebCore::FrameLoader::finishedLoading()
    #11 0x7f423cb199e0 in WebCore::MainResourceLoader::didFinishLoading(double)
    #12 0x7f423d9c6039 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)
    #13 0x7f423b2c9aca in bool IPC::MessageWithTuple<Tuple4<int, net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::Time> >::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&))
    #14 0x7f423b2c76b0 in ResourceDispatcher::DispatchMessage(IPC::Message const&)
    #15 0x7f423b2c5489 in ResourceDispatcher::OnMessageReceived(IPC::Message const&)
    #16 0x7f423b1ea930 in ChildThread::OnMessageReceived(IPC::Message const&)
    #17 0x7f423b324894 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
    #18 0x7f4239db0119 in base::subtle::TaskClosureAdapter::Run()
    #19 0x7f4239d4129c in MessageLoop::RunTask(MessageLoop::PendingTask const&)
    #20 0x7f4239d418a2 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)
    #21 0x7f4239d42aee in MessageLoop::DoWork()
    #22 0x7f4239d4bf98 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
    #23 0x7f4239d401c7 in MessageLoop::RunInternal()
    #24 0x7f4239d3e42e in MessageLoop::Run()
    #25 0x7f4239db38c0 in base::Thread::ThreadMain()
    #26 0x7f4239db24fc in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #27 0x7f423ee9b1e7 in AsanThread::ThreadStart() /home/kcc/asan/asan/asan_thread.cc:98
    #28 0x7f423436e9ca in start_thread
    #29 0x7f42322cc70d in __clone
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 pages) mmaped in 0 calls
  mmaps   by size:
  mallocs by size:
  frees   by size:
  rfrees  by size:
Stats: malloc large: 0 small slow: 0
Attachments
work in progress (9.25 KB, patch)
2011-12-28 17:32 PST, Adam Barth
no flags
ugly, but fast (11.74 KB, patch)
2011-12-29 15:55 PST, Adam Barth
no flags
Patch (16.60 KB, patch)
2012-01-03 15:20 PST, Adam Barth
no flags
Patch for landing (18.60 KB, patch)
2012-01-03 17:12 PST, Adam Barth
no flags
Adam Barth
Comment 1 2011-08-11 15:00:15 PDT
I can look at this once I'm done gardening.
Adam Barth
Comment 2 2011-10-13 16:15:19 PDT
These still repro.
Adam Barth
Comment 3 2011-12-28 17:32:41 PST
Created attachment 120711 [details] work in progress
Adam Barth
Comment 4 2011-12-28 18:19:55 PST
The underlying issue with Testcase1 is that we're re-entering the tree builder. We've done a bunch of point fixes around tree builder re-entrancy, but neither the implementation nor the specification are really designed to handle re-entrancy. Firefox avoids this problem by putting the parser on its own thread. I don't think we're quite ready to do that yet (although we will eventually, presumably, as computers become ever more parallel). The approach in this patch is to queue up the DOM mutations and actually perform them on a shallower stack. That's essentially the approach we've used for executing <scripts>. This patch seems to work pretty well. I need to do some more performance tuning to make sure we're not churning reference counts, but I believe the approach is sound.
Adam Barth
Comment 5 2011-12-29 12:06:28 PST
Currently this patch is a 36% slowdown on the html-parser benchmark. Looks like I've got some more work to do here. :)
Adam Barth
Comment 6 2011-12-29 15:55:19 PST
Created attachment 120771 [details] ugly, but fast
Adam Barth
Comment 7 2011-12-29 15:56:21 PST
This latest patch is within a couple percent of our original performance. Next step: beautification.
Adam Barth
Comment 8 2012-01-03 15:20:37 PST
Adam Barth
Comment 9 2012-01-03 15:21:28 PST
This patch isn't really 100% done. I still need to add the test and do some final performance tuning, but I wanted to upload it for review to make sure it's on the right track.
Eric Seidel (no email)
Comment 10 2012-01-03 16:43:17 PST
Comment on attachment 121005 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=121005&action=review

> Source/WebCore/html/parser/HTMLConstructionSite.cpp:136
> + AttachmentQueue queue;
> + queue.swap(m_attachmentQueue);

You might note why we do a swap here. Maybe it's obvious to other readers, but it seems subtle yet important that you're doing this to allow executeTask to cause reentry.

> Source/WebCore/html/parser/HTMLConstructionSite.cpp:252
> + // We need to actually add the Doctype node to the DOM.
> + executeQueuedTasks();
> m_document->setCompatibilityModeFromDoctype();

You should probably add a FIXME here about ways to improve this. Could this cause some of the same reentrancy troubles as before?

> Source/WebCore/html/parser/HTMLConstructionSite.h:148
> + typedef Vector<HTMLConstructionSiteTask, 5> AttachmentQueue;

You should note here that it's rare to have more than one item in this queue. You should also note when things get queued. As you explained in person, this happens when a single token can cause more than one DOM node (such as reconstructing active formatting elements, or adding implicit elements like <head>, or <tbody>, etc.)
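Review bot: in the HTMLConstructionSite.cpp:136 hunk, `queue.swap(m_attachmentQueue)` keeps a re-entrant executeTask from appending to the vector being iterated, but the quoted lines do not show what drains tasks that such a re-entrant call appends to the now-empty m_attachmentQueue while the local `queue` is still being executed. Either loop until m_attachmentQueue is empty before returning, or add a comment at the swap saying that those tasks are only run by the next executeQueuedTasks call, since until then their nodes are created but not attached.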
Eric Seidel (no email)
Comment 11 2012-01-03 16:44:14 PST
finishParsingChildren can do all sorts of stuff, iirc. Possibly even execute script (for SVG). It seems dangerous that we're calling it synchronously and possibly reentering from such.
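The queued-mutation approach from comment 4, the swap-then-drain idiom Eric asks about in comment 10, and the synchronous re-entry he warns about in comment 11, as an added C++ model written for this page (not WebKit's code and not the patch): it feeds a tree builder the token sequence of Testcase1 twice, once attaching nodes synchronously inside token processing and once queueing the attachments and executing them after the token is done. Element, Token, TreeBuilder and runScenario are invented names, and the naive builder's attach-then-push ordering is an assumption standing in for the real insertion routine.

```cpp
// Model of the re-entrancy hazard and of the queued-attachment fix, written for this
// page; not WebKit code. Element, Token, TreeBuilder and runScenario are invented, and
// the naive builder's attach-then-push order is an assumption, not the real routine.
#include <cstddef>
#include <functional>
#include <initializer_list>
#include <memory>
#include <string>
#include <vector>

struct Element {
    std::string tagName;
    // DOM side effect of attaching the node. For <iframe> it stands in for the
    // synchronous child-frame load whose onload handler ran document.write and
    // document.close() in Testcase1, re-entering the outer parser.
    std::function<void()> onAttach;
};

struct Token { enum Kind { StartTag, EndTag, EndOfFile } kind; std::string name; };

class TreeBuilder {
public:
    explicit TreeBuilder(bool queueAttachments) : m_queueAttachments(queueAttachments) {}
    void constructTreeFromToken(const Token& t) {
        if (m_finished) return;  // parser already stopped by document.close()
        ++m_depth;
        if (m_depth > 1) m_reenteredMidToken = true;  // a token arrived while one was in flight
        processToken(t);
        --m_depth;
        // Comment 4's approach: mutations and their side effects run here, on the
        // shallow frame, once the builder's own state for the token is final.
        if (m_queueAttachments) executeQueuedTasks();
    }
    bool reenteredMidToken() const { return m_reenteredMidToken; }
    std::size_t openElements() const { return m_open.size(); }

private:
    void processToken(const Token& t) {
        if (t.kind == Token::StartTag) insertElement(t.name);
        else if (t.kind == Token::EndTag) popUntilPopped(t.name);
        else { popUntilPopped("html"); m_finished = true; }
    }
    void insertElement(const std::string& name) {
        Element* e = createElement(name);
        if (m_queueAttachments) {
            m_open.push_back(e);   // builder state first...
            m_queue.push_back(e);  // ...the attach and its side effects later
        } else {
            attach(e);             // may re-enter the builder before the push below
            m_open.push_back(e);   // lands on whatever the re-entrant call left behind
        }
    }
    // Pops until an element with this tag has been popped. Stops on an empty stack
    // instead of dereferencing null, which is what both SIGSEGVs in the report are.
    bool popUntilPopped(const std::string& tag) {
        while (!m_open.empty()) {
            Element* e = m_open.back();
            m_open.pop_back();
            if (e->tagName == tag) return true;
        }
        return false;
    }
    static void attach(Element* e) { if (e->onAttach) e->onAttach(); }
    void executeQueuedTasks() {
        // The swap comment 10 asks about: a task that re-enters the builder appends
        // to a fresh m_queue, not to the vector being iterated; the loop drains those too.
        while (!m_queue.empty()) {
            std::vector<Element*> queue;
            queue.swap(m_queue);
            for (Element* e : queue) attach(e);
        }
    }
    Element* createElement(const std::string& name) {
        m_elements.emplace_back(new Element);
        Element* e = m_elements.back().get();
        e->tagName = name;
        if (name == "iframe")  // its onload handler calls document.close() on the outer document
            e->onAttach = [this] { constructTreeFromToken(Token{Token::EndOfFile, ""}); };
        return e;
    }
    bool m_queueAttachments;
    bool m_finished = false;
    bool m_reenteredMidToken = false;
    int m_depth = 0;
    std::vector<Element*> m_open;   // stack of open elements
    std::vector<Element*> m_queue;  // pending attachments
    std::vector<std::unique_ptr<Element>> m_elements;
};

struct Outcome { bool reenteredMidToken; std::size_t openElementsAfterClose; };

// Tokens with the shape of Testcase1: <html><body><iframe onload=...></iframe> then EOF.
Outcome runScenario(bool queueAttachments) {
    TreeBuilder builder(queueAttachments);
    for (const Token& t : {Token{Token::StartTag, "html"}, Token{Token::StartTag, "body"},
                           Token{Token::StartTag, "iframe"}, Token{Token::EndTag, "iframe"},
                           Token{Token::EndOfFile, ""}})
        builder.constructTreeFromToken(t);
    return Outcome{builder.reenteredMidToken(), builder.openElements()};
}
```

With synchronous attachment, `runScenario(false)` reports that the nested close arrived while the <iframe> token was still being processed and that one element is still open after the document has closed (the iframe was pushed onto a stack the re-entrant close had already emptied); with queueing, `runScenario(true)` reports neither, because the close runs only after the builder's state for the token is complete. The model stops at an empty stack instead of dereferencing it, so it shows the inconsistency rather than the SIGSEGV. The caveat from comment 11 still applies: anything that runs synchronously from inside executeQueuedTasks, such as finishParsingChildren, can re-enter, and the swap loop only guarantees that the builder's own state is consistent when it does.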
Adam Barth
Comment 12 2012-01-03 17:12:58 PST
Created attachment 121023 [details] Patch for landing
WebKit Review Bot
Comment 13 2012-01-03 18:58:01 PST
Comment on attachment 121023 [details] Patch for landing Clearing flags on attachment: 121023 Committed r104000: <http://trac.webkit.org/changeset/104000>
WebKit Review Bot
Comment 14 2012-01-03 18:58:06 PST
All reviewed patches have been landed. Closing bug.
Csaba Osztrogonác
Comment 15 2012-01-03 23:44:44 PST
Csaba Osztrogonác
Comment 16 2012-01-04 00:15:30 PST