Bug 7137 - Crash if <table> is removed from DOM while being parsed if it contains bogus content
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tables
Version: 420+
Hardware: PC Linux
Importance: P1 Normal
Assignee: Eric Seidel (no email)
URL: http://www.hixie.ch/tests/adhoc/html/...
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-07 13:48 PST by Ian 'Hixie' Hickson
Modified: 2006-04-25 01:47 PDT

See Also:


Attachments
Fixes crash (3.47 KB, patch)
2006-04-25 01:44 PDT, Eric Seidel (no email)
mjs: review+

Description Ian 'Hixie' Hickson 2006-02-07 13:48:38 PST
STEPS TO REPRODUCE
   1. <table>
   2. Remove the table from the DOM.
   3. <div>
     (bogus element in this context, parser tries to move it outside the table)

ACTUAL RESULTS
   Crash.

EXPECTED RESULTS
   Content should be placed where the table used to be in the DOM. I'm not yet 
   sure exactly what this means if other content is moved around in the DOM. I 
   think if the <table> is no longer inside its original parent, then it should
   just append the bogus content to the parent.
Comment 1 Alexey Proskuryakov 2006-04-24 21:31:26 PDT
Reproducible crash -> P1.

Thread 0 Crashed:
0   com.apple.WebCore        	0x01b4c778 WebCore::TreeShared<WebCore::Node>::parent() const + 20 (Shared.h:57)
1   com.apple.WebCore        	0x01b4c7b0 WebCore::Node::parentNode() const + 36 (Node.h:89)
2   com.apple.WebCore        	0x017a9a20 WebCore::HTMLParser::handleError(WebCore::Node*, bool, WebCore::AtomicString const&, int) + 6404 (HTMLParser.cpp:490)
3   com.apple.WebCore        	0x017aa760 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 912 (HTMLParser.cpp:281)
4   com.apple.WebCore        	0x017ac178 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1388 (HTMLParser.cpp:208)
5   com.apple.WebCore        	0x017b006c WebCore::HTMLTokenizer::processToken() + 564 (HTMLTokenizer.cpp:1628)
6   com.apple.WebCore        	0x017b37c0 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7376 (HTMLTokenizer.cpp:1206)
7   com.apple.WebCore        	0x017b43ec WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1744 (HTMLTokenizer.cpp:1432)
8   com.apple.WebCore        	0x018a1728 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:654)
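The three steps in the description and the trace above describe one parser path: content that is illegal directly inside <table> is moved out to the table's parent (frames 2-3, HTMLParser::handleError called from insertNode), and if script has already removed the table from the DOM, Node::parentNode() returns null and is dereferenced (frames 0-1). The following is an added, constructed model of that path, not WebKit's parser and not the attached patch; the Node, Parser, TABLE_CONTENT and reproduce names are this example's own. The hardened branch implements the reporter's suggested behaviour (append the bogus content to the parent the table was opened in); that choice is an assumption here, and Comment 2 says the landed fix deliberately did not match the reporter's test case.

```javascript
// Added example: minimal model of "foster parenting" of bogus table content,
// built to reproduce the crash path in this bug. Illustrative code only; it is
// not WebKit's HTMLParser and not the fix in attachment 7953.

class Node {
  constructor(tag) {
    this.tag = tag;
    this.parent = null;
    this.children = [];
  }
  appendChild(child) {
    if (child.parent) child.parent.removeChild(child);
    child.parent = this;
    this.children.push(child);
    return child;
  }
  insertBefore(child, ref) {
    if (child.parent) child.parent.removeChild(child);
    const i = ref ? this.children.indexOf(ref) : -1;
    child.parent = this;
    if (i < 0) this.children.push(child); else this.children.splice(i, 0, child);
    return child;
  }
  removeChild(child) {
    const i = this.children.indexOf(child);
    if (i >= 0) this.children.splice(i, 1);
    child.parent = null;
    return child;
  }
  // Mirrors WebCore::Node::parentNode(): null once the node is detached.
  parentNode() { return this.parent; }
}

// Tags this model allows directly inside <table>. Anything else is "bogus" in
// table context and is moved out, as step 3 of the report describes.
const TABLE_CONTENT = new Set(['caption', 'colgroup', 'col', 'thead', 'tbody', 'tfoot', 'tr']);

class Parser {
  constructor(root, { checkDetached }) {
    this.root = root;
    this.current = root;             // current insertion point
    this.tableOpenedIn = new Map();  // table -> the parent it was opened in
    this.checkDetached = checkDetached;
  }
  open(tag) {
    const el = new Node(tag);
    if (this.current.tag === 'table' && !TABLE_CONTENT.has(tag)) {
      this.fosterParent(el, this.current);
    } else {
      this.current.appendChild(el);
      if (tag === 'table') this.tableOpenedIn.set(el, this.current);
    }
    this.current = el;
    return el;
  }
  // Bogus content inside a table is inserted before the table, in the table's
  // parent. This is the path that crashed when the table had been detached.
  fosterParent(el, table) {
    const parent = table.parentNode();
    if (parent) { parent.insertBefore(el, table); return; }
    if (!this.checkDetached) {
      // Unchecked: the same null dereference as frames 0-2 of the trace
      // (a TypeError here stands in for the native crash).
      parent.insertBefore(el, table);
      return;
    }
    // Hardened (assumed behaviour, following the reporter's expected result):
    // fall back to the parent the table was opened in, or the root.
    (this.tableOpenedIn.get(table) || this.root).appendChild(el);
  }
}

// Runs the reporter's three steps against a parser with or without the
// null-parent check. Returns where the <div> ended up, or the error thrown.
function reproduce(checkDetached) {
  const body = new Node('body');
  const p = new Parser(body, { checkDetached });
  const table = p.open('table');   // 1. <table>
  body.removeChild(table);          // 2. script removes the table from the DOM
  try {
    const div = p.open('div');      // 3. <div>, bogus directly inside <table>
    return { outcome: 'placed', parentTag: div.parentNode().tag, inBody: body.children.includes(div) };
  } catch (e) {
    return { outcome: 'crash', error: e.constructor.name };
  }
}

// Control case: table still attached, so the <div> is fostered before it.
function fosterParentingIntact() {
  const body = new Node('body');
  const p = new Parser(body, { checkDetached: true });
  p.open('table');
  p.open('div');
  return body.children.map(n => n.tag);
}

console.log('unchecked:', reproduce(false));
console.log('checked:  ', reproduce(true));
console.log('attached: ', fosterParentingIntact());
```

The unchecked parser fails at exactly the point the trace shows: the foster-parenting code asks the table for its parent and uses the answer without testing it. The check itself is the whole fix for the crash; what to do with the content afterwards is the separate question the reporter raises under EXPECTED RESULTS.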
Comment 2 Eric Seidel (no email) 2006-04-25 01:44:09 PDT
Thanks for the bug. I chose not to make it match your test case for now (since both Firefox and IE fail your test), but I did fix the crash.
Comment 3 Eric Seidel (no email) 2006-04-25 01:44:39 PDT
Created attachment 7953
Fixes crash
Comment 4 Maciej Stachowiak 2006-04-25 01:46:06 PDT
Comment on attachment 7953
Fixes crash

r=me