[Webkit-unassigned] [Bug 25567] New: document.write and document.title NULL ptr

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 5 07:12:21 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=25567

           Summary: document.write and document.title NULL ptr
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Keywords: GoogleBug
          Severity: Normal
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


When the document title is set by document.write()-ing an HTML title tag to the
page, then set again using document.title=... after which document.write() is
used again, this causes a NULL ptr.

<SCRIPT>
  document.write("<title>x");
  document.title = "x";
  document.write("");
</SCRIPT>

Here's some debugger output for Chrome 2.0.175.0 (WebKit 530.6) on Windows
5.1.2600(x86):

*** Start event av(1st)
-- Start info exception
ExceptionAddress: 034eda11 (chrome_28f0000!WebCore::Node::renderer+0x00000011)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000020
Attempt to read from address 00000020
--- End info exception
-- Start info code
chrome_28f0000!WebCore::Node::renderer+0x11:
034eda11 8b4020          mov     eax,dword ptr [eax+20h]
034eda14 8be5            mov     esp,ebp
034eda16 5d              pop     ebp
034eda17 c3              ret
034eda18 cc              int     3
034eda19 cc              int     3
034eda1a cc              int     3
034eda1b cc              int     3
--- End info code
-- Start info process
0n2964 D:\trunk\src\chrome\debug\chrome.exe
--- End info process
-- Start info module
start    end        module name
028f0000 05cec000   chrome_28f0000 chrome.dll  
--- End info module
-- Start info registers
eax=00000000 ebx=03419b90 ecx=00000000 edx=00000000 esi=05fef3f0 edi=05fef424
esp=05fef3a8 ebp=05fef3ac eip=034eda11
--- End info registers
-- Start info stack
ChildEBP RetAddr  
05fef3ac 035cf42c chrome_28f0000!WebCore::Node::renderer(void)+0x11
05fef3dc 036764e6
chrome_28f0000!WebCore::Node::createRendererIfNeeded(void)+0xac
05fef3e8 03a2ce1d chrome_28f0000!WebCore::Text::attach(void)+0x16
05fef424 03a2c6eb chrome_28f0000!WebCore::HTMLParser::insertNode(class
WebCore::Node * n = 0x097cf020, bool flat = false)+0x28d
05fef48c 038a78ef chrome_28f0000!WebCore::HTMLParser::parseToken(struct
WebCore::Token * t = 0x0fcb5038)+0x24b
05fef4c0 038a6b8b
chrome_28f0000!WebCore::HTMLTokenizer::processToken(void)+0x1df
05fef574 0358d3f5 chrome_28f0000!WebCore::HTMLTokenizer::write(class
WebCore::SegmentedString * str = 0x05fef5a0, bool appendData = false)+0x5db
05fef58c 0358d444 chrome_28f0000!WebCore::Document::write(class
WebCore::SegmentedString * text = 0x05fef5a0, class WebCore::Document *
ownerDocument = 0x08e2f020)+0x75
05fef5d4 02ab3ad6 chrome_28f0000!WebCore::Document::write(class WebCore::String
* text = 0x05fef5e8, class WebCore::Document * ownerDocument = 0x08e2f020)+0x34
05fef600 03419eb9
chrome_28f0000!WebCore::V8Custom::v8HTMLDocumentWriteCallback(class
v8::Arguments * args = 0x05fef660)+0x96
05fef738 064f018b chrome_28f0000!v8::internal::Builtin_HandleApiCall(int
__argc__ = 2, class v8::internal::Object ** __argv__ = 0x05fef75c)+0x329
WARNING: Frame IP not in any known module. Following frames may be wrong.
05fef824 03351891 0x64f018b
05fef8b8 03351762 chrome_28f0000!v8::internal::Invoke(bool construct = true,
class v8::internal::Handle<v8::internal::JSFunction> func = class
v8::internal::Handle<v8::internal::JSFunction>, class
v8::internal::Handle<v8::internal::Object> receiver = class
v8::internal::Handle<v8::internal::Object>, int argc = 113380529, class
v8::internal::Object *** args = 0x05fef7cc, bool * has_pending_exception =
0x06502fe9)+0x111
05fef8dc 03320bb8 chrome_28f0000!v8::internal::Execution::Call(class
v8::internal::Handle<v8::internal::JSFunction> func = class
v8::internal::Handle<v8::internal::JSFunction>, class
v8::internal::Handle<v8::internal::Object> receiver = class
v8::internal::Handle<v8::internal::Object>, int argc = 0, class
v8::internal::Object *** args = 0x00000000, bool * pending_exception =
0x05fef92b)+0x22
05fef96c 02a5e5ef chrome_28f0000!v8::Function::Call(class
v8::Handle<v8::Object> recv = class v8::Handle<v8::Object>, int argc = 0, class
v8::Handle<v8::Value> * argv = 0x00000000)+0x108
05fef9a4 02ace0bf chrome_28f0000!WebCore::V8Proxy::CallFunction(class
v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, class
v8::Handle<v8::Object> receiver = class v8::Handle<v8::Object>, int argc = 0,
class v8::Handle<v8::Value> * args = 0x00000000)+0x5f
05fefa20 035cb3da chrome_28f0000!WebCore::ScheduledAction::execute(class
WebCore::ScriptExecutionContext * context = 0x08e2f054)+0xff
05fefa5c 036920c5 chrome_28f0000!WebCore::DOMTimer::fired(void)+0x12a
05fefa94 036921ea chrome_28f0000!WebCore::ThreadTimers::fireTimers(double
fireTime = 1241520087.5222499, class WTF::Vector<WebCore::TimerBase *,0> *
firingTimers = 0x05fefaac)+0xb5
05fefac8 03692136
chrome_28f0000!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0xaa
05fefad0 02904562
chrome_28f0000!WebCore::ThreadTimers::sharedTimerFired(void)+0x16
05fefae0 02904fdc
chrome_28f0000!webkit_glue::WebKitClientImpl::DoTimeout(void)+0x22
05fefaec 02904af4
chrome_28f0000!DispatchToMethod<webkit_glue::WebKitClientImpl,void (class
webkit_glue::WebKitClientImpl * obj = 0x061a5020, <function> * method =
0x02904540, struct Tuple0 * arg = 0x05fefb03)+0xc
05fefb08 03ac4b29
chrome_28f0000!base::BaseTimer<webkit_glue::WebKitClientImpl,0>::TimerTask::Run(void)+0x54
05fefbbc 03ac4bd5 chrome_28f0000!MessageLoop::RunTask(class Task * task =
0x08f35020)+0xb9
05fefbcc 03ac5246 chrome_28f0000!MessageLoop::DeferOrRunPendingTask(struct
MessageLoop::PendingTask * pending_task = 0x05fefbf0)+0x35
05fefc10 03b51aa0 chrome_28f0000!MessageLoop::DoDelayedWork(class base::Time *
next_delayed_work_time = 0x05dbf038)+0x116
05fefcf8 03ac444b chrome_28f0000!base::MessagePumpDefault::Run(class
base::MessagePump::Delegate * delegate = 0x05fefeb0)+0xf0
05fefda8 03ac42b0 chrome_28f0000!MessageLoop::RunInternal(void)+0xfb
05fefde0 03ac413a chrome_28f0000!MessageLoop::RunHandler(void)+0x90
05fefe08 03ae9138 chrome_28f0000!MessageLoop::Run(void)+0x3a
05feffa4 03ae8271 chrome_28f0000!base::Thread::ThreadMain(void)+0xb8
05feffb4 7c80b729 chrome_28f0000!`anonymous namespace'::ThreadFunc(void *
closure = 0x05d7702c)+0x21
05feffec 00000000 kernel32!GetModuleFileNameA+0x1ba
--- End info stack
*** End event av(1st)
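The fault above is a classic null-pointer field read: eax is 0 when `mov eax,dword ptr [eax+20h]` executes in Node::renderer, so the access goes to address 0x20, which is just the field offset added to a NULL object pointer. The following C model is an added illustration of that triage step, not WebKit code; it assumes (as the stack suggests, Text::attach -> createRendererIfNeeded -> renderer) that the crash is a renderer lookup on a node whose parent was missing after the document.write/document.title sequence, and the struct layout with the field at offset 0x20 is constructed only to reproduce the reported fault address.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for WebKit's layout, chosen so that the renderer
 * field lands at offset 0x20 and a NULL node reproduces the reported
 * "Attempt to read from address 00000020". */
struct RenderObject { int kind; };

struct Node {
    uint8_t header[0x20];          /* padding: puts m_renderer at +0x20 */
    struct RenderObject *m_renderer;
    struct Node *m_parent;
};

/* Mirrors the faulting instruction: loads the field at +0x20 of whatever
 * pointer it is handed, with no check that the pointer is non-NULL. */
static struct RenderObject *node_renderer(const struct Node *node) {
    return node->m_renderer;
}

/* Address the unguarded load would touch for a given node pointer.
 * For node == NULL this is exactly the fault address in the report, 0x20. */
static uintptr_t faulting_address(const struct Node *node) {
    return (uintptr_t)node + offsetof(struct Node, m_renderer);
}

/* Hardened lookup: a node with no parent yields no parent renderer
 * instead of dereferencing NULL. */
static struct RenderObject *parent_renderer_checked(const struct Node *child) {
    if (child == NULL || child->m_parent == NULL)
        return NULL;
    return node_renderer(child->m_parent);
}

/* Constructed fixtures: one properly attached text node, one orphan
 * (the state the repro appears to leave the new text node in). */
static struct RenderObject g_renderer = { 1 };
static struct Node g_parent   = { {0}, &g_renderer, NULL };
static struct Node g_attached = { {0}, NULL, &g_parent };
static struct Node g_orphan   = { {0}, NULL, NULL };

static int checked_lookup_finds_parent_renderer(void) {
    return parent_renderer_checked(&g_attached) == &g_renderer;
}

static int checked_lookup_survives_orphan(void) {
    return parent_renderer_checked(&g_orphan) == NULL;
}

int main(void) {
    printf("fault address for a NULL node: 0x%lx\n",
           (unsigned long)faulting_address(NULL));
    printf("attached node resolves parent renderer: %d\n",
           checked_lookup_finds_parent_renderer());
    printf("orphan node handled without a crash: %d\n",
           checked_lookup_survives_orphan());
    return 0;
}
```

Reading the register dump this way (fault address minus the displacement in the faulting instruction) tells you immediately whether a crash is a plain NULL dereference or a read through a corrupted pointer, which is the first question a triager asks of an access violation.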

