[Webkit-unassigned] [Bug 25694] HTMLParser::createHead() ASSERT: Creating an element, calling document.open() and writing to the document NULL ptr

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 11 08:11:54 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=25694


skylined at chromium.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |skylined at chromium.org
                URL|                            |http://skypher.com/SkyLined/
                   |                            |Repro/WebKit/Bug%2025694%20-
                   |                            |%20HTMLParsercreateHead()%20
                   |                            |ASSERT/repro.html




------- Comment #1 from skylined at chromium.org  2009-05-11 08:11 PDT -------
Here's some info from my FuzzFramework:
CdbFatalExceptionInfo(ReadAV [NULL]@chrome!WebCore::HTMLParser::createHead+0xeb
(Stack:WebCore::HTMLParser::createHead+0xEB,WebCore::HTMLParser::bodyCreateErrorCheck+0x14,WebCore::HTMLParser::getNode+0xE74,WebCore::HTMLParser::parseToken+0x21D,WebCore::HTMLTokenizer::processToken+0x13B,WebCore::HTMLTokenizer::parseTag+0x1056,WebCore::HTMLTokenizer::write+0x40E,WebCore::parseHTMLDocumentFragment+0x50,WebCore::HTMLElement::createContextualFragment+0xC2,WebCore::HTMLElement::setInnerHTML+0x17,WebCore::HTMLElementInternal::innerHTMLAttrSetter+0x51,v8::internal::JSObject::SetPropertyWithCallback+0x205,v8::internal::JSObject::SetProperty+0x233,v8::internal::JSObject::SetProperty+0x3C,v8::internal::StoreIC::Store+0x138,v8::internal::StoreIC_Miss+0x6D,v8::internal::Invoke+0x81,v8::internal::Execution::Call+0x25,v8::Function::Call+0x8C,WebCore::V8Proxy::CallFunction+0x34,WebCore::ScheduledAction::execute+0x9A,WebCore::DOMTimer::fired+0x81,WebCore::ThreadTimers::fireTimers+0x74,WebCore::ThreadTimers::sharedTimerFiredInternal+0x4F,MessageLoop::RunTask+0x7E,MessageL
 oop::DoWork+0x1EA,base::MessagePumpDefault::Run+0x111,MessageLoop::RunInternal+0xB7,MessageLoop::RunHandler+0xA0,MessageLoop::Run+0x3D,base::Thread::ThreadMain+0x8A,`anonymous
namespace'::ThreadFunc+0xD,BaseThreadInitThunk+0x12,RtlInitializeExceptionChain+0x63,RtlInitializeExceptionChain+0x36))
(18% reproducible after 11 attempts, reducing)
Attempt to read from a NULL pointer, instruction:
6a29f4ab 8b01            mov     eax,dword ptr [ecx]
Registers:
eax=032ca040 ebx=00000000 ecx=00000000 edx=01f8e918 esi=032cad40 edi=016e7000
esp=01f8e918 ebp=01f8e938 eip=6a29f4ab
Stack:
ChildEBP RetAddr  
01f8e938 6a2a15e4 chrome_69bb0000!WebCore::HTMLParser::createHead(void)+0xeb
01f8e940 6a2a2a84
chrome_69bb0000!WebCore::HTMLParser::bodyCreateErrorCheck(struct WebCore::Token
* __formal = 0x01f8e9c0, class WTF::RefPtr<WebCore::Node> * __formal =
0x016dde20)+0x14
01f8e98c 6a2a2e0d chrome_69bb0000!WebCore::HTMLParser::getNode(struct
WebCore::Token * t = 0x016dde20)+0xe74
01f8e9b4 6a1ced2b chrome_69bb0000!WebCore::HTMLParser::parseToken(struct
WebCore::Token * t = 0x01f8ebb8)+0x21d
01f8e9d8 6a1d26d6
chrome_69bb0000!WebCore::HTMLTokenizer::processToken(void)+0x13b
01f8eacc 6a1d2e5e chrome_69bb0000!WebCore::HTMLTokenizer::parseTag(class
WebCore::SegmentedString * src = 0x00000000, class
WebCore::HTMLTokenizer::State state = class
WebCore::HTMLTokenizer::State)+0x1056
01f8eb60 6a1d3050 chrome_69bb0000!WebCore::HTMLTokenizer::write(class
WebCore::SegmentedString * str = 0x01f8eb74, bool appendData = true)+0x40e
01f8f53c 6a0b0e52 chrome_69bb0000!WebCore::parseHTMLDocumentFragment(class
WebCore::String * source = 0x01f8f5b0, class WebCore::DocumentFragment *
fragment = 0x032e04b0)+0x50
01f8f568 6a0b11c7
chrome_69bb0000!WebCore::HTMLElement::createContextualFragment(class
WebCore::String * html = 0x01f8f5b0)+0xc2
01f8f584 6a303b91 chrome_69bb0000!WebCore::HTMLElement::setInnerHTML(class
WebCore::String * html = 0x01f8f5b0, int * ec = 0x01f8f59c)+0x17
01f8f5a0 6a3aede5
chrome_69bb0000!WebCore::HTMLElementInternal::innerHTMLAttrSetter(class
v8::Local<v8::String> name = class v8::Local<v8::String>, class
v8::Local<v8::Value> value = class v8::Local<v8::Value>, class v8::AccessorInfo
* info = 0x032df840)+0x51
01f8f5e0 6a3bac73
chrome_69bb0000!v8::internal::JSObject::SetPropertyWithCallback(class
v8::internal::Object * structure = 0x029d5e8d, class v8::internal::String *
name = 0x029c8135, class v8::internal::Object * value = 0x02e93ec0, class
v8::internal::JSObject * holder = 0x0287b159)+0x205
01f8f618 6a3bb3ec chrome_69bb0000!v8::internal::JSObject::SetProperty(class
v8::internal::LookupResult * result = <Memory access error>, class
v8::internal::String * name = <Memory access error>, class v8::internal::Object
* value = <Memory access error>, PropertyAttributes attributes = <Memory access
error>)+0x233
01f8f648 6a423138 chrome_69bb0000!v8::internal::JSObject::SetProperty(class
v8::internal::String * name = 0x029d5e8d, class v8::internal::Object * value =
0x029a0849, PropertyAttributes attributes = 43649097 (No matching
enumerant))+0x3c
01f8f688 6a42357d
chrome_69bb0000!v8::internal::StoreIC::Store(v8::internal::InlineCacheState
state = 43867789 (No matching enumerant), class
v8::internal::Handle<v8::internal::Object> object = class
v8::internal::Handle<v8::internal::Object>, class
v8::internal::Handle<v8::internal::String> name = class
v8::internal::Handle<v8::internal::String>, class
v8::internal::Handle<v8::internal::Object> value = class
v8::internal::Handle<v8::internal::Object>)+0x138
01f8f79c 6a3c1fb1 chrome_69bb0000!v8::internal::StoreIC_Miss(class
v8::internal::Arguments args = class v8::internal::Arguments)+0x6d
01f8f7d8 6a3c2095 chrome_69bb0000!v8::internal::Invoke(bool construct = true,
class v8::internal::Handle<v8::internal::JSFunction> func = class
v8::internal::Handle<v8::internal::JSFunction>, class
v8::internal::Handle<v8::internal::Object> receiver = class
v8::internal::Handle<v8::internal::Object>, int argc = 43649097, class
v8::internal::Object *** args = 0x029a0849, bool * has_pending_exception =
0x029c8135)+0x81
01f8f7f8 6a39ed4c chrome_69bb0000!v8::internal::Execution::Call(class
v8::internal::Handle<v8::internal::JSFunction> func = class
v8::internal::Handle<v8::internal::JSFunction>, class
v8::internal::Handle<v8::internal::Object> receiver = class
v8::internal::Handle<v8::internal::Object>, int argc = 24436740, class
v8::internal::Object *** args = 0x00000000, bool * pending_exception =
0x00000000)+0x25
01f8f830 6a0d9ae4 chrome_69bb0000!v8::Function::Call(class
v8::Handle<v8::Object> recv = class v8::Handle<v8::Object>, int argc =
53344448, class v8::Handle<v8::Value> * argv = 0x0174e004)+0x8c
01f8f850 6a2120ca chrome_69bb0000!WebCore::V8Proxy::CallFunction(class
v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, class
v8::Handle<v8::Object> receiver = class v8::Handle<v8::Object>, int argc = 0,
class v8::Handle<v8::Value> * args = 0x00000000)+0x34
01f8f894 6a1a1531 chrome_69bb0000!WebCore::ScheduledAction::execute(class
WebCore::ScriptExecutionContext * context = 0x0174e004)+0x9a
01f8f8a8 6a20ec94 chrome_69bb0000!WebCore::DOMTimer::fired(void)+0x81
01f8f8c8 6a20ed8f chrome_69bb0000!WebCore::ThreadTimers::fireTimers(double
fireTime = 1241871163.5501339, class WTF::Vector<WebCore::TimerBase *,0> *
firingTimers = 0x01f8f8e4)+0x74
01f8f8f8 69bcd51e
chrome_69bb0000!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0x4f
01f8f99c 69bce59a chrome_69bb0000!MessageLoop::RunTask(class Task * task =
0x032dd740)+0x7e
01f8f9ec 69be2751 chrome_69bb0000!MessageLoop::DoWork(void)+0x1ea
01f8fa9c 69bcdb27 chrome_69bb0000!base::MessagePumpDefault::Run(class
base::MessagePump::Delegate * delegate = 0x01f8fba4)+0x111
01f8fb40 69bcdf50 chrome_69bb0000!MessageLoop::RunInternal(void)+0xb7
01f8fb74 69bce25d chrome_69bb0000!MessageLoop::RunHandler(void)+0xa0
01f8fb90 6a0246fa chrome_69bb0000!MessageLoop::Run(void)+0x3d
01f8fc60 69bd699d chrome_69bb0000!base::Thread::ThreadMain(void)+0x8a
01f8fc68 76884911 chrome_69bb0000!`anonymous namespace'::ThreadFunc(void *
closure = 0x016d800c)+0xd
WARNING: Stack unwind information not available. Following frames may be wrong.
01f8fc74 778ee4b6 kernel32!BaseThreadInitThunk+0x12
01f8fcb4 778ee489 ntdll!RtlInitializeExceptionChain+0x63
01f8fccc 00000000 ntdll!RtlInitializeExceptionChain+0x36

