[Webkit-unassigned] [Bug 66101] New: Two null crashes in Treebuilder
bugzilla-daemon at webkit.org
Thu Aug 11 14:44:46 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66101
Summary: Two null crashes in Treebuilder
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: inferno at chromium.org
CC: eric at webkit.org, abarth at webkit.org, simonjam at chromium.org
Crashes don't look exploitable, but might be big stability issues.
Testcase1::
AAAA0AAAA0<iframe onload="document.write('<iframe onload="document.write(\'<script>\')">');document.close();">
/usr/local/google/home/aarya/chrome/src/out/Release/chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-desktop-notifications --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-geolocation --enable-indexed-database --enable-nacl --enable-native-web-workers --enable-search-provider-api-v2 --force-internal-pdf --incognito --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --no-sandbox --single-process --enable-gpu-plugin --enable-gpu-rendering --enable-accelerated-compositing --enable-webgl --enable-accelerated-2d-canvas --user-data-dir=/usr/local/google/home/aarya/FuzzTmp/t71
ASAN:SIGSEGV
==23678== ERROR: AddressSanitizer crashed on unknown address 0x0000000000000000 (pc 0x7f1dff2eeb80 sp 0x7f1de05f0750 bp 0x7f1de05f0760 ax 0x100000000000 T12)
AddressSanitizer can not provide additional info. ABORTING
#2 0x7f1dff2752a1 in WebCore::HTMLTreeBuilder::processEndOfFile(WebCore::AtomicHTMLToken&)
#3 0x7f1dff268f51 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
#4 0x7f1dff268995 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
#5 0x7f1dff26887b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
#6 0x7f1dff21f07c in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
#7 0x7f1dff21e91d in WebCore::HTMLDocumentParser::prepareToStopParsing()
#8 0x7f1dfef3522f in WebCore::Document::close()
#9 0x7f1dfe6bb78a in WebCore::HTMLDocumentInternal::closeCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources03.cpp:0
#10 0x7f1dfdb31a31 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
#11 0x37beff93e14e in
#12 0x37beff9662bd in
#13 0x37beff966640 in
#14 0x37beff958fe7 in
#15 0x37beff942f7f in
#16 0x7f1dfdb70bd3 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) v8/src/execution.cc:0
#17 0x7f1dfdaf277d in v8::Function::Call(v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*)
#18 0x7f1dff5e3fa6 in WebCore::V8Proxy::callFunction(v8::Handle<v8::Function>, v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*)
#19 0x7f1dff5d6372 in WebCore::V8LazyEventListener::callListenerFunction(WebCore::ScriptExecutionContext*, v8::Handle<v8::Value>, WebCore::Event*)
#20 0x7f1dffeed7ec in WebCore::V8AbstractEventListener::invokeEventHandler(WebCore::ScriptExecutionContext*, WebCore::Event*, v8::Handle<v8::Value>)
#21 0x7f1dffeed512 in WebCore::V8AbstractEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
#22 0x7f1dfefb5e80 in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&)
#23 0x7f1dfefb5a3f in WebCore::EventTarget::fireEventListeners(WebCore::Event*)
#24 0x7f1dfefee631 in WebCore::Node::handleLocalEvents(WebCore::Event*)
#25 0x7f1dfefa9626 in WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>)
#26 0x7f1dfefa5db0 in WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const
#27 0x7f1dfefa6226 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>)
#28 0x7f1dfefeec84 in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>)
#29 0x7f1dffca09f7 in WebCore::DOMWindow::dispatchLoadEvent()
#30 0x7f1dfef3e2e3 in WebCore::Document::implicitClose()
#31 0x7f1dffb934bd in WebCore::FrameLoader::checkCompleted()
#32 0x7f1dffb8f6c8 in WebCore::FrameLoader::finishedParsing()
#33 0x7f1dfef5c4c4 in WebCore::Document::finishedParsing()
#34 0x7f1dff21e9e5 in WebCore::HTMLDocumentParser::prepareToStopParsing()
#35 0x7f1dffb703c4 in WebCore::DocumentWriter::endIfNotLoadingMainResource()
#36 0x7f1dffbaf649 in WebCore::FrameLoader::finishedLoading()
#37 0x7f1dffbd4510 in WebCore::MainResourceLoader::didFinishLoading(double)
#38 0x7f1dffbd2a68 in WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&)
#39 0x7f1dffbd339e in WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction)
#40 0x7f1dffbe6fba in WebCore::PolicyChecker::continueAfterContentPolicy(WebCore::PolicyAction)
#41 0x7f1dfe56e692 in WebKit::FrameLoaderClientImpl::dispatchDecidePolicyForResponse(void (WebCore::PolicyChecker::*)(WebCore::PolicyAction), WebCore::ResourceResponse const&, WebCore::ResourceRequest const&)
#42 0x7f1dffbd3d65 in WebCore::MainResourceLoader::didReceiveResponse(WebCore::ResourceResponse const&)
#43 0x7f1dffbd4f90 in WebCore::MainResourceLoader::handleEmptyLoad(WebCore::KURL const&, bool)
#44 0x7f1dffbd58f5 in WebCore::MainResourceLoader::loadNow(WebCore::ResourceRequest&)
#45 0x7f1dffbd5ff8 in WebCore::MainResourceLoader::load(WebCore::ResourceRequest const&, WebCore::SubstituteData const&)
#46 0x7f1dffb5fc89 in WebCore::DocumentLoader::startLoadingMainResource(unsigned long)
#47 0x7f1dffbb0ac1 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm()
#48 0x7f1dffba4551 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
#49 0x7f1dffba49b8 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
#50 0x7f1dffbe3c78 in WebCore::PolicyCallback::call(bool)
#51 0x7f1dffbe646c in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)
#52 0x7f1dfe56f785 in WebKit::FrameLoaderClientImpl::dispatchDecidePolicyForNavigationAction(void (WebCore::PolicyChecker::*)(WebCore::PolicyAction), WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>)
#53 0x7f1dffbe52cb in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*)
#54 0x7f1dffba2bdb in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)
#55 0x7f1dffba11ab in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, bool, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)
#56 0x7f1dffb98989 in WebCore::FrameLoader::loadURL(WebCore::KURL const&, WTF::String const&, WTF::String const&, bool, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::FormState>)
#57 0x7f1dffb9453a in WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::KURL const&, WTF::String const&, WebCore::Frame*)
#58 0x7f1dfe4ca867 in WebKit::WebFrameImpl::createChildFrame(WebCore::FrameLoadRequest const&, WebCore::HTMLFrameOwnerElement*)
#59 0x7f1dfe5741ef in WebKit::FrameLoaderClientImpl::createFrame(WebCore::KURL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int)
#60 0x7f1dffc00743 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::String const&, WTF::String const&)
#61 0x7f1dffbfc018 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::AtomicString const&, bool, bool)
#62 0x7f1dffbfb78c in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement*, WTF::String const&, WTF::AtomicString const&, bool, bool)
#63 0x7f1dff0e12b6 in WebCore::HTMLFrameElementBase::openURL(bool, bool)
#0 0x7f1dff2eeb80 in WebCore::HTMLElementStack::pop()
#1 0x7f1dff2752a1 in WebCore::HTMLTreeBuilder::processEndOfFile(WebCore::AtomicHTMLToken&)
#2 0x7f1dff268f51 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
#3 0x7f1dff268995 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
#4 0x7f1dff26887b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
#5 0x7f1dff21f07c in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
#6 0x7f1dff21e91d in WebCore::HTMLDocumentParser::prepareToStopParsing()
#7 0x7f1dfef3522f in WebCore::Document::close()
#8 0x7f1dfe6bb78a in WebCore::HTMLDocumentInternal::closeCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources03.cpp:0
#9 0x7f1dfdb31a31 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
#10 0x37beff93e14e in
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 pages) mmaped in 0 calls
mmaps by size:
mallocs by size:
frees by size:
rfrees by size:
Stats: malloc large: 0 small slow: 0
Testcase2::
<math><option><option></html><option></option>
/usr/local/google/home/aarya/chrome/src/out/Release/chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-desktop-notifications --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-geolocation --enable-indexed-database --enable-nacl --enable-native-web-workers --enable-search-provider-api-v2 --force-internal-pdf --incognito --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --no-sandbox --single-process --enable-gpu-plugin --enable-gpu-rendering --enable-accelerated-compositing --enable-webgl --enable-accelerated-2d-canvas --user-data-dir=/usr/local/google/home/aarya/FuzzTmp/t71
ASAN:SIGSEGV
==17326== ERROR: AddressSanitizer crashed on unknown address 0x0000000000000000 (pc 0x7f423c22408c sp 0x7f421b2d0660 bp 0x7f421b2d0690 ax (nil) T12)
AddressSanitizer can not provide additional info. ABORTING
#2 0x7f423c1c0e7d in WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken&)
#3 0x7f423c1a618e in WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken&)
#4 0x7f423c19d404 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
#5 0x7f423c19cf95 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
#6 0x7f423c19ce7b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
#7 0x7f423c1536ac in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
#8 0x7f423c155254 in WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
#9 0x7f423eab0f06 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*)
#10 0x7f423cab5af9 in WebCore::DocumentWriter::endIfNotLoadingMainResource()
#11 0x7f423caf4e09 in WebCore::FrameLoader::finishedLoading()
#12 0x7f423cb199e0 in WebCore::MainResourceLoader::didFinishLoading(double)
#13 0x7f423d9c6039 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)
#14 0x7f423b2c9aca in bool IPC::MessageWithTuple<Tuple4<int, net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::Time> >::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&))
#15 0x7f423b2c76b0 in ResourceDispatcher::DispatchMessage(IPC::Message const&)
#16 0x7f423b2c5489 in ResourceDispatcher::OnMessageReceived(IPC::Message const&)
#17 0x7f423b1ea930 in ChildThread::OnMessageReceived(IPC::Message const&)
#18 0x7f423b324894 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
#19 0x7f4239db0119 in base::subtle::TaskClosureAdapter::Run()
#20 0x7f4239d4129c in MessageLoop::RunTask(MessageLoop::PendingTask const&)
#21 0x7f4239d418a2 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)
#22 0x7f4239d42aee in MessageLoop::DoWork()
#23 0x7f4239d4bf98 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
#24 0x7f4239d401c7 in MessageLoop::RunInternal()
#25 0x7f4239d3e42e in MessageLoop::Run()
#26 0x7f4239db38c0 in base::Thread::ThreadMain()
#27 0x7f4239db24fc in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
#28 0x7f423ee9b1e7 in AsanThread::ThreadStart() /home/kcc/asan/asan/asan_thread.cc:98
#0 0x7f423c22408c in WebCore::HTMLElementStack::popUntilPopped(WebCore::Element*)
#1 0x7f423c1c0e7d in WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken&)
#2 0x7f423c1a618e in WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken&)
#3 0x7f423c19d404 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
#4 0x7f423c19cf95 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
#5 0x7f423c19ce7b in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
#6 0x7f423c1536ac in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
#7 0x7f423c155254 in WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
#8 0x7f423eab0f06 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*)
#9 0x7f423cab5af9 in WebCore::DocumentWriter::endIfNotLoadingMainResource()
#10 0x7f423caf4e09 in WebCore::FrameLoader::finishedLoading()
#11 0x7f423cb199e0 in WebCore::MainResourceLoader::didFinishLoading(double)
#12 0x7f423d9c6039 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)
#13 0x7f423b2c9aca in bool IPC::MessageWithTuple<Tuple4<int, net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::Time> >::Dispatch<ResourceDispatcher, ResourceDispatcher, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&)>(IPC::Message const*, ResourceDispatcher*, ResourceDispatcher*, void (ResourceDispatcher::*)(int, net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&))
#14 0x7f423b2c76b0 in ResourceDispatcher::DispatchMessage(IPC::Message const&)
#15 0x7f423b2c5489 in ResourceDispatcher::OnMessageReceived(IPC::Message const&)
#16 0x7f423b1ea930 in ChildThread::OnMessageReceived(IPC::Message const&)
#17 0x7f423b324894 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
#18 0x7f4239db0119 in base::subtle::TaskClosureAdapter::Run()
#19 0x7f4239d4129c in MessageLoop::RunTask(MessageLoop::PendingTask const&)
#20 0x7f4239d418a2 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)
#21 0x7f4239d42aee in MessageLoop::DoWork()
#22 0x7f4239d4bf98 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
#23 0x7f4239d401c7 in MessageLoop::RunInternal()
#24 0x7f4239d3e42e in MessageLoop::Run()
#25 0x7f4239db38c0 in base::Thread::ThreadMain()
#26 0x7f4239db24fc in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
#27 0x7f423ee9b1e7 in AsanThread::ThreadStart() /home/kcc/asan/asan/asan_thread.cc:98
#28 0x7f423436e9ca in start_thread
#29 0x7f42322cc70d in __clone
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 pages) mmaped in 0 calls
mmaps by size:
mallocs by size:
frees by size:
rfrees by size:
Stats: malloc large: 0 small slow: 0
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
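Worked example, added to this archive page and not part of the bug report, WebKit, Chromium or the ASan tooling: a small triage script for ASan SIGSEGV reports of the shape shown above. It parses the "crashed on unknown address ... (pc ...)" header and the frame lines, copes with this ASan version printing the trace twice (the first copy starting at #2), and sorts the crash into a near-null dereference (fault address close to zero, pc in a normal code frame, as in both reports here), a pc-control case (pc equals the faulting address, which is the one to escalate), or a wild access. The two embedded reports are quoted from the bug above, truncated; the third sample and its symbol name, as well as the 0x10000 near-null threshold, are constructed assumptions for illustration.

```python
"""Triage helper for AddressSanitizer SIGSEGV reports such as the two above.

Example code added to this page; not part of WebKit, Chromium or ASan.
The first two report texts are quoted from this bug (truncated); the third is
constructed to show the contrasting case that is worth escalating.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer crashed on unknown address 0x([0-9a-fA-F]+) "
    r"\(pc 0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+in\b\s*(.*)$")

# Faulting addresses below this are read as "null plus a field offset", i.e. an
# unchecked null pointer.  The threshold is this example's assumption, not ASan's.
NEAR_NULL_LIMIT = 0x10000


@dataclass
class SegvReport:
    fault_addr: int
    pc: int
    frames: list  # (frame number, address, symbol) of the chosen trace copy

    def top_symbol(self):
        return self.frames[0][2] if self.frames else ""

    def classify(self):
        if self.pc == self.fault_addr:
            return "pc-control"   # control flow reached a bad address: escalate
        if self.fault_addr < NEAR_NULL_LIMIT:
            return "near-null"    # null deref: a crash, not a memory-write primitive
        return "wild-access"      # anything else needs a closer look


def parse_asan_segv(text):
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an ASan SIGSEGV report")
    fault_addr, pc = int(m.group(1), 16), int(m.group(2), 16)
    # This ASan version prints the trace twice and the first copy may start at #2.
    # Split frames into runs of consecutive numbers and prefer the run beginning
    # at #0, which is the one that contains the faulting frame.
    runs, run = [], []
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if not fm:
            continue
        frame = (int(fm.group(1)), int(fm.group(2), 16), fm.group(3).strip())
        if run and frame[0] != run[-1][0] + 1:
            runs.append(run)
            run = []
        run.append(frame)
    if run:
        runs.append(run)
    best = next((r for r in runs if r[0][0] == 0), runs[0] if runs else [])
    return SegvReport(fault_addr, pc, best)


def triage(text):
    r = parse_asan_segv(text)
    return {"class": r.classify(), "top": r.top_symbol(),
            "fault_addr": r.fault_addr, "pc": r.pc, "depth": len(r.frames)}


# Quoted from Testcase1 above (truncated; first copy of the trace starts at #2).
TESTCASE1_REPORT = """\
ASAN:SIGSEGV
==23678== ERROR: AddressSanitizer crashed on unknown address 0x0000000000000000 (pc 0x7f1dff2eeb80 sp 0x7f1de05f0750 bp 0x7f1de05f0760 ax 0x100000000000 T12)
AddressSanitizer can not provide additional info. ABORTING
#2 0x7f1dff2752a1 in WebCore::HTMLTreeBuilder::processEndOfFile(WebCore::AtomicHTMLToken&)
#3 0x7f1dff268f51 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
#0 0x7f1dff2eeb80 in WebCore::HTMLElementStack::pop()
#1 0x7f1dff2752a1 in WebCore::HTMLTreeBuilder::processEndOfFile(WebCore::AtomicHTMLToken&)
#2 0x7f1dff268f51 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&)
"""

# Quoted from Testcase2 above (truncated).
TESTCASE2_REPORT = """\
==17326== ERROR: AddressSanitizer crashed on unknown address 0x0000000000000000 (pc 0x7f423c22408c sp 0x7f421b2d0660 bp 0x7f421b2d0690 ax (nil) T12)
#0 0x7f423c22408c in WebCore::HTMLElementStack::popUntilPopped(WebCore::Element*)
#1 0x7f423c1c0e7d in WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken&)
"""

# Constructed sample, not from any real crash: pc equals the faulting address.
CONSTRUCTED_PC_CONTROL = """\
==1== ERROR: AddressSanitizer crashed on unknown address 0x0000414141414141 (pc 0x0000414141414141 sp 0x7fff0000 bp 0x7fff0010 T0)
#0 0x414141414141 in
#1 0x7f0000001000 in hypothetical::VirtualCall()
"""

if __name__ == "__main__":
    for name, rep in [("Testcase1", TESTCASE1_REPORT), ("Testcase2", TESTCASE2_REPORT),
                      ("constructed", CONSTRUCTED_PC_CONTROL)]:
        t = triage(rep)
        print(f"{name}: {t['class']:11} top={t['top']} addr={t['fault_addr']:#x}")
```

Both reports from this bug come out as near-null with the top frame inside HTMLElementStack, which is what the reporter's "don't look exploitable" assessment rests on: the pc is in ordinary parser code and the faulting address is zero. A report where pc equals the faulting address, as in the constructed third sample, is the shape that deserves immediate escalation rather than a stability label.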