Bug 12457 - crash if set innerHTML in onchange event
Summary: crash if set innerHTML in onchange event
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 419.x
Hardware: Mac OS X 10.4
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-29 02:39 PST by nrlz
Modified: 2007-01-30 01:19 PST (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description nrlz 2007-01-29 02:39:02 PST
I can crash Safari 419.3 with the following HTML:

<div id="a"><input type=checkbox onchange="prefill();"></div>

<script>
function prefill() {
  var elm = document.getElementById("a");
  elm.innerHTML = "<input type=checkbox>";
  elm.firstChild.onchange = prefill;
}
</script>
Comment 1 Mark Rowe (bdash) 2007-01-29 04:00:13 PST
Backtrace in WebKit 418.9.1 is:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x4130003c

Reading symbols for shared libraries ............. done
/Users/mrowe/8271: No such file or directory.
Attaching to program: `/Applications/Safari.app/Contents/MacOS/Safari', process 8271.
Reading symbols for shared libraries ........................................................................................................ done
0x952ec447 in QWidget::getView ()

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x4130003c
0x952ec447 in QWidget::getView ()
(gdb) bt
#0  0x952ec447 in QWidget::getView ()
#1  0x953a7601 in QButton::clicked ()
#2  0x9335cd88 in -[NSApplication sendAction:to:from:] ()
#3  0x0002b34b in ?? ()
#4  0x9335cce1 in -[NSControl sendAction:to:] ()
#5  0x9335ee91 in -[NSCell _sendActionFrom:] ()
#6  0x93371671 in -[NSCell trackMouse:inRect:ofView:untilMouseUp:] ()
#7  0x9338f25d in -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] ()
#8  0x9338eb0d in -[NSControl mouseDown:] ()
#9  0x953f4526 in -[KWQButton mouseDown:] ()
#10 0x953a4d16 in KWQKHTMLPart::passWidgetMouseDownEventToWidget ()
#11 0x95380cd3 in KWQKHTMLPart::passWidgetMouseDownEventToWidget ()
#12 0x95380b16 in KWQKHTMLPart::khtmlMousePressEvent ()
#13 0x9550d5f8 in KParts::Part::event ()
#14 0x9538043d in KHTMLView::viewportMousePressEvent ()
#15 0x953800a1 in KWQKHTMLPart::mouseDown ()
#16 0x95169b30 in -[WebHTMLView mouseDown:] ()
#17 0x9334c3af in -[NSWindow sendEvent:] ()
#18 0x0002338e in ?? ()
#19 0x9333e350 in -[NSApplication sendEvent:] ()
#20 0x00022f1e in ?? ()
#21 0x93268dfe in -[NSApplication run] ()
#22 0x9325cd2f in NSApplicationMain ()
#23 0x0005f7de in ?? ()
#24 0x0005f6f9 in ?? ()
(gdb) 
Comment 2 Mark Rowe (bdash) 2007-01-29 04:04:22 PST
This does not crash with ToT WebKit.  As expected, the checkbox remains unchecked when clicked.
Comment 3 nrlz 2007-01-30 01:19:52 PST
Out of curiosity, should I continue to file new bugs which crash Safari 419.3, but which don't crash nightlies? This has been the case for both this bug and bug 12191. If I am wasting your time, then please let me know.

By the way, I found another crasher for 419.3 (safe on nightlies again) with this HTML:

<a href="javascript:doit();">click me</a>
<div id="menu" style="overflow:auto"></div>
<script>
function doit() {
  var m = document.getElementById("menu");
  document.body.appendChild(m);
  m.style.display = "none";
  m.scrollTop = 0;
}
</script>