12191 2007-01-10 02:25:19 -0800 crash when getting property of NodeList 2007-01-12 08:10:35 -0800 1 1 1 Unclassified WebKit DOM 419.x Mac OS X 10.4 RESOLVED FIXED InRadar P2 Normal --- 1 nrlz webkit-unassigned oldest_to_newest 35951 0 nrlz 2007-01-10 02:25:19 -0800 I can crash Safari 419.3 with the following HTML: <script> var n = document.createElement("DIV"); n.appendChild(document.createTextNode("")); n.childNodes.slice; </script> 35923 1 ddkilzer 2007-01-10 05:57:54 -0800 Confirmed with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127). Radar: <rdar://problem/4916817> 35925 2 ddkilzer 2007-01-10 05:59:27 -0800 Testing on a locally-built debug build of WebKit r18731 with Safari 2.0.4 (419.3) and Mac OS X 10.4.8 (8L127), this does not cause a crash. Therefore closing this bug as RESOLVED/FIXED. 35763 3 ddkilzer 2007-01-11 03:36:24 -0800 Note that reproducing the crash requires clicking the Reload button as fast as possible (once the initial page has loaded) until Safari crashes. On shipping Safari 2.0.4 (419.3), the crash happens on the initial load, or the first reload. On the first WebKit nightly from CVS (WebKit-CVS-2005-10-01 03:27:01 GMT.dmg), you must reload about 5 times. On the first WebKit nightly from SVN (WebKit-SVN-r11976.dmg), you must reload about 20 times. At r12161, it takes over 30 times. At r12162, it takes over 40 times. During the binary search of WebKit nightlies, I found that between r12190 (over 40 times) and r12443 (doesn't crash over 100 times) there was a fix, then there was a regression between r12443 and r12899 (over 40 times to crash), and another fix between r12904 and r12930. 35527 4 12383 ddkilzer 2007-01-12 07:08:57 -0800 Created attachment 12383 Torture test (hangs if fixed, else crashes) This is a torture test for this bug. It replaces having to click on Reload as fast as you can to reproduce the bug, and will probably extend the life of your mouse's clicker. :) If the bug is fixed, Safari will hang but not crash. If the bug is still present, Safari will crash within 5 seconds or so (not including the time it takes crashreporter to do its thing). I found that with the same revision (e.g., r12930), the WebKit nightly (release) build is fixed, but a locally-built debug build still fails. 35508 5 ddkilzer 2007-01-12 08:10:35 -0800 (In reply to comment #4) > I found that with the same revision (e.g., r12930), the WebKit nightly > (release) build is fixed, but a locally-built debug build still fails. Confirmed that the bug is fixed in nightly r18794 (release build) and a locally-built debug build of r18802 with the torture test. 12383 2007-01-12 07:08:57 -0800 2007-01-12 08:14:56 -0800 Torture test (hangs if fixed, else crashes) bug-12191-torture-test.html text/html 136 ddkilzer PHNjcmlwdD4Kd2hpbGUgKDEpIHsKdmFyIG4gPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCJESVYi KTsKbi5hcHBlbmRDaGlsZChkb2N1bWVudC5jcmVhdGVUZXh0Tm9kZSgiIikpOwpuLmNoaWxkTm9k ZXMuc2xpY2U7Cn0KPC9zY3JpcHQ+Cg==