Bug 12191

Summary: crash when getting property of NodeList
Product: WebKit Reporter: nrlz
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: 419.x   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Torture test (hangs if fixed, else crashes) none

nrlz
Reported 2007-01-10 02:25:19 PST
I can crash Safari 419.3 with the following HTML: <script> var n = document.createElement("DIV"); n.appendChild(document.createTextNode("")); n.childNodes.slice; </script>
Attachments
Torture test (hangs if fixed, else crashes) (136 bytes, text/html)
2007-01-12 07:08 PST, David Kilzer (:ddkilzer) 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2007-01-10 05:57:54 PST
Confirmed with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127). Radar: <rdar://problem/4916817>
David Kilzer (:ddkilzer)
Comment 2 2007-01-10 05:59:27 PST
Testing on a locally-built debug build of WebKit r18731 with Safari 2.0.4 (419.3) and Mac OS X 10.4.8 (8L127), this does not cause a crash. Therefore closing this bug as RESOLVED/FIXED.
David Kilzer (:ddkilzer)
Comment 3 2007-01-11 03:36:24 PST
Note that reproducing the crash requires clicking the Reload button as fast as possible (once the initial page has loaded) until Safari crashes. On shipping Safari 2.0.4 (419.3), the crash happens on the initial load, or the first reload. On the first WebKit nightly from CVS (WebKit-CVS-2005-10-01 03:27:01 GMT.dmg), you must reload about 5 times. On the first WebKit nightly from SVN (WebKit-SVN-r11976.dmg), you must reload about 20 times. At r12161, it takes over 30 times. At r12162, it takes over 40 times. During the binary search of WebKit nightlies, I found that between r12190 (over 40 times) and r12443 (doesn't crash over 100 times) there was a fix, then there was a regression between r12443 and r12899 (over 40 times to crash), and another fix between r12904 and r12930.
David Kilzer (:ddkilzer)
Comment 4 2007-01-12 07:08:57 PST
Created attachment 12383 [details] Torture test (hangs if fixed, else crashes) This is a torture test for this bug. It replaces having to click on Reload as fast as you can to reproduce the bug, and will probably extend the life of your mouse's clicker. :) If the bug is fixed, Safari will hang but not crash. If the bug is still present, Safari will crash within 5 seconds or so (not including the time it takes crashreporter to do its thing). I found that with the same revision (e.g., r12930), the WebKit nightly (release) build is fixed, but a locally-built debug build still fails.
David Kilzer (:ddkilzer)
Comment 5 2007-01-12 08:10:35 PST
(In reply to comment #4) > I found that with the same revision (e.g., r12930), the WebKit nightly > (release) build is fixed, but a locally-built debug build still fails. Confirmed that the bug is fixed in nightly r18794 (release build) and a locally-built debug build of r18802 with the torture test.
Note You need to log in before you can comment on or make changes to this bug.