Bug 12191

Summary:

crash when getting property of NodeList

Product:

WebKit

Reporter:

nrlz

Component:

DOM

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

Keywords:

InRadar

Priority:

Version:

419.x

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
Torture test (hangs if fixed, else crashes)	none

Description nrlz 2007-01-10 02:25:19 PST

I can crash Safari 419.3 with the following HTML:

<script>
var n = document.createElement("DIV");
n.appendChild(document.createTextNode(""));
n.childNodes.slice;
</script>

Comment 1 David Kilzer (:ddkilzer) 2007-01-10 05:57:54 PST

Confirmed with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8L127).

Radar: <rdar://problem/4916817>

Comment 2 David Kilzer (:ddkilzer) 2007-01-10 05:59:27 PST

Testing on a locally-built debug build of WebKit r18731 with Safari 2.0.4 (419.3) and Mac OS X 10.4.8 (8L127), this does not cause a crash.  Therefore closing this bug as RESOLVED/FIXED.

Comment 3 David Kilzer (:ddkilzer) 2007-01-11 03:36:24 PST

Note that reproducing the crash requires clicking the Reload button as fast as possible (once the initial page has loaded) until Safari crashes.

On shipping Safari 2.0.4 (419.3), the crash happens on the initial load, or the first reload.

On the first WebKit nightly from CVS (WebKit-CVS-2005-10-01 03:27:01 GMT.dmg), you must reload about 5 times.

On the first WebKit nightly from SVN (WebKit-SVN-r11976.dmg), you must reload about 20 times.

At r12161, it takes over 30 times.

At r12162, it takes over 40 times.

During the binary search of WebKit nightlies, I found that between r12190 (over 40 times) and r12443 (doesn't crash over 100 times) there was a fix, then there was a regression between r12443 and r12899 (over 40 times to crash), and another fix between r12904 and r12930.

Comment 4 David Kilzer (:ddkilzer) 2007-01-12 07:08:57 PST

Created attachment 12383 [details]
Torture test (hangs if fixed, else crashes)


This is a torture test for this bug.  It replaces having to click on Reload as fast as you can to reproduce the bug, and will probably extend the life of your mouse's clicker.  :)

If the bug is fixed, Safari will hang but not crash.

If the bug is still present, Safari will crash within 5 seconds or so (not including the time it takes crashreporter to do its thing).

I found that with the same revision (e.g., r12930), the WebKit nightly (release) build is fixed, but a locally-built debug build still fails.

Comment 5 David Kilzer (:ddkilzer) 2007-01-12 08:10:35 PST

(In reply to comment #4)
> I found that with the same revision (e.g., r12930), the WebKit nightly
> (release) build is fixed, but a locally-built debug build still fails.

Confirmed that the bug is fixed in nightly r18794 (release build) and a locally-built debug build of r18802 with the torture test.