Bug 12457
| Summary: | crash if set innerHTML in onchange event | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | nrlz |
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | mrowe |
| Priority: | P2 | | |
| Version: | 419.x | | |
| Hardware: | Mac | | |
| OS: | OS X 10.4 | | |
nrlz
I can crash Safari 419.3 with the following HTML:
```html
<div id="a"><input type=checkbox onchange="prefill();"></div>
<script>
function prefill() {
    var elm = document.getElementById("a");
    elm.innerHTML = "<input type=checkbox>";
    elm.firstChild.onchange = prefill;
}
</script>
```
Mark Rowe (bdash)
Backtrace in WebKit 418.9.1 is:
```text
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x4130003c
Reading symbols for shared libraries ............. done
/Users/mrowe/8271: No such file or directory.
Attaching to program: `/Applications/Safari.app/Contents/MacOS/Safari', process 8271.
Reading symbols for shared libraries ........................................................................................................ done
0x952ec447 in QWidget::getView ()
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x4130003c
0x952ec447 in QWidget::getView ()
(gdb) bt
#0  0x952ec447 in QWidget::getView ()
#1  0x953a7601 in QButton::clicked ()
#2  0x9335cd88 in -[NSApplication sendAction:to:from:] ()
#3  0x0002b34b in ?? ()
#4  0x9335cce1 in -[NSControl sendAction:to:] ()
#5  0x9335ee91 in -[NSCell _sendActionFrom:] ()
#6  0x93371671 in -[NSCell trackMouse:inRect:ofView:untilMouseUp:] ()
#7  0x9338f25d in -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] ()
#8  0x9338eb0d in -[NSControl mouseDown:] ()
#9  0x953f4526 in -[KWQButton mouseDown:] ()
#10 0x953a4d16 in KWQKHTMLPart::passWidgetMouseDownEventToWidget ()
#11 0x95380cd3 in KWQKHTMLPart::passWidgetMouseDownEventToWidget ()
#12 0x95380b16 in KWQKHTMLPart::khtmlMousePressEvent ()
#13 0x9550d5f8 in KParts::Part::event ()
#14 0x9538043d in KHTMLView::viewportMousePressEvent ()
#15 0x953800a1 in KWQKHTMLPart::mouseDown ()
#16 0x95169b30 in -[WebHTMLView mouseDown:] ()
#17 0x9334c3af in -[NSWindow sendEvent:] ()
#18 0x0002338e in ?? ()
#19 0x9333e350 in -[NSApplication sendEvent:] ()
#20 0x00022f1e in ?? ()
#21 0x93268dfe in -[NSApplication run] ()
#22 0x9325cd2f in NSApplicationMain ()
#23 0x0005f7de in ?? ()
#24 0x0005f6f9 in ?? ()
(gdb)
```
Mark Rowe (bdash)
This does not crash with ToT WebKit. As expected, the checkbox remains unchecked when clicked.
nrlz
Out of curiosity, should I continue to file new bugs which crash Safari 419.3, but which don't crash nightlies? This has been the case for both this bug and bug 12191. If I am wasting your time, then please let me know.
By the way, I found another crasher for 419.3 (safe on nightlies again) with this HTML:
```html
<a href="javascript:doit();">click me</a>
<div id="menu" style="overflow:auto"></div>
<script>
function doit() {
    var m = document.getElementById("menu");
    document.body.appendChild(m);
    m.style.display = "none";
    m.scrollTop = 0;
}
</script>
```