Bug 144371

Summary: Reproducible crash removing name attribute from <img> node
Product: WebKit Reporter: Neil Jenkins <neilj>
Component: DOMAssignee: Andreas Kling <kling>
Status: RESOLVED FIXED    
Severity: Normal CC: cmarcelo, commit-queue, esprehn+autocc, kangil.han
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.10   
Attachments:
Description Flags
Minimal test case to crash Safari
none
Patch none

Neil Jenkins
Reported 2015-04-28 19:31:20 PDT
Created attachment 251916 [details] Minimal test case to crash Safari Steps to reproduce (or see attached minimal test case): 1. Create a document using document.implementation.createHTMLDocument('') 2. Add an image node to this document with both a name and an id attribute. 3. Attempt to remove the name attribute from the image node. Expected result: The name attribute is removed. Safari does not crash. Actual result: Safari crashes. This reproduces in the latest stable Safari (8.0.5) on both OS X and iOS.
Attachments
Minimal test case to crash Safari (271 bytes, text/html)
2015-04-28 19:31 PDT, Neil Jenkins 		no flags
Details
Patch (6.94 KB, patch)
2015-05-01 16:23 PDT, Andreas Kling 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2015-04-28 22:29:40 PDT
Thank you, nice test case! rdar://problem/17198583
Andreas Kling
Comment 2 2015-05-01 16:23:35 PDT
Created attachment 252190 [details] Patch
WebKit Commit Bot
Comment 3 2015-05-01 18:30:47 PDT
Comment on attachment 252190 [details] Patch Clearing flags on attachment: 252190 Committed r183706: <http://trac.webkit.org/changeset/183706>
WebKit Commit Bot
Comment 4 2015-05-01 18:30:51 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.