Bug 144371

Summary: Reproducible crash removing name attribute from <img> node
Product: WebKit Reporter: Neil Jenkins <neilj>
Component: DOMAssignee: Andreas Kling <kling>
Status: RESOLVED FIXED    
Severity: Normal CC: cmarcelo, commit-queue, esprehn+autocc, kangil.han
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.10   
Attachments:
Description Flags
Minimal test case to crash Safari
none
Patch none

Description Neil Jenkins 2015-04-28 19:31:20 PDT 
Created attachment 251916 [details]
Minimal test case to crash Safari

Steps to reproduce (or see attached minimal test case):

1. Create a document using document.implementation.createHTMLDocument('')
2. Add an image node to this document with both a name and an id attribute.
3. Attempt to remove the name attribute from the image node.

Expected result:

The name attribute is removed. Safari does not crash.

Actual result:

Safari crashes.

This reproduces in the latest stable Safari (8.0.5) on both OS X and iOS.
Comment 1 Alexey Proskuryakov 2015-04-28 22:29:40 PDT 
Thank you, nice test case!

rdar://problem/17198583
Comment 2 Andreas Kling 2015-05-01 16:23:35 PDT 
Created attachment 252190 [details]
Patch
Comment 3 WebKit Commit Bot 2015-05-01 18:30:47 PDT 
Comment on attachment 252190 [details]
Patch

Clearing flags on attachment: 252190

Committed r183706: <http://trac.webkit.org/changeset/183706>
Comment 4 WebKit Commit Bot 2015-05-01 18:30:51 PDT 
All reviewed patches have been landed.  Closing bug.