Bug 19744
Summary: | Crash caused by DOM modification | |
---|---|---|---
Product: | WebKit | Reporter: | Berend-Jan Wever <skylined>
Component: | New Bugs | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | ddkilzer, mitz
Priority: | P1 | Keywords: | HasReduction
Version: | 525.x (Safari 3.1) | |
Hardware: | PC | |
OS: | Windows Vista | |
URL: | http://skypher.com/SkyLined/Repro/Safari/AccessViolation%201b362643.html | |
Berend-Jan Wever
The below HTML causes an Access Violation in Safari 3.1.1:
```html
<BODY onload="go()"><SCRIPT>
var i=0;
function go() {
  // Remove the <body> element entirely by replacing its outerHTML.
  document.body.outerHTML="";
  // Create a detached element and parse a frameset followed by
  // nested inline/block markup into it via innerHTML.
  var o = document.createElement("kbd");
  o.innerHTML = '<frameSet></frameset><noBR><small><dir><link></dir></small></noBR>';
}
</SCRIPT></BODY>
```
The repros of a bunch of the bugs I filed recently (this one, 19516, 19517, 19536 and 19537) all look very similar. Though they all crash in different locations, they may be different manifestations of the same problem.
Jon@Chromium
Tracked at Chromium as http://code.google.com/p/chromium/issues/detail?id=3776
mitz
This does not reproduce in TOT WebKit. I think this was fixed along with similar bugs.
Sam Weinig
I don't think this is the correct usage of the GoogleBug, which is really meant to be a bug in a high profile google web product and not a Chromium issue.
David Kilzer (:ddkilzer)
This appears to be fixed in ToT. Marking as RESOLVED/FIXED per Comment #2.