Bug 19745

Summary: Crash caused by DOM modification
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ddkilzer, mitz
Priority: P1 Keywords: HasReduction
Version: 525.x (Safari 3.1)   
Hardware: PC   
OS: Windows Vista   
URL: http://skypher.com/SkyLined/Repro/Safari/AccessViolation 1b362643.html

Description Berend-Jan Wever 2008-06-24 08:12:36 PDT 
The following HTML causes an Access Violation in Safari 3.1.1:

<BODY onload="go()"><SCRIPT>
    function go() {
		document.body.outerHTML='';
		document.createElement('map').innerHTML='<frameSet></frameSet><em><div><link></div></em><head></head><html>';
    }
</SCRIPT></BODY>
Comment 1 David Kilzer (:ddkilzer) 2009-07-22 12:10:53 PDT 
This does not reproduce in ToT WebKit.  Marking as RESOLVED/FIXED.