Bug 20540

Summary:	HTML/JavaScript causes Read AV[3c]@WebKit.dll+4c00 #bd95c6be
Product:	WebKit	Reporter:	Berend-Jan Wever <skylined>
Component:	New Bugs	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED CONFIGURATION CHANGED
Severity:	Critical	CC:	ap, bfulgham
Priority:	P2	Keywords:	HasReduction, InRadar
Version:	525.x (Safari 3.1)
Hardware:	PC
OS:	Windows Vista
URL:	http://skypher.com/SkyLined/Repro/Safari/AVR%5B3c%5D@WebKit.dll+4c00%20%23bd95c6be/repro.html

Berend-Jan Wever

Reported 2008-08-27 04:08:06 PDT

The following HTML file triggers a NULL pointer AV: <BODY onload=go()></BODY> <SCRIPT> function go() { var oOldBody = document.body; document.addEventListener("DOMNodeRemoved", function () { event.relatedNode.parentElement.removeChild(event.relatedNode); },true); document.body.parentElement.removeChild(document.body); oOldBody.innerHTML = "x<l><html>"; } </SCRIPT>

Attachments
Add attachment proposed patch, testcase, etc.

Mark Rowe (bdash)

Comment 1 2008-08-27 12:09:51 PDT

<rdar://problem/6180069>

Alexey Proskuryakov

Comment 2 2008-08-28 03:38:09 PDT

Could you please try this with a nightly build (http://nightly.webkit.org)? We could not reproduce this yet.

Berend-Jan Wever

Comment 3 2008-08-28 08:52:52 PDT

I tested it in nightly and it does indeed not repro - but... I open Safari (with webkit nightly) and drag the URL in. The page opens fine. I drag the URL in again and I see this: (f6c.df0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. WebKit!WebCore::DragController::concludeDrag+0x3a: 00000000`6d4a0cda 8b03 mov eax,dword ptr [ebx] ds:002b:00000000`00000000=???????? So something is still messed up in nightly, but it doesn't repro until you do a drag and drop.

Berend-Jan Wever

Comment 4 2008-08-28 09:08:36 PDT

This same drag and drop problem happens with the repro for bug 19516

Alexey Proskuryakov

Comment 5 2008-08-28 09:16:49 PDT

That certainly sounds bad - but probably a separate problem.

Berend-Jan Wever

Comment 6 2008-08-28 09:35:50 PDT

Do I need to file a new bug or can we reuse this one?

Mark Rowe (bdash)

Comment 7 2008-08-28 18:16:14 PDT

A new bug report would be preferred since it appears to be a separate issue.

Berend-Jan Wever

Comment 8 2008-08-29 01:28:59 PDT

Ok, if we're going to be bueaucratic about it: I opened bug 20565 :)

Note You need to log in before you can comment on or make changes to this bug.