Bug 40670

Summary: Safari crashes when executing addEventListener() for touchevents in an invisible iframe on iphone OS 4.0 beta (8A293)
Product: WebKit
Reporter: ranunculus <mihufnagl>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: mihufnagl
Priority: P2
Version: 528+ (Nightly build)
Hardware: Other
OS: Other
Attachments:
Description: Attached are the testfiles (Flags: none)

Description ranunculus 2010-06-16 04:13:17 PDT
If the JavaScript addEventListener() method is executed in an iframe which has the style attribute "display:none" set on itself or on a parent element, then Safari crashes.

The method is invoked by the window onload listener

If style is set to display:block Safari does not crash

This behavior appears for registering on 'touchstart', 'touchmove', 'touchend' and 'touchcancel'

It does not appear when registering on 'click'

navigator.useragent for Safari on iphone returns:
 Mozilla/5.0 (iphone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7

iphone OS Version: 4.0 (8A293)

Safari on Desktop for Windows does not crash (mozilla/5.0 (windows; u; windows nt 5.1; de-de) applewebkit/531.21.8 (khtml, like gecko) version/4.0.4 safari/531.21.10)


Here is the test code

iframe (code does not change in crashing version and not crashing version):

<html><head>
</head>
<body>
    IFRAME
<script>

console.log('crash safari test');
window.addEventListener('load', function() {
    // adding eventlistener crashes safari
    document.body.addEventListener('touchcancel', function() {
        // do nothing
    }, false);

});
</script>
</body>
</html>

html which loads iframe:

crashing version

<html><head>
<title>Safari crash test</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0,
maximum-scale=1.0">
</head><body>
<div>
    Safari crash test
<!-- iframe with style display:none crashes the browser -->
<iframe style="display:none;" src="iframe.htm"></iframe>
</div>
</body></html>

not crashing version

<html><head>
<title>Safari crash test</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0,
maximum-scale=1.0">
</head><body>
<div>
    Safari crash test
<!-- iframe with style display:block does not crash the browser -->
<iframe style="display:block;" src="iframe.htm"></iframe>
</div>
</body></html>
Comment 1 ranunculus 2010-06-16 04:42:58 PDT
Created attachment 58879 [details]
Attached are the testfiles
Comment 2 Mark Rowe (bdash) 2010-06-16 15:36:35 PDT
Bugs against unreleased Apple software should be filed at <http://bugreport.apple.com/>, not in a public forum.