Bug 4367

Summary: Crash when executing setTimeout / Date / document.write Javascript (bugtraq)
Product: WebKit Reporter: Kevin Broderick <kbroderick>
Component: JavaScriptCoreAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Normal CC: mrowe
Priority: P1    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Javascript that crashes WebKit
none
patch to fix this by removing some uneeded code from document.close mjs: review+

Kevin Broderick
Reported 2005-08-09 17:19:35 PDT
As seen on bugtraq, the attached HTML file (mostly JS) can crash Safari. Bugtraq submitter reported it on 10.3.9 and Safari 1.3 (132); I've also seen it on 10.4.2 w/WebKit.App (ToT from 8 Aug 05).
Attachments
Javascript that crashes WebKit (264 bytes, text/html)
2005-08-09 17:20 PDT, Kevin Broderick 		no flags
Details
patch to fix this by removing some uneeded code from document.close (6.44 KB, patch)
2005-09-07 22:23 PDT, Darin Adler 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Kevin Broderick
Comment 1 2005-08-09 17:20:08 PDT
Created attachment 3302 [details] Javascript that crashes WebKit
Mark Rowe (bdash)
Comment 2 2005-09-06 23:56:54 PDT
Confirmed with ToT WebKit. Bumping to P1 as it's a reproducible crash.
Darin Adler
Comment 3 2005-09-07 22:20:11 PDT
Simple problem in document logic; unnecessary code to destroy the tokenizer twice.
Darin Adler
Comment 4 2005-09-07 22:23:15 PDT
Created attachment 3806 [details] patch to fix this by removing some uneeded code from document.close
Maciej Stachowiak
Comment 5 2005-09-08 22:32:26 PDT
It's hard to see the actual code change, given all the formatting changes.
Maciej Stachowiak
Comment 6 2005-09-08 22:39:44 PDT
OK, r=me if the layout tests all still pass. Make sure to add the test case as a layout test.
Darin Adler
Comment 7 2005-09-10 13:44:37 PDT
Had to change the test quite a bit to land it as a layout test, but I came up with something.
Note You need to log in before you can comment on or make changes to this bug.