Bug 4367

Summary: Crash when executing setTimeout / Date / document.write Javascript (bugtraq)
Product: WebKit
Reporter: Kevin Broderick <kbroderick>
Component: JavaScriptCore
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Normal
CC: mrowe
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4
Attachments:
Description                                                              Flags
Javascript that crashes WebKit                                           none
patch to fix this by removing some unneeded code from document.close     mjs: review+

Description Kevin Broderick 2005-08-09 17:19:35 PDT
As seen on bugtraq, the attached HTML file (mostly JS) can crash Safari.  Bugtraq submitter reported it on 10.3.9 and Safari 1.3 (132); I've also seen it on 10.4.2 w/WebKit.App (ToT from 8 Aug 05).
Comment 1 Kevin Broderick 2005-08-09 17:20:08 PDT
Created attachment 3302 [details]
Javascript that crashes WebKit
Comment 2 Mark Rowe (bdash) 2005-09-06 23:56:54 PDT
Confirmed with ToT WebKit.  Bumping to P1 as it's a reproducible crash.
Comment 3 Darin Adler 2005-09-07 22:20:11 PDT
Simple problem in document logic; unnecessary code to destroy the tokenizer twice.
Comment 4 Darin Adler 2005-09-07 22:23:15 PDT
Created attachment 3806 [details]
patch to fix this by removing some unneeded code from document.close
Comment 5 Maciej Stachowiak 2005-09-08 22:32:26 PDT
It's hard to see the actual code change, given all the formatting changes.
Comment 6 Maciej Stachowiak 2005-09-08 22:39:44 PDT
OK, r=me if the layout tests all still pass. Make sure to add the test case as a layout test.
Comment 7 Darin Adler 2005-09-10 13:44:37 PDT
Had to change the test quite a bit to land it as a layout test, but I came up with something.