Bug 6617

Summary: TOT REGRESSION: Crash in cloneChildNodes when clicking element
Product: WebKit Reporter: Denis Defreyne <amonre>
Component: DOMAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca
Priority: P1    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://studwww.ugent.be/~ddfreyne/pub/webkit/1/wp-admin/kaboom.html
Attachments:
Description Flags
Crash log
none
use PassRefPtr for cloneNode -- made the bug go away sullivan: review+

Denis Defreyne
Reported 2006-01-17 12:34:53 PST
STEPS TO REPRODUCE: 1. Open <http://studwww.ugent.be/~ddfreyne/pub/webkit/1/wp-admin/kaboom.html> in a recent WebKit build. 2. Click and drag the blue horizontal "Discussion" bar on the right down. 3. Crash. ACTUAL RESULTS: The application crashes as soon as the drag operation starts. EXPECTED RESULTS: The item should be dragged down in all its JavaScript/DOM/whatever glory. BUILD DATE AND PLATFORM: WebKit-SVN-r12148.dmg (Tue Jan 17 10:33:08 GMT 2006) Crash does not occur on latest Safari release. NOTES: * I tried isolating the crash, but I didn't succeed. Since I don't really know what's causing the crash, I'm giving it a rather obscure summary, and guessing a component. Apologies. * That sample page is a WordPress 2 admin interface page. Just in case the lawyers pop in or something. * Crash report will follow in a minute.
Attachments
Crash log (10.64 KB, text/plain)
2006-01-17 12:35 PST, Denis Defreyne 		no flags
Details
use PassRefPtr for cloneNode -- made the bug go away (109.85 KB, patch)
2006-01-23 02:48 PST, Darin Adler 		sullivan: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Denis Defreyne
Comment 1 2006-01-17 12:35:32 PST
Created attachment 5740 [details] Crash log
Geoffrey Garen
Comment 2 2006-01-17 13:04:50 PST
Confirmed on TOT.
Geoffrey Garen
Comment 3 2006-01-17 13:14:00 PST
All you have to do to reproduce this crash is click the word "Discussion." It seems to have an onclick handler that does funny things.
Joost de Valk (AlthA)
Comment 4 2006-01-22 04:37:47 PST
Adding Regression keyword.
Darin Adler
Comment 5 2006-01-23 00:27:53 PST
I think I can fix this with some RefPtr. Working on it.
Darin Adler
Comment 6 2006-01-23 02:33:01 PST
I have a fix, but would be nice to have a test case for layout tests too.
Darin Adler
Comment 7 2006-01-23 02:48:57 PST
Created attachment 5866 [details] use PassRefPtr for cloneNode -- made the bug go away
Anders Carlsson
Comment 8 2006-01-23 03:40:29 PST
I could reproduce the crash by modifying fast/dom/clone-node-form-elements.html to make <input id="input2" type="checkbox"> read <input id="input2" type="checkbox" checked="checked">
John Sullivan
Comment 9 2006-01-23 07:32:41 PST
Comment on attachment 5866 [details] use PassRefPtr for cloneNode -- made the bug go away It might be a good idea to check for leaks in the layout tests. Otherwise r=me.
Darin Adler
Comment 10 2006-01-23 09:00:11 PST
I checked for leaks, and found and fixed one. There are more leaks remaining, but they don't relate to what I just changed.
Eric Seidel (no email)
Comment 11 2006-01-31 21:20:44 PST
Removing Regression keyword from bugs already fixed.
Note You need to log in before you can comment on or make changes to this bug.