Bug 11777 - Crash when using XMLSerializer.serializeToString() on documentless, DocumentType nodes.
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Critical
Assignee: Sam Weinig
Reported: 2006-12-07 12:59 PST by Sam Weinig
Modified: 2019-02-06 09:04 PST

testcase (1.01 KB, text/html)
2006-12-07 14:44 PST, Sam Weinig
another testcase (1.39 KB, text/html)
2006-12-07 15:11 PST, Sam Weinig
patch (9.83 KB, patch)
2006-12-07 16:48 PST, Sam Weinig
ggaren: review+

Description Sam Weinig 2006-12-07 12:59:56 PST
If the DocumentType node does not have a Document associated with it, as in cases where you just created one from the DOMImplementation object, WebKit crashes reliably. This is a regression from the current shipping Safari.
Comment 1 Sam Weinig 2006-12-07 14:44:58 PST
Created attachment 11765

Testcase.  This will cause your browser to crash!
Comment 2 Sam Weinig 2006-12-07 15:11:33 PST
Created attachment 11766
another testcase

Another testcase that will crash ToT.
Comment 3 Sam Weinig 2006-12-07 16:48:52 PST
Created attachment 11767
Comment 4 Geoffrey Garen 2006-12-07 23:12:00 PST
Comment on attachment 11767

+    if (node->nodeType() == Node::DOCUMENT_TYPE_NODE && !node->document()) {
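
Review bot: the `nodeType() == Node::DOCUMENT_TYPE_NODE` half of this condition narrows the guard, so a node of any other type whose `document()` returned null would not take this branch. Testing `!node->document()` alone covers every null case; if other node types are never supposed to have a null document, state that with an assertion rather than folding it into the condition.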

It's true that only the DocumentType node can have a NULL document, but I don't see any need to test for the node being a DocumentType node. !node->document() should do.

Comment 5 Sam Weinig 2006-12-08 15:58:55 PST
Landed in r18085.
Comment 6 Lucas Forschler 2019-02-06 09:04:03 PST
Mass moving XML DOM bugs to the "DOM" Component.