Bug 17367 - ASSERT in HTMLTokenizer::~HTMLTokenizer loading javascript URL
Summary: ASSERT in HTMLTokenizer::~HTMLTokenizer loading javascript URL
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.5
Importance: P1 Normal
Assignee: Cameron Zwarich (cpst)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-02-14 15:42 PST by Geoffrey Garen
Modified: 2009-09-22 15:18 PDT

Attachments
reduction (546 bytes, application/octet-stream)
2008-02-14 15:43 PST, Geoffrey Garen
Fix (without layout test) (1.25 KB, patch)
2009-02-05 06:44 PST, Cameron Zwarich (cpst)
Proposed patch (3.51 KB, patch)
2009-02-05 07:05 PST, Cameron Zwarich (cpst)

Description Geoffrey Garen 2008-02-14 15:42:34 PST
STEPS TO REPRODUCE:
1. Load javascript-url-crash-tokenizer.html, attached
--> crash
Comment 1 Geoffrey Garen 2008-02-14 15:43:07 PST
Created attachment 19128
reduction
Comment 2 Geoffrey Garen 2008-02-14 15:47:35 PST
<rdar://problem/5744401>
Comment 3 Cameron Zwarich (cpst) 2009-02-05 06:44:10 PST
Created attachment 27346
Fix (without layout test)

Here's the obvious fix. I'll turn Geoff's example into a layout test and post it for review.
Comment 4 Cameron Zwarich (cpst) 2009-02-05 07:05:32 PST
Created attachment 27347
Proposed patch
Comment 5 Cameron Zwarich (cpst) 2009-02-05 08:21:29 PST
Comment on attachment 27347
Proposed patch

This doesn't leak the HTMLTokenizer entirely, but it only gets deleted from Document::removeLastRef(). I'll remove the review flag and look for a better solution.
Comment 6 Darin Adler 2009-09-22 15:18:02 PDT
Seems to have been fixed.