RESOLVED FIXED 19744
Crash caused by DOM modification
https://bugs.webkit.org/show_bug.cgi?id=19744
Berend-Jan Wever
Reported 2008-06-24 07:55:52 PDT
The below HTML causes an Access Violation in Safari 3.1.1:

<BODY onload="go()"><SCRIPT>
  var i=0;
  function go() {
    document.body.outerHTML="";
    var o = document.createElement("kbd");
    o.innerHTML = '<frameSet></frameset><noBR><small><dir><link></dir></small></noBR>';
  }
</SCRIPT></BODY>

The repros of a bunch of the bugs I filed recently (this one, 19516, 19517, 19536 and 19537) all look very similar. Though they all crash in different locations, they may be different manifestations of the same problem.
Jon@Chromium
Comment 1 2008-10-27 11:45:00 PDT
mitz
Comment 2 2008-10-27 12:21:38 PDT
This does not reproduce in TOT WebKit. I think this was fixed along with similar bugs.
Sam Weinig
Comment 3 2008-10-29 15:05:44 PDT
I don't think this is the correct usage of the GoogleBug, which is really meant to be a bug in a high profile Google web product and not a Chromium issue.
David Kilzer (:ddkilzer)
Comment 4 2009-07-22 12:09:27 PDT
This appears to be fixed in ToT. Marking as RESOLVED/FIXED per Comment #2.