RESOLVED FIXED 22378
Crash submitting a form when parsing an XHTML document 
https://bugs.webkit.org/show_bug.cgi?id=22378
Summary Crash submitting a form when parsing an XHTML document
Raghu
Reported 2008-11-20 00:35:52 PST
I have pasted the test content below. If this content is present in a .xhtml file, the webkit crashes. (Verified in Safari on Win XP with latest nightly, and in Chrome - It crashes there too.) But, if the same content is served in a .html file, It works fine. I am afraid, the XHTML content <--> JS bindings have serious issues in webkit. Here's the test content: ------------------------------- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8"/> <title>Form access </title> </head> <body style="background-color:white;border-left:0px;border-top:0px;overflow:hidden;" > <form name="MyForm" method="POST" action="about:blank"> <input type="hidden" name="name" value=""></input> </form> <script type="text/javascript"> document.MyForm.name.value="test"; document.MyForm.setAttribute("action","about:blank"); document.MyForm.submit(); </script> </body> </html> ------------------------------------------------------------------
Attachments
test case as attachment -- did not crash for me (731 bytes, application/xhtml+xml)
2008-11-20 02:02 PST, Eric Seidel (no email) 		no flags
Details
Test content, that crashes the webkit (788 bytes, application/xhtml+xml)
2008-11-20 02:13 PST, Raghu 		no flags
Details
Test page: Form Submit action Doesn't work. (768 bytes, application/xhtml+xml)
2008-11-20 03:02 PST, Raghu 		no flags
Details
HTML: Asserts, may crash (768 bytes, text/html)
2008-11-20 03:04 PST, Raghu 		no flags
Details
some work in progress (24.40 KB, patch)
2009-03-25 10:09 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
more work in progress (40.77 KB, patch)
2009-03-26 09:46 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
more work in progress (124.04 KB, patch)
2009-03-27 11:31 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
almost done (48.66 KB, patch)
2009-03-29 12:29 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
event closer to done (79.41 KB, patch)
2009-03-31 18:01 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
even closer (86.47 KB, patch)
2009-04-01 09:47 PDT, Darin Adler 		no flags
DetailsFormatted DiffDiff
patch (92.16 KB, patch)
2009-04-01 14:23 PDT, Darin Adler 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (8) View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2008-11-20 02:02:25 PST
Created attachment 25305 [details] test case as attachment -- did not crash for me
Raghu
Comment 2 2008-11-20 02:13:50 PST
Created attachment 25306 [details] Test content, that crashes the webkit
Raghu
Comment 3 2008-11-20 02:34:24 PST
Hi All, You are right Eric. Sorry.. I found that, on Safari & Chrome... accessing forms as: document.forms.MyForm.name.value= "something"; causes the crash... But, document.MyForm.name.value= "something"; doesn't crash, but doesn't work either. I see that, the 'form submit' action is NOT happening in .xhtml file. If you change the file name to .html, it works.
Raghu
Comment 4 2008-11-20 03:02:49 PST
Created attachment 25309 [details] Test page: Form Submit action Doesn't work.
Raghu
Comment 5 2008-11-20 03:04:06 PST
Created attachment 25310 [details] HTML: Asserts, may crash
Alexey Proskuryakov
Comment 6 2008-11-20 05:23:02 PST
Confirmed with r38590. Marking attachments that do not demonstrate the problem as obsolete. This is not related to "document.MyForm" not being a proper way to access elements in XHTML documents in any way.
Alexey Proskuryakov
Comment 7 2008-11-20 05:48:31 PST
<rdar://problem/6388377>
Alexey Proskuryakov
Comment 8 2009-02-19 05:15:07 PST
Comment on attachment 25310 [details] HTML: Asserts, may crash In fact, the HTML version doesn't work right either - an assertion fails in debug builds, and looking at the code, we have the same problem with using a destroyed object.
Darin Adler
Comment 9 2009-03-25 10:09:30 PDT
Created attachment 28932 [details] some work in progress
Darin Adler
Comment 10 2009-03-26 09:46:38 PDT
Created attachment 28971 [details] more work in progress
Darin Adler
Comment 11 2009-03-27 11:31:45 PDT
Created attachment 29017 [details] more work in progress
Darin Adler
Comment 12 2009-03-27 14:18:47 PDT
Alexey thinks there may be security impact, so moving to the security product.
Darin Adler
Comment 13 2009-03-29 12:29:45 PDT
Created attachment 29047 [details] almost done This patch is almost ready to go. Here's what remains: 1) A few layout tests are failing. Two of them are failing because our behavior now matches Firefox, tests for a crash when submitting a form from an onunload handler. Not sure how to fix those two. One other is failing because back/forward is working differently. Not sure if it's a regression or progression, and how to fix it if it's a progression. 2) No change log yet. 3) Haven't changed the test case into a regression test yet.
Darin Adler
Comment 14 2009-03-31 18:01:14 PDT
Created attachment 29149 [details] event closer to done
Darin Adler
Comment 15 2009-04-01 09:47:30 PDT
Created attachment 29161 [details] even closer
Darin Adler
Comment 16 2009-04-01 14:23:51 PDT
Created attachment 29178 [details] patch
Geoffrey Garen
Comment 17 2009-04-01 14:47:05 PDT
Comment on attachment 29178 [details] patch r=me
Darin Adler
Comment 18 2009-04-01 18:02:29 PDT
http://trac.webkit.org/changeset/42158
Note You need to log in before you can comment on or make changes to this bug.