Bug 6617 - TOT REGRESSION: Crash in cloneChildNodes when clicking element
Summary: TOT REGRESSION: Crash in cloneChildNodes when clicking element
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P1 Normal
Assignee: Darin Adler
URL: http://studwww.ugent.be/~ddfreyne/pub...
Depends on:
Reported: 2006-01-17 12:34 PST by Denis Defreyne
Modified: 2006-01-31 21:20 PST (History)
1 user (show)

See Also:

Crash log (10.64 KB, text/plain)
2006-01-17 12:35 PST, Denis Defreyne
no flags Details
use PassRefPtr for cloneNode -- made the bug go away (109.85 KB, patch)
2006-01-23 02:48 PST, Darin Adler
sullivan: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Denis Defreyne 2006-01-17 12:34:53 PST

1. Open <http://studwww.ugent.be/~ddfreyne/pub/webkit/1/wp-admin/kaboom.html> in a recent 
WebKit build.
2. Click and drag the blue horizontal "Discussion" bar on the right down.
3. Crash.


The application crashes as soon as the drag operation starts.


The item should be dragged down in all its JavaScript/DOM/whatever glory.


WebKit-SVN-r12148.dmg (Tue Jan 17 10:33:08 GMT 2006)
Crash does not occur on latest Safari release.


* I tried isolating the crash, but I didn't succeed. Since I don't really know what's causing the crash, I'm 
giving it a rather obscure summary, and guessing a component. Apologies.

* That sample page is a WordPress 2 admin interface page. Just in case the lawyers pop in or 

* Crash report will follow in a minute.
Comment 1 Denis Defreyne 2006-01-17 12:35:32 PST
Created attachment 5740 [details]
Crash log
Comment 2 Geoffrey Garen 2006-01-17 13:04:50 PST
Confirmed on TOT.
Comment 3 Geoffrey Garen 2006-01-17 13:14:00 PST
All you have to do to reproduce this crash is click the word "Discussion." It seems to have an onclick 
handler that does funny things.
Comment 4 Joost de Valk (AlthA) 2006-01-22 04:37:47 PST
Adding Regression keyword.
Comment 5 Darin Adler 2006-01-23 00:27:53 PST
I think I can fix this with some RefPtr. Working on it.
Comment 6 Darin Adler 2006-01-23 02:33:01 PST
I have a fix, but would be nice to have a test case for layout tests too.
Comment 7 Darin Adler 2006-01-23 02:48:57 PST
Created attachment 5866 [details]
use PassRefPtr for cloneNode -- made the bug go away
Comment 8 Anders Carlsson 2006-01-23 03:40:29 PST
I could reproduce the crash by modifying fast/dom/clone-node-form-elements.html to make

<input id="input2" type="checkbox">


<input id="input2" type="checkbox" checked="checked">
Comment 9 John Sullivan 2006-01-23 07:32:41 PST
Comment on attachment 5866 [details]
use PassRefPtr for cloneNode -- made the bug go away

It might be a good idea to check for leaks in the layout tests. Otherwise r=me.
Comment 10 Darin Adler 2006-01-23 09:00:11 PST
I checked for leaks, and found and fixed one. There are more leaks remaining, but they don't relate to what I just changed.
Comment 11 Eric Seidel (no email) 2006-01-31 21:20:44 PST
Removing Regression keyword from bugs already fixed.