STEPS TO REPRODUCE: 1. Open <http://studwww.ugent.be/~ddfreyne/pub/webkit/1/wp-admin/kaboom.html> in a recent WebKit build. 2. Click and drag the blue horizontal "Discussion" bar on the right down. 3. Crash. ACTUAL RESULTS: The application crashes as soon as the drag operation starts. EXPECTED RESULTS: The item should be dragged down in all its JavaScript/DOM/whatever glory. BUILD DATE AND PLATFORM: WebKit-SVN-r12148.dmg (Tue Jan 17 10:33:08 GMT 2006) Crash does not occur on latest Safari release. NOTES: * I tried isolating the crash, but I didn't succeed. Since I don't really know what's causing the crash, I'm giving it a rather obscure summary, and guessing a component. Apologies. * That sample page is a WordPress 2 admin interface page. Just in case the lawyers pop in or something. * Crash report will follow in a minute.
Created attachment 5740 [details] Crash log
Confirmed on TOT.
All you have to do to reproduce this crash is click the word "Discussion." It seems to have an onclick handler that does funny things.
Adding Regression keyword.
I think I can fix this with some RefPtr. Working on it.
I have a fix, but would be nice to have a test case for layout tests too.
Created attachment 5866 [details] use PassRefPtr for cloneNode -- made the bug go away
I could reproduce the crash by modifying fast/dom/clone-node-form-elements.html to make <input id="input2" type="checkbox"> read <input id="input2" type="checkbox" checked="checked">
Comment on attachment 5866 [details] use PassRefPtr for cloneNode -- made the bug go away It might be a good idea to check for leaks in the layout tests. Otherwise r=me.
I checked for leaks, and found and fixed one. There are more leaks remaining, but they don't relate to what I just changed.
Removing Regression keyword from bugs already fixed.