This bug is related to bug #7706. A JavaScript function is invoked through Flash's fscommand() method. This function appends an empty string to the innerHTML of the body element, which contains a Flash movie in an embed tag. Upon doing this, Safari crashes. See <http://tests.novemberborn.net/browsers/safari/fscommand-redraw/crash.html>. This bug was observed in Safari 417.8 with Flash 8.0.22. The nightly of March 10, 2006, did not invoke the JavaScript function, so the behaviour could not be observed.
Created attachment 6996: Contains the testcase linked to in the description.
The problem with the nightlies has been addressed in bug #7708.
Created attachment 6999: Crash report.
This bug also occurs in Firefox: <https://bugzilla.mozilla.org/show_bug.cgi?id=330100>
Confirmed with ToT (with a fix for bug 7708). Reproducible crash -> P1. Might be a bug in the plugin, though.
(In reply to comment #5)
> Might be a bug in the plugin, though.

Yes, but then, how would adding an empty string to the innerHTML crash the browser?
<rdar://problem/4483877>
Michelle Sintov from Macromedia has replied to the bug report at mozilla.org. See here: <https://bugzilla.mozilla.org/show_bug.cgi?id=330100#c5>
According to Michelle, it's not a bug in WebKit, but in Flash.
The bug no longer occurs in Safari 2.0.4 (419.3) with Flash 9 installed.