Bug 78207 - [crash] Dynamically inserting content element causes crashes.
Summary: [crash] Dynamically inserting content element causes crashes.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2012-02-09 00:05 PST by Shinya Kawanaka
Modified: 2012-05-13 19:17 PDT

Comment 1 Alexey Proskuryakov 2012-02-09 10:15:05 PST
Could you please post full bug details here? Making everyone click through to a 3rd party system just wastes time, and is unhelpful.
Comment 2 Shinya Kawanaka 2012-02-09 18:14:55 PST
Sorry, Alexey.

Chromium's fuzzer system found a repro case.

<style>
.c4[class$="c4"] { display: table-column-group; -webkit-transform: rotate3d(0, 1, 1, 45deg); }
</style>
<script>
var nodes = Array();
function boom() {
  // Append an iframe directly to the root element.
  try { nodes[32] = document.createElement('iframe'); } catch(e) {}
  try { document.documentElement.appendChild(nodes[32]); } catch(e) {}
  // Insert a <content> element (the Shadow DOM insertion point element) inside that iframe.
  try { nodes[59] = document.createElement('content'); } catch(e) {}
  try { nodes[32].appendChild(nodes[59]); } catch(e) {}
  // Nest a second iframe, styled by the .c4 rule above (table-column-group plus a 3D transform),
  // inside the <content> element.
  try { nodes[69] = document.createElement('iframe'); } catch(e) {}
  try { nodes[69].setAttribute('class', 'c4'); } catch(e) {}
  try { nodes[59].appendChild(nodes[69]); } catch(e) {}
}
window.onload = boom;
</script>
Comment 3 Shinya Kawanaka 2012-05-13 19:17:42 PDT
This bug is already fixed.
Comment 4 Shinya Kawanaka 2012-05-13 19:17:56 PDT
http://trac.webkit.org/changeset/108758