[Webkit-unassigned] [Bug 18392] Crash in KJS::ArrayInstance::inlineGetOwnPropertySlot viewing enhanced Wikipedia diff

bugzilla-daemon at webkit.org
Sat Apr 12 17:40:04 PDT 2008


http://bugs.webkit.org/show_bug.cgi?id=18392





------- Comment #6 from hartman at videolan.org  2008-04-12 17:40 PDT -------
I looked at the script in question today for a minute and spotted the
following:

        // get diff table and version link cells
        var tdArray = document.getElementsByTagName('TD');
        var tdOld;
        var tdNew;
        for (var i = 0; i < tdArray.length; i ++) {
                if (tdArray[i].className == 'diff-otitle') {
                        tdOld = tdArray[i];
                }
                else if (tdArray[i].className == 'diff-ntitle') {
                        tdNew = tdArray[i];
                        break;
                }
        }
        if ( (tdOld == null) || (tdNew == null) ) {
                return;
        }

        var oldVersion = null;
        var newVersion = null;

        var oldUrl;
        var newUrl;

It probably crashes on the line: if (tdArray[i].className == 'diff-otitle')
The problem being that getElementsByTagName returns a NodeList and not an Array
object.

