[Webkit-unassigned] [Bug 16782] REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jan 8 16:08:47 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=16782
------- Comment #6 from hk9565 at gmail.com  2008-01-08 16:08 PDT -------
We think we understand what is happening now.  When the test calls
eventSender.mouseUp(), the mouse up event is sent synchronously instead of
unwinding the stack and sending the event from the main event loop. 
HTMLAnchorElement then also loads the javascript: URL synchronously, which
replaces the current document.  At this point, we're screwed because there is a
bunch of code on the stack that's not expecting the document to be ripped out
from under it.

I don't know if this bug can be triggered outside of a LayoutTest.  I don't
know of a programmatic way to click an anchor element in WebKit (Opera provides
a click() method).  document.location and window.open load asynchronously.  The
remaining possibility is the submit() method on forms, which does run
synchronously, but I couldn't get it to crash (need to find code somewhere that
holds a stale pointer to a document).

Experiments on Firefox indicate that javascript: URLs run asynchronously.

It seems like the best route is to back out the part of the change that fixes
javascript URLs that return a non-undefined value and leave in the security
part of the change.  There are a bunch of other correctness bugs with
javascript URLs, so it might make sense to fix them together.
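The lifetime problem described in the comment above, as an added illustration that is not WebKit's code: a small C++ model in which loading the javascript: URL synchronously destroys the Document while the anchor-activation path still holds it, compared with queueing the load so it runs from the event loop after the stack has unwound. Frame, Document, activateAnchor and the URL strings are invented for the model.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <string>
#include <utility>

// Hypothetical model, not WebKit code: a Frame owns a Document, and loading a
// javascript: URL that returns a value replaces that Document.
struct Document {
    std::string url;
    explicit Document(std::string u) : url(std::move(u)) {}
};

struct Frame {
    std::shared_ptr<Document> document = std::make_shared<Document>("initial.html");
    std::queue<std::function<void()>> eventLoop;  // work that runs after the stack unwinds

    // Synchronous replacement: the old Document is destroyed right here, under
    // whatever code is still on the stack.
    void navigate(const std::string& url) { document = std::make_shared<Document>(url); }

    // Deferred replacement: the swap is queued and happens from the event loop.
    void scheduleNavigation(const std::string& url) {
        eventLoop.push([this, url] { navigate(url); });
    }

    void runEventLoop() {
        while (!eventLoop.empty()) {
            auto task = std::move(eventLoop.front());
            eventLoop.pop();
            task();
        }
    }
};

// Model of the anchor-activation path under a synchronous mouseUp: the caller
// grabs the Document once (a raw pointer on the real stack), the javascript:
// URL is loaded, and the caller then keeps using what it grabbed. Returns true
// if that Document was already gone by the time it was used again.
bool activateAnchor(Frame& frame, bool loadSynchronously) {
    std::weak_ptr<Document> held = frame.document;  // stands in for the stale raw pointer
    if (loadSynchronously)
        frame.navigate("javascript-result");
    else
        frame.scheduleNavigation("javascript-result");
    bool stale = held.expired();  // the real code dereferences here and crashes
    frame.runEventLoop();         // deferred navigation lands only after this returns
    return stale;
}
```

Both paths end with the new document installed; only the deferred one lets the code already on the stack finish with a document that still exists.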

