[Webkit-unassigned] [Bug 25096] CRASH in WebCore::appendChildToContainer
bugzilla-daemon at webkit.org
Thu Apr 9 02:18:27 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=25096
------- Comment #5 from eric at webkit.org 2009-04-09 02:18 PDT -------
This must be a regression.
The crashing test case is:
<script>
document.implementation.createDocument(null, "foo:bar", null);
</script>
It's hard for me to imagine that we've always crashed on this. :)
The reason we crash is that createElementNS is strict about namespace URIs and
prefixes matching. I remember making this change:
http://trac.webkit.org/browser/trunk/WebCore/dom/Document.cpp#L753
We fail that check, thus return 0 from createElementNS, and the caller:
http://trac.webkit.org/browser/trunk/WebCore/dom/DOMImplementation.cpp#L253
doesn't null-check the return value like it should. :)
I suspect the caller's lack of a null check is the recent regression. However, I'm
not yet sure what our behavior here should be, so I need to make a more
comprehensive test first. :(
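A simplified model of the failure mode the comment above describes, added here as an illustration and not taken from WebKit's source: a createElementNS-style routine that rejects a prefixed qualified name with no namespace URI by returning a null pointer, and a caller that checks that result instead of dereferencing it. The namespace rules are a reduced form of the DOM Core prefix/namespace constraints, and all names and types are hypothetical.

```cpp
// Added example (not WebKit code): models "createElementNS returns 0 on a
// prefix/namespace mismatch, and the caller must null-check the result".
#include <memory>
#include <string>
#include <utility>

struct Element {                 // stand-in for a DOM element node
    std::string namespaceURI;
    std::string qualifiedName;
};

// Reduced DOM Core check: a prefixed name needs a namespace, and the reserved
// "xml" / "xmlns" prefixes must be bound to their fixed namespace URIs.
bool hasValidNamespace(const std::string& nsURI, const std::string& qname) {
    std::string::size_type colon = qname.find(':');
    if (colon == std::string::npos) return true;           // unprefixed: always fine
    std::string prefix = qname.substr(0, colon);
    if (nsURI.empty()) return false;                        // "foo:bar" with null namespace -> NAMESPACE_ERR
    if (prefix == "xml" && nsURI != "http://www.w3.org/XML/1998/namespace") return false;
    if (prefix == "xmlns" && nsURI != "http://www.w3.org/2000/xmlns/") return false;
    return true;
}

// Mirrors a createElementNS that signals NAMESPACE_ERR with a null return.
std::unique_ptr<Element> createElementNS(const std::string& nsURI, const std::string& qname) {
    if (!hasValidNamespace(nsURI, qname)) return nullptr;
    return std::make_unique<Element>(Element{nsURI, qname});
}

// Hardened caller: the crash in the report comes from using the result
// unconditionally; here a null result becomes a false return (error) instead.
bool createDocument(const std::string& nsURI, const std::string& qname,
                    std::unique_ptr<Element>& root) {
    std::unique_ptr<Element> e = createElementNS(nsURI, qname);
    if (!e) return false;            // the missing check: e-> here would be a null dereference
    root = std::move(e);
    return true;
}
```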