[Webkit-unassigned] [Bug 41948] REGRESSION(r60392): Crash during page load inside JSObject::defaultValue
bugzilla-daemon at webkit.org
Sun Jul 11 03:18:12 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=41948
--- Comment #9 from Peter Speck <speck at vitality.dk> 2010-07-11 03:18:12 PST ---
Further reduction: now without iframe:
http://glimmerblocker.org/site/wkbug41948/noframe.html
This html page contains just:
abc
<script>
var href=new String(document.location.href);
eval('try { gyfle.gafle.gufle; } catch(e) {}');
var url='abc' + '&href='+escape(href.substring(0,1));
</script>
def
It doesn't crash if I do any of the following:
1) Change 1st line to "var href=document.location.href;"
2) Unwrap eval.
3) Remove the "gyfle.gafle.gufle" so it doesn't throw an exception, or replace it with "throw new Error();". (throw 42; still fails, though).
4) Combine the 2 static strings in "var url=..."
5) Remove substring(), so last line ends with "escape(href);"
6) Add alert() inside the catch block, i.e. catch(e) { alert(42);}. Anywhere else, and it still crashes.
Crash confirmed with new nightly: r63031.