[Webkit-unassigned] [Bug 40670] New: Safari crashes when executing addEventListener() for touchevents in an invisible iframe on iphone OS 4.0 beta (8A293)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 16 04:13:18 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=40670

           Summary: Safari crashes when executing addEventListener() for
                    touchevents in an invisible iframe on iphone OS 4.0
                    beta (8A293)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Other
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mihufnagl at gmail.com


If the JavaScript addEventListener() method is executed in an iframe which has the style attribute "display:none" set on itself or on a parent element, then Safari crashes.

The method is invoked by the window onload listener.

If the style is set to display:block, Safari does not crash.

This behavior appears when registering on 'touchstart', 'touchmove', 'touchend' and 'touchcancel'.

It does not appear when registering on 'click'.

navigator.userAgent for Safari on iPhone returns:
 Mozilla/5.0 (iphone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7

iPhone OS version: 4.0 (8A293)

Safari on Desktop for Windows does not crash (mozilla/5.0 (windows; u; windows nt 5.1; de-de) applewebkit/531.21.8 (khtml, like gecko) version/4.0.4 safari/531.21.10)


Here is the test code:

iframe (the code is the same in the crashing and the non-crashing version):

<html><head>
</head>
<body>
    IFRAME
<script>

console.log('crash safari test');
window.addEventListener('load', function() {
    // adding eventlistener crashes safari
    document.body.addEventListener('touchcancel', function() {
        // do nothing
    }, false);

});
</script>
</body>
</html>

html which loads iframe:

crashing version

<html><head>
<title>Safari crash test</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0">
</head><body>
<div>
    Safari crash test
<!-- iframe with style display:none crashes the browser -->
<iframe style="display:none;" src="iframe.htm"></iframe>
</div>
</body></html>

not crashing version

<html><head>
<title>Safari crash test</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0">
</head><body>
<div>
    Safari crash test
<!-- iframe with style display:block does not crash the browser -->
<iframe style="display:block;" src="iframe.htm"></iframe>
</div>
</body></html>

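A defensive guard a page author could place in the iframe's script, as an added example that is not part of the bug report: it skips touch-listener registration while the hosting frame or any of its ancestors is display:none. The names frameVisibility and addListenerGuarded are hypothetical, and the guard assumes the crash condition is exactly as reported; it has not been verified on the affected build.

```javascript
// Added example, not from the bug report. Assumes the crash condition is
// exactly as reported: a touch listener registered while the hosting iframe,
// or one of its ancestors, has display:none.
const TOUCH_EVENTS = ['touchstart', 'touchmove', 'touchend', 'touchcancel'];

// Default style lookup for browsers; injectable so the logic runs without a DOM.
const computedStyleOf = (el) => el.ownerDocument.defaultView.getComputedStyle(el);

// Returns 'visible', 'hidden' or 'unknown' for the frame chain that hosts `win`.
function frameVisibility(win, getStyle = computedStyleOf) {
  while (win.parent !== win) {                // stop at the top-level window
    let frame = null;
    try { frame = win.frameElement; } catch (e) { /* cross-origin parent */ }
    if (!frame) return 'unknown';             // cannot inspect a cross-origin embedder
    // Computed `display` is not inherited, so every ancestor must be checked.
    for (let el = frame; el; el = el.parentElement) {
      if (getStyle(el).display === 'none') return 'hidden';
    }
    win = win.parent;
  }
  return 'visible';
}

// Registers the listener unless it is a touch event in a frame that is hidden
// or cannot be inspected. Returns true if the listener was registered.
function addListenerGuarded(win, target, type, handler, getStyle = computedStyleOf) {
  if (TOUCH_EVENTS.includes(type) && frameVisibility(win, getStyle) !== 'visible') {
    return false;
  }
  target.addEventListener(type, handler, false);
  return true;
}
```

In the iframe from the report, the call would be addListenerGuarded(window, document.body, 'touchcancel', handler) inside the load listener.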