[Webkit-unassigned] [Bug 40742] New: WebCore crashes when removing a link element in a beforeload handler
bugzilla-daemon at webkit.org
Wed Jun 16 15:34:40 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=40742
Summary: WebCore crashes when removing a link element in a beforeload handler
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Keywords: HasReduction, InRadar
Severity: Major
Priority: P1
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: aestes at apple.com
Created an attachment (id=58941)
--> (https://bugs.webkit.org/attachment.cgi?id=58941)
test case
If a page has a beforeload handler that removes a stylesheet <link> element, WebCore will crash with the following backtrace:
Crash is in WebCore::Node::createRendererIfNeeded:
0 com.apple.WebCore 0x00007fff8808d6bd WebCore::Node::createRendererIfNeeded() + 45
1 com.apple.WebCore 0x00007fff8808d5a0 WebCore::Element::attach() + 32
2 com.apple.WebCore 0x00007fff8808cbb1 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 369
3 com.apple.WebCore 0x00007fff88110fd4 WebCore::HTMLParser::parseToken(WebCore::Token*) + 868
4 com.apple.WebCore 0x00007fff8808c621 WebCore::HTMLTokenizer::processToken() + 657
5 com.apple.WebCore 0x00007fff8810d786 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 4950
6 com.apple.WebCore 0x00007fff8810bc60 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 2720
7 com.apple.WebCore 0x00007fff8826607e WebCore::HTMLTokenizer::executeExternalScriptsIfReady() + 1694
8 com.apple.WebCore 0x00007fff882147fc WebCore::CachedScript::checkNotify() + 76
9 com.apple.WebCore 0x00007fff881e9226 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 358
10 com.apple.WebCore 0x00007fff881e9021 WebCore::SubresourceLoader::didFinishLoading() + 49
The attached .html file demonstrates the crash.