[Webkit-unassigned] [Bug 40742] New: WebCore crashes when removing a link element in a beforeload handler

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 16 15:34:40 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=40742

           Summary: WebCore crashes when removing a link element in a
                    beforeload handler
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: HasReduction, InRadar
          Severity: Major
          Priority: P1
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: aestes at apple.com


Created an attachment (id=58941)
 --> (https://bugs.webkit.org/attachment.cgi?id=58941)
test case

If a page has a beforeload handler that removes a stylesheet <link> element, WebCore will crash with the following backtrace:

Crash is in WebCore::Node::createRendererIfNeeded:

0   com.apple.WebCore                 0x00007fff8808d6bd WebCore::Node::createRendererIfNeeded() + 45
1   com.apple.WebCore                 0x00007fff8808d5a0 WebCore::Element::attach() + 32
2   com.apple.WebCore                 0x00007fff8808cbb1 WebCore::HTMLParser::insertNode(WebCore::Node*, bool) + 369
3   com.apple.WebCore                 0x00007fff88110fd4 WebCore::HTMLParser::parseToken(WebCore::Token*) + 868
4   com.apple.WebCore                 0x00007fff8808c621 WebCore::HTMLTokenizer::processToken() + 657
5   com.apple.WebCore                 0x00007fff8810d786 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 4950
6   com.apple.WebCore                 0x00007fff8810bc60 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 2720
7   com.apple.WebCore                 0x00007fff8826607e WebCore::HTMLTokenizer::executeExternalScriptsIfReady() + 1694
8   com.apple.WebCore                 0x00007fff882147fc WebCore::CachedScript::checkNotify() + 76
9   com.apple.WebCore                 0x00007fff881e9226 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 358
10  com.apple.WebCore                 0x00007fff881e9021 WebCore::SubresourceLoader::didFinishLoading() + 49

The attached .html file demonstrates the crash.

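The attachment itself is not reproduced in the message, so the following is a constructed reproduction page written here to make the reported condition concrete; it is not attachment 58941 and not WebKit project code. It follows the report literally (a beforeload handler that removes a stylesheet link element while it is being processed) and adds one assumption taken from the backtrace: frames 6 and 7 show the tokenizer resuming from HTMLTokenizer::executeExternalScriptsIfReady, so the page loads an external script ahead of the link. The URLs helper.js and style.css are placeholders; the requests do not need to succeed for the parser path to be exercised.

```html
<!DOCTYPE html>
<!-- Constructed reproduction page for the condition described in bug 40742.
     Not the reporter's attachment (id=58941). Placeholder URLs throughout. -->
<html>
<head>
  <script>
    // beforeload was a WebKit-specific event dispatched just before a
    // subresource (script, stylesheet, image, frame) was requested. It is
    // cancelable via preventDefault(), which is its intended use. A
    // capturing listener on the document receives it for every element
    // regardless of whether the event bubbles.
    document.addEventListener('beforeload', function (event) {
      var target = event.target;
      if (target.tagName === 'LINK' && target.rel === 'stylesheet') {
        // Instead of cancelling the load, detach the element itself. The
        // parser is still inside HTMLParser::insertNode / Element::attach
        // for this node, so it continues into createRendererIfNeeded on a
        // node that no longer has a parent. That is the crash the report
        // attributes to WebCore::Node::createRendererIfNeeded.
        target.parentNode.removeChild(target);
      }
    }, true);
  </script>

  <!-- Assumption from the backtrace: the tokenizer was resumed after an
       external script finished loading (executeExternalScriptsIfReady),
       so the <link> is parsed on that resumed path. The script may 404;
       the parser resumes either way. -->
  <script src="helper.js"></script>

  <!-- The element the handler removes. Its href never has to resolve. -->
  <link rel="stylesheet" href="style.css">
</head>
<body>
  <p>On an affected WebKit nightly, rendering does not get this far.</p>
</body>
</html>
```

The safe way to suppress a subresource from a beforeload handler was event.preventDefault(), which left the element in the tree; mutating the tree from inside a synchronous parser-dispatched event is the pattern that is fragile here, and the same shape (a handler fired mid-insertion that removes the node being inserted) is worth testing for any event a parser dispatches synchronously.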