[Webkit-unassigned] [Bug 41281] HTML5 Regression: Crash in insert()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 28 10:06:59 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=41281


Adam Barth <abarth at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|abarth at webkit.org           |webkit-unassigned at lists.web
                   |                            |kit.org




--- Comment #4 from Adam Barth <abarth at webkit.org>  2010-06-28 10:06:59 PST ---
Well, I can create this call stack using the following test case:

== repro.html ==

<link rel="stylesheet" href="http://webblaze.org/">
<body>
1
<script src="ext.js"></script>
5
Done!

== ext.js ==

document.write(2);
document.write(" <script>document.write(3)</script> ");
document.write(4);

However, nothing bad happens.  My theory is as follows: instead of 3, we do something that tricks endIfDelayed into actually calling end(), which deletes the HTMLDocumentParser, which causes the decrement of the script nesting level to be twiddling unallocated memory.  I'm pretty sure there's a bug on that line of code, so I'm going to post a patch to fix it.

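The lifetime hazard the comment theorises (a member decrement that runs after a call which may have deleted the object) can be modelled outside WebKit. The block below is an added example, not code from the bug thread or from WebKit's HTMLDocumentParser; the names Parser, Document, end, endIfDelayed and scriptNestingLevel are assumptions chosen to mirror the comment, and the input that "tricks endIfDelayed into actually calling end()" is not on the page, so it is stood in for by a flag the script sets. The unguarded path is instrumented with a weak_ptr so it reports the would-be use-after-free instead of committing it; the guarded path shows the usual fix, holding a strong reference across the re-entrant call.

```cpp
// Added example, not WebKit code: a minimal model of the lifetime hazard
// described in comment #4. All names are assumptions, not the real API.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Parser;

// The Document owns the Parser. In this model that ownership is the only
// strong reference, so finishedParsing() destroys the parser unless someone
// else is holding it alive.
struct Document {
    std::shared_ptr<Parser> parser;
    std::vector<std::string> log;   // event trace checked by the assertions
    void finishedParsing() { log.push_back("finishedParsing"); parser.reset(); }
};

struct Parser : std::enable_shared_from_this<Parser> {
    Document* document;
    int scriptNestingLevel = 0;
    bool endWasDelayed = false;

    explicit Parser(Document* d) : document(d) {}
    ~Parser() { document->log.push_back("~Parser"); }

    void end() {
        document->log.push_back("end");
        document->finishedParsing();   // may delete this; touch no members after it
    }

    // The trick that makes the delayed end fire is not on the page, so it is
    // modelled simply as the flag having been set by the running script.
    void endIfDelayed() {
        if (endWasDelayed) end();
    }

    // Pattern the comment theorises is buggy: bump the nesting level, run the
    // script, decrement afterwards. If the script ended the parser, the real
    // decrement would write into freed memory. Here a weak_ptr captured up
    // front lets the model report that instead of doing it.
    bool executeScriptUnguarded(const std::function<void(Parser&)>& script) {
        std::weak_ptr<Parser> self = shared_from_this();
        ++scriptNestingLevel;
        script(*this);
        if (self.expired())
            return true;   // real code would now do --scriptNestingLevel on freed memory
        --scriptNestingLevel;
        document->log.push_back("decrement");
        return false;
    }

    // Hardened form: hold a strong reference across the re-entrant call so
    // end() cannot destroy the parser before the decrement has run.
    bool executeScriptGuarded(const std::function<void(Parser&)>& script) {
        std::shared_ptr<Parser> protect = shared_from_this();
        ++scriptNestingLevel;
        script(*this);
        --scriptNestingLevel;          // safe: protect keeps *this alive
        document->log.push_back("decrement");
        return false;                  // destruction, if any, happens when protect dies
    }
};

struct Scenario {
    bool useAfterFree;                 // true if the decrement would have hit freed memory
    std::vector<std::string> log;
};

// Drives one script that, like the comment's hypothetical input, makes
// endIfDelayed() actually call end() while the script is still executing.
Scenario runScenario(bool guarded) {
    Document doc;
    doc.parser = std::make_shared<Parser>(&doc);
    auto script = [](Parser& p) {
        p.document->log.push_back("script");
        p.endWasDelayed = true;        // stand-in for whatever input triggers the delayed end
        p.endIfDelayed();
    };
    bool uaf = guarded ? doc.parser->executeScriptGuarded(script)
                       : doc.parser->executeScriptUnguarded(script);
    return {uaf, doc.log};
}
```

In the unguarded run the trace is script, end, finishedParsing, ~Parser, with no decrement recorded because the parser is already gone; in the guarded run the decrement lands before ~Parser. Whether WebKit's actual fix took this form is not stated on the page; the model only shows why the ordering in the comment's theory is fatal and what any fix has to guarantee.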