[Webkit-unassigned] [Bug 25567] Crash when writing into a detached TITLE element
bugzilla-daemon at webkit.org
Tue Mar 30 00:24:43 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=25567
--- Comment #13 from MORITA Hajime <morrita at google.com> 2010-03-30 00:24:43 PST ---
ap, thank you for giving a comment.
> What exactly is the bug here? Is it that having a detached title causes a
> crash, or that the title becomes detached, in the first place?
This bug is about an assertion failure.
I think the summary line is irrelevant.
The <title> element is not detached. Its new child is detached
and failed to attach() because it is not in the tree.
For the following example:
document.write("<title>x");
document.title = "y";
document.write("");
The child text node "x" is detached because when adding "x",
there is already another child text node "y",
which is made by the document.title setter,
and the code does not seem to assume such a case.
Trying to append "x" triggers HTMLTitleElement to concatenate its children,
and the concatenation process removes "x" from <title>.
(And the new child "yx" remains.)
About HTML5, it says:
- setting document.title should create a <title> element unless there already is one.
- existing children should be removed on setting document.title
http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#document.title
But it is not clear whether we consider "x" as inserted into the tree or not when
accessing the title property.
Another idea is flushing the pending stream when setting document.title.
But I think it would break another part of the DOM...