[Webkit-unassigned] [Bug 25567] Crash when writing into a detached TITLE element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 30 11:25:34 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=25567





--- Comment #15 from Alexey Proskuryakov <ap at webkit.org>  2010-03-30 11:25:33 PST ---
Created an attachment (id=52058)
 --> (https://bugs.webkit.org/attachment.cgi?id=52058)
test case for flushing

> But it is not clear if we care "x" as inserted into the tree or not when
> accessing title property.

I think that we should care somewhat. It makes sense to at least investigate
what HTML5 says about this - it's important to have HTML5 say sensible things
about parsing, because otherwise, we wouldn't be able to make our parser more
standards-compliant in the future.

I'm attaching a test case that shows largely inconsistent behavior in Safari
and Firefox. Safari never flushes the text content, but creates the nodes (see
bug 8961). Firefox doesn't even create the <title> node at first (which is why
it ends up having two title nodes in the original test case). It flushes the
input stream for <p>, though.

You mentioned that with this patch, we'll be getting "yx" as title. This
behavior seems counter-intuitive.

+It is OK not to crash. Mixing document.write() and docuent.title make the
title child node orphan, which did cause a crash.
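
Review bot: in the added description line, "docuent.title" is a typo for "document.title" and "make" should be "makes". The line also describes the earlier crash rather than what the test should produce, so replace "It is OK not to crash" with the expected title value and node state, so that a pass can be told apart from a fail.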

As mentioned in another bug, "It is OK not to crash" doesn't describe the test
expectation precisely enough.
