[Webkit-unassigned] [Bug 78207] [crash] Dynamically inserting content element causes crashes.
bugzilla-daemon at webkit.org
Thu Feb 9 18:14:55 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=78207
--- Comment #2 from Shinya Kawanaka <shinyak at chromium.org> 2012-02-09 18:14:55 PST ---
Sorry, Alexey.
Chromium's fuzzer system found a repro case.
<style>
.c4[class$="c4"] { display: table-column-group; -webkit-transform: rotate3d(0, 1, 1, 45deg);</style>
<script>
var nodes = Array();
function boom() {
try { nodes[32] = document.createElement('iframe'); } catch(e) {}
try { document.documentElement.appendChild(nodes[32]); } catch(e) {}
try { nodes[59] = document.createElement('content'); } catch(e) {}
try { nodes[32].appendChild(nodes[59]); } catch(e) {}
try { nodes[69] = document.createElement('iframe'); } catch(e) {}
try { nodes[69].setAttribute('class', 'c4'); } catch(e) {}
try { nodes[59].appendChild(nodes[69]); } catch(e) {}
}
window.onload = boom;
</script>