Bug 19745 - Crash caused by DOM modification
Summary: Crash caused by DOM modification
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 525.x (Safari 3.1)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: HasReduction
Depends on:
Blocks:
 
Reported: 2008-06-24 08:12 PDT by Berend-Jan Wever
Modified: 2009-07-22 12:10 PDT (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2008-06-24 08:12:36 PDT 
The following HTML causes an Access Violation in Safari 3.1.1:

<BODY onload="go()"><SCRIPT>
    function go() {
		document.body.outerHTML='';
		document.createElement('map').innerHTML='<frameSet></frameSet><em><div><link></div></em><head></head><html>';
    }
</SCRIPT></BODY>
Comment 1 David Kilzer (:ddkilzer) 2009-07-22 12:10:53 PDT 
This does not reproduce in ToT WebKit.  Marking as RESOLVED/FIXED.