22590 2008-12-02 08:30:11 -0800 empty fragment href's crashes browser. 2011-03-08 11:57:31 -0800 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) PC Linux RESOLVED DUPLICATE 20342 InRadar P2 Normal --- 1 maheshk webkit-unassigned ddkilzer koivisto laszlo.gombos maheshk oldest_to_newest 101005 0 maheshk 2008-12-02 08:30:11 -0800 On empty fragment url's, document::gotoanchor crashes browser. for ex: <A href="#"> link </a> Default behavior of empty fragment is to first check if cssTarget is specified, if not goto first element. In case if this cssTarget node is delete by Javascript, browser crashes clicking on "link" in the example. 101006 1 25670 maheshk 2008-12-02 08:44:37 -0800 Created attachment 25670 fix for empty fragment URL crash assigning m_cssTarget to null if that node is getting deleted. 101064 2 koivisto 2008-12-02 13:38:05 -0800 Could you provide a test case as well? 101100 3 mrowe 2008-12-02 16:02:09 -0800 *** Bug 22591 has been marked as a duplicate of this bug. *** 101213 4 25712 maheshk 2008-12-03 09:29:22 -0800 Created attachment 25712 test case test case. click on first link, then click second and finally on third link! 101337 5 25670 darin 2008-12-04 09:32:12 -0800 Comment on attachment 25670 fix for empty fragment URL crash The fix looks fine. Now we need a regression test for this. 102329 6 maheshk 2008-12-11 23:33:32 -0800 Please let me know what is the next thing I can do ? 102342 7 ddkilzer 2008-12-12 04:47:15 -0800 (In reply to comment #6) > Please let me know what is the next thing I can do ? See the "Regression Tests" section on this page: http://webkit.org/coding/contributing.html You must have a platform where layout tests are currently supported. See this page for a list of ports that currently support the tests: http://build.webkit.org/waterfall 104832 8 ddkilzer 2009-01-07 19:22:55 -0800 (In reply to comment #4) > Created an attachment (id=25712) [review] > test case > > test case. click on first link, then click second and finally on third link! The test case doesn't crash for me on Safari 3.2 or with the most recent WebKit nightly build r39682. Which build of WebKit do you see this crash in? 106590 9 maheshk 2009-01-22 04:15:12 -0800 its a very much platform dependent crash. This case was crashing in nokia mobile browser, because there is a clear corrupt/deleted node* left behind. 112837 10 darin 2009-03-09 09:51:12 -0700 The reason the test case doesn't crash on Mac OS X WebKit is that navigating to a new URL results in a call to gotoAnchor in FrameLoader, and that function calls setCSSTarget(0) when you click on the second link. At that time, the object is still not deleted. I'll figure out why. 112841 11 darin 2009-03-09 09:56:56 -0700 By adding a missing "preventDefault" to the test case I was able to reproduce a crash when MallocScribble is on, on Mac OS X. 112842 12 28415 darin 2009-03-09 09:57:28 -0700 Created attachment 28415 test case with preventDefault added 112843 13 darin 2009-03-09 10:00:35 -0700 Someone needs to turn that test case into a regression test for the layout tests directory, and then make a patch that includes both the bug fix and the test case. To make it so the test will show a crash without setting MallocScribble, at least in Debug builds, maybe we can add some code to the setChanged function in an assert. If that function called a virtual function, then I suspect we'd see a crash every time. 114800 14 25670 adele 2009-03-23 11:15:10 -0700 Comment on attachment 25670 fix for empty fragment URL crash R-'ing the patch until the test case is included as Darin described. 156817 15 ap 2009-10-22 00:11:33 -0700 <rdar://problem/7325983> 157177 16 ap 2009-10-23 10:09:06 -0700 I cannot reproduce the crash with ToT. Actually, the code that sets CSS target to 0 was added in <http://trac.webkit.org/changeset/29311>, which was long before this bug was filed. The code was moved around, and sometimes even removed (but it seems to have been present and functional when this bug was filed). Unfortunately, the original test that came with r29311 is currently disabled, which is tracked as bug 20342. 364077 17 maheshk 2011-03-08 11:57:31 -0800 Marking this as fixed/duplicate of 20342 as it was fixed by Yael for qtWebkit. *** This bug has been marked as a duplicate of bug 20342 *** 25670 2008-12-02 08:44:37 -0800 2010-06-10 19:23:44 -0700 fix for empty fragment URL crash document.patch text/plain 1019 maheshk SW5kZXg6IFdlYkNvcmUvZG9tL0RvY3VtZW50LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2Rv bS9Eb2N1bWVudC5jcHAJKHJldmlzaW9uIDM4NDIwKQorKysgV2ViQ29yZS9kb20vRG9jdW1lbnQu Y3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yNTQ5LDYgKzI1NDksOSBAQAogICAgICAgICBmcmFtZS0+ c2VsZWN0aW9uKCktPm5vZGVXaWxsQmVSZW1vdmVkKG4pOwogICAgICAgICBmcmFtZS0+ZHJhZ0Nh cmV0Q29udHJvbGxlcigpLT5ub2RlV2lsbEJlUmVtb3ZlZChuKTsKICAgICB9CisKKyAgICBpZiAo bV9jc3NUYXJnZXQgPT0gbikKKyAgICAgICAgbV9jc3NUYXJnZXQgPSAwOwogfQogCiB2b2lkIERv Y3VtZW50Ojp0ZXh0SW5zZXJ0ZWQoTm9kZSogdGV4dCwgdW5zaWduZWQgb2Zmc2V0LCB1bnNpZ25l ZCBsZW5ndGgpCkluZGV4OiBXZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3Jl L0NoYW5nZUxvZwkocmV2aXNpb24gMzg0MjApCisrKyBXZWJDb3JlL0NoYW5nZUxvZwkod29ya2lu ZyBjb3B5KQpAQCAtMSwzICsxLDEzIEBACisyMDA4LTEyLTAyICBNYWhlc2ggS3Vsa2FybmkgIDxt YWhlc2gua3Vsa2FybmlAbm9raWEuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IC4KKworICAg ICAgICBJbiBjYXNlIG9mIGVtcHR5IGZyYWdtZW50IGxpbmssIGlmIG1fY3NzVGFyZ2V0IGlzIGRl bGV0ZWQgdGhlbiB3ZSBoYXZlIHRvIHNldCBtX2Nzc1RhcmdldCBub2RlIHRvIE5VTEwuCisKKyAg ICAgICAgKiBkb20vRG9jdW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6RG9jdW1lbnQ6Om5v ZGVXaWxsQmVSZW1vdmVkKToKKworCiAyMDA4LTExLTE0ICBHcmVnIEJvbHNpbmdhICA8Ym9sc2lu Z2FAYXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhcmluIEFkbGVyLgo= 25712 2008-12-03 09:29:22 -0800 2009-03-09 09:57:28 -0700 test case test.html text/html 347 maheshk PGh0bWw+CjxoZWFkPgo8c2NyaXB0PgpmdW5jdGlvbiBkZWxldGVNZSgpCnsKICAgIHZhciBmaXJz dE5vZGUgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiY29udGFpbmVyIik7CiAgICBmaXJzdE5v ZGUuaW5uZXJIVE1MID0gIiI7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHk+CjxkaXYgaWQ9ImNv bnRhaW5lciI+CjxhIGlkPSJtZW1lIiBocmVmPSIjbWVtZSIgPiBjbGljayBtZSBmaXJzdCA8L2E+ CjwvZGl2Pgo8YSBocmVmPSIjIiBvbmNsaWNrPSJkZWxldGVNZSgpIj4gYW5kIHNlY29uZCBjbGlj ayA8L2E+PC9icj4KPGEgaHJlZj0iIyI+IGFuZCB0aGlyZCBjbGljayA8L2E+CjwvYm9keT4KPC9o dG1sPgo= 28415 2009-03-09 09:57:28 -0700 2009-03-09 09:57:28 -0700 test case with preventDefault added test.html text/html 371 darin PGh0bWw+CjxoZWFkPgo8c2NyaXB0PgpmdW5jdGlvbiBkZWxldGVNZSgpCnsKICAgIHZhciBmaXJz dE5vZGUgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiY29udGFpbmVyIik7CiAgICBmaXJzdE5v ZGUuaW5uZXJIVE1MID0gIiI7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHk+CjxkaXYgaWQ9ImNv bnRhaW5lciI+CjxhIGlkPSJtZW1lIiBocmVmPSIjbWVtZSIgPiBjbGljayBtZSBmaXJzdCA8L2E+ CjwvZGl2Pgo8YSBocmVmPSIjIiBvbmNsaWNrPSJkZWxldGVNZSgpOyBldmVudC5wcmV2ZW50RGVm YXVsdCgpIj4gYW5kIHNlY29uZCBjbGljayA8L2E+PC9icj4KPGEgaHJlZj0iIyI+IGFuZCB0aGly ZCBjbGljayA8L2E+CjwvYm9keT4KPC9odG1sPgo=