[webkit-dev] Possible crash in FrameView::endDeferredRepaints()
Kenneth Christiansen
kenneth.christiansen at openbossa.org
Wed Dec 17 13:35:45 PST 2008
Hi there,
I had a crash the other day and found some code that looks wrong to me.
The affected method is FrameView::endDeferredRepaints() found in
WebCore/page/FrameView.cpp
unsigned size = d->m_repaintRects.size();
for (unsigned i = 0; i < size; i++)
    repaintContentRectangle(d->m_repaintRects[i], false);
The problem here is that repaintContentRectangle augments
(d->m_repaintRects.append(r)) the items in m_repaintRects or clears it
(d->m_repaintRects.clear()), thus the size of m_repaintRects[] changes while
iterating it, which can result in a crash.
Cheers,
Kenneth
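A self-contained illustration of the hazard the post describes, added here as an example; it is not code from WebKit or from the poster. std::vector stands in for WTF::Vector, and the two side effects it gives repaintContentRectangle (a full-view paint that clears the queue, and an odd-width paint that queues a follow-up rect) are assumptions chosen to exercise the loop, not WebKit's actual behaviour. The "swap the queue out before walking it" fix is one standard remedy for iterating a container that the callee may mutate, not a claim about what WebKit changed.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Stand-in for WebCore::IntRect with only the fields the example needs.
struct IntRect { int x, y, width, height; };

// Models the FrameView state from the post. std::vector stands in for
// WTF::Vector; the side effects of a non-deferred repaint below are
// assumptions chosen to exercise the hazard, not WebKit's real behaviour.
class DeferredRepaints {
public:
    DeferredRepaints(int w, int h) : m_viewWidth(w), m_viewHeight(h) {}

    void beginDeferredRepaints() { ++m_deferringRepaints; }

    // While deferring, queue the rect; otherwise "paint" it now. Painting may
    // touch the queue: a full-view repaint discards queued rects (the clear()
    // in the post) and an odd-width rect queues a follow-up (the append()).
    void repaintContentRectangle(const IntRect& r, bool immediate) {
        if (m_deferringRepaints && !immediate) {
            m_repaintRects.push_back(r);
            return;
        }
        m_painted.push_back(r);
        if (coversView(r))
            m_repaintRects.clear();
        else if (r.width % 2 == 1)
            m_repaintRects.push_back({r.x, r.y, 2, 2});
    }

    // The pattern quoted in the post: size cached once, member vector read by
    // index while the callee may append to it or clear it. at() stands in for
    // operator[] so a stale index throws instead of being undefined behaviour.
    std::size_t endDeferredRepaintsUnsafe() {
        if (--m_deferringRepaints != 0)
            return 0;
        std::size_t size = m_repaintRects.size();
        for (std::size_t i = 0; i < size; i++) {
            IntRect r = m_repaintRects.at(i); // copied; a reference could dangle
            repaintContentRectangle(r, false);
        }
        m_repaintRects.clear(); // also drops anything queued during the walk
        return size;
    }

    // One standard fix: move the queue out of the member before walking it.
    // The callee's appends land in the fresh member vector and are drained on
    // the next pass; its clear() empties that member, not the list being walked.
    std::size_t endDeferredRepaintsSafe() {
        if (--m_deferringRepaints != 0)
            return 0;
        std::size_t processed = 0;
        while (!m_repaintRects.empty()) {
            std::vector<IntRect> rects;
            rects.swap(m_repaintRects);
            for (const IntRect& r : rects) {
                repaintContentRectangle(r, false);
                ++processed;
            }
        }
        return processed;
    }

    std::size_t paintedCount() const { return m_painted.size(); }
private:
    bool coversView(const IntRect& r) const {
        return r.x <= 0 && r.y <= 0 && r.x + r.width >= m_viewWidth && r.y + r.height >= m_viewHeight;
    }
    int m_viewWidth, m_viewHeight;
    int m_deferringRepaints = 0;
    std::vector<IntRect> m_repaintRects;
    std::vector<IntRect> m_painted;
};

// Constructed input: a small rect, a full-view rect, then one more behind it.
static const std::vector<IntRect> kClearingSample = {
    {0, 0, 10, 10}, {0, 0, 100, 100}, {5, 5, 4, 4}};

// Queue the rects under one deferral and end it with the chosen walker.
// Returns the number of rects painted; the unsafe walker may throw.
static std::size_t run(const std::vector<IntRect>& rects, bool safe) {
    DeferredRepaints view(100, 100);
    view.beginDeferredRepaints();
    for (const IntRect& r : rects)
        view.repaintContentRectangle(r, false);
    safe ? view.endDeferredRepaintsSafe() : view.endDeferredRepaintsUnsafe();
    return view.paintedCount();
}

bool unsafeWalkThrows() {
    try { run(kClearingSample, false); }
    catch (const std::out_of_range&) { return true; } // index 2 is past the end after clear()
    return false;
}
std::size_t safeWalkPainted() { return run(kClearingSample, true); }        // 3
std::size_t unsafeReentrantPainted() { return run({{0, 0, 3, 3}}, false); } // 1: follow-up lost
std::size_t safeReentrantPainted() { return run({{0, 0, 3, 3}}, true); }    // 2
```

The unsafe walk shows both failure modes in one place: a clear() during the walk leaves the cached index past the end (a read past the buffer with operator[], a thrown exception here because at() is used), and an append() during the walk is silently discarded by the trailing clear(). Swapping the queue into a local before iterating removes both, at the cost of one extra pass whenever the callee queues more work.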