[webkit-dev] Possible crash in FrameView::endDeferredRepaints()

Darin Adler darin at apple.com
Wed Dec 17 15:06:45 PST 2008


On Dec 17, 2008, at 1:35 PM, Kenneth Christiansen wrote:

> I had a crash the other day and found some code that looks wrong to  
> me.
>
> The affected method is FrameView::endDeferredRepaints() found in  
> WebCore/page/FrameView.cpp
>
> unsigned size = d->m_repaintRects.size();
> for (unsigned i = 0; i < size; i++)
>       repaintContentRectangle(d->m_repaintRects[i], false);
>
> The problem here is that repaintContentRectangle augments
> (d->m_repaintRects.append(r)) the items in m_repaintRects or clears it
> (d->m_repaintRects.clear()), thus the size of m_repaintRects[]
> changes while iterating it, which can result in a crash.

That sure does look wrong! Would you be willing to write a bug report  
about this?

     -- Darin
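As an added illustration of the hazard Kenneth describes (this is example code written for this page, not WebKit's source or its eventual fix), the model below keeps the quoted names but uses constructed rules: while repaints are deferred, repaintContentRectangle() appends to m_repaintRects; a repaint covering the whole view clears the pending list. The cached-size loop from the thread is reproduced with a debug check that stops when size() changes under it, and a swap-based flush shows a variant that the callee cannot disturb. The view size, the rectangles and the helper functions are all constructed for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <utility>
#include <vector>

// Stand-in for WebCore::IntRect (constructed for this example).
struct Rect { int x, y, w, h; };

// Toy model of the deferred-repaint bookkeeping discussed in the thread.
// Names follow the quoted WebCore code; the rules are a constructed model,
// not FrameView's real logic.
struct RepaintModel {
    static const int viewW = 800;       // constructed view size
    static const int viewH = 600;

    std::vector<Rect> m_repaintRects;   // pending rects collected while deferring
    bool m_deferringRepaints = false;
    std::vector<Rect> painted;          // rects that reached the "screen"

    // Model rules: while deferring, queue the rect (append). A repaint that
    // covers the whole view makes the queued rects redundant, so drop them
    // (clear). Both paths mutate a container the caller may be iterating.
    void repaintContentRectangle(const Rect& r, bool immediate) {
        if (m_deferringRepaints && !immediate) {
            m_repaintRects.push_back(r);   // may reallocate, which invalidates any
            return;                        // reference into m_repaintRects (such as r)
        }
        painted.push_back(r);              // use r before anything can clear it
        if (r.w >= viewW && r.h >= viewH)
            m_repaintRects.clear();
    }

    // The loop from the thread, plus the debug check a reviewer would ask for:
    // if size() moved under us, stop rather than index past the end.
    // Returns true when a mutation was observed during the walk.
    bool endDeferredRepaintsCachedSize() {
        m_deferringRepaints = false;
        unsigned size = m_repaintRects.size();
        for (unsigned i = 0; i < size; i++) {
            repaintContentRectangle(m_repaintRects[i], false);
            if (m_repaintRects.size() != size)
                return true;   // the original loop would read m_repaintRects[i+1] of a cleared vector
        }
        m_repaintRects.clear();
        return false;
    }

    // Variant immune to the problem: detach the pending list before walking it,
    // so nothing the callee does to m_repaintRects can affect the iteration.
    void endDeferredRepaintsSwap() {
        m_deferringRepaints = false;
        std::vector<Rect> pending;
        pending.swap(m_repaintRects);
        for (const Rect& r : pending)
            repaintContentRectangle(r, false);
    }
};

// Constructed scenario: three deferred rects, the middle one covering the view.
static RepaintModel makeScenario() {
    RepaintModel m;
    m.m_deferringRepaints = true;
    m.repaintContentRectangle(Rect{0, 0, 10, 10}, false);
    m.repaintContentRectangle(Rect{0, 0, 800, 600}, false);
    m.repaintContentRectangle(Rect{20, 20, 5, 5}, false);
    return m;
}

bool cachedSizeLoopSeesMutation() {
    RepaintModel m = makeScenario();
    return m.endDeferredRepaintsCachedSize();   // true: clear() ran mid-loop
}

std::size_t paintedByCachedSizeLoop() {
    RepaintModel m = makeScenario();
    m.endDeferredRepaintsCachedSize();
    return m.painted.size();                    // 2: the third rect was lost
}

std::size_t paintedBySwapFlush() {
    RepaintModel m = makeScenario();
    m.endDeferredRepaintsSwap();
    return m.painted.size();                    // 3: every pending rect painted
}

int main() {
    std::cout << "cached-size loop saw mutation: " << cachedSizeLoopSeesMutation() << "\n"
              << "painted by cached-size loop:   " << paintedByCachedSizeLoop() << "\n"
              << "painted by swap flush:         " << paintedBySwapFlush() << "\n";
    return 0;
}
```

The size check in endDeferredRepaintsCachedSize() only detects the clear() path; the append path is worse in practice, because push_back() can reallocate and leave the reference passed as r dangling even though the cached size still looks valid. Detaching the pending list with swap() before iterating removes both problems at once.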


