[webkit-reviews] review granted: [Bug 40742] WebCore crashes when removing a link element in a beforeload handler : [Attachment 59074] Patch
bugzilla-daemon at webkit.org
Fri Jun 18 00:45:57 PDT 2010
mitz at webkit.org has granted Andy Estes <aestes at apple.com>'s request for review:
Bug 40742: WebCore crashes when removing a link element in a beforeload handler
https://bugs.webkit.org/show_bug.cgi?id=40742
Attachment 59074: Patch
https://bugs.webkit.org/attachment.cgi?id=59074&action=review
------- Additional Comments from mitz at webkit.org
> + Postpone loading of link elements until after they have been
inserted into the DOM and
> + attached. This prevents mutation events triggered by beforeload
handlers from firing in the
> + midst of DOM insertion, which can lead to assertion failures and
crashes.
Is the problem here really the mutation events, or merely the fact that the
beforeload handler mutates the DOM during insertion of the link element?
> +void HTMLLinkElement::processCallback(Node* n)
> +{
> + static_cast<HTMLLinkElement*>(n)->process();
> +}
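Review bot: processCallback dereferences n through a raw Node* with no null check, and nothing in these lines shows what keeps the node alive until the call. The ChangeLog says this callback runs after insertion and attach, and the bug is about a beforeload handler removing the link element, so the lifetime matters here. Please confirm that whatever queues the callback holds a reference to the node until process() returns, and say so in a short comment above the function.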
I would assert (or ASSERT_ARG) that n is a link element before casting it.
> + <link rel="stylesheet" href="">
href="" means that the base URL (the .html file in this case) will be loaded as
the stylesheet in this case. Not a big deal, but perhaps href="data:text/css,"
is cleaner (if it doesn’t invalidate the test).