[Webkit-unassigned] [Bug 11557] REGRESSION: Crash in WebCore::RenderObject::recalcMinMaxWidths()

bugzilla-daemon at webkit.org
Sun Nov 12 02:50:09 PST 2006


http://bugs.webkit.org/show_bug.cgi?id=11557





------- Comment #4 from mitz at webkit.org  2006-11-12 02:50 PDT -------
Created an attachment (id=11493)
 --> (http://bugs.webkit.org/attachment.cgi?id=11493&action=view)
Reduction

Here's what I think the problem is: RenderCounter's m_counter is initialized
with a pointer to CounterData that comes from the parent's 'before' pseudo
RenderStyle. When the parent's style changes, that RenderStyle and the
CounterData are deleted, and new ones are created (if there's still 'before'
content with a counter), but updatePseudoChildForObject() doesn't update the
RenderCounter's m_counter pointer. Eventually RenderCounter::calcMinMaxWidth()
is called and tries to use the deleted CounterData.

On a release build, this doesn't crash right away, but if you play with the
text size in Safari (Command + and Command -) you might see the counter change
randomly from a number to a bullet.


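The lifetime problem described in Comment #4, as an added example that is not part of the original comment and is not WebKit source. `PseudoStyle`, `CounterRenderer`, `Parent`, `setStyle` and `rebindChild` are hypothetical stand-ins, and a `std::weak_ptr` is swapped in for the raw `m_counter` pointer so the stale reference can be observed safely instead of reading freed memory.

```cpp
#include <iostream>
#include <memory>
#include <string>

struct CounterData { int value; };

// Hypothetical stand-in for the parent's 'before' pseudo style, which owns the CounterData.
struct PseudoStyle {
    std::shared_ptr<CounterData> counter;
    explicit PseudoStyle(int v) : counter(std::make_shared<CounterData>(CounterData{v})) {}
};

// Hypothetical stand-in for RenderCounter. The real member is a raw pointer;
// a weak_ptr is used here so expiry is detectable without undefined behaviour.
struct CounterRenderer {
    std::weak_ptr<CounterData> m_counter;
    bool isStale() const { return m_counter.expired(); }
    std::string text() const {
        auto data = m_counter.lock();
        return data ? std::to_string(data->value) : "<stale>";
    }
};

// Hypothetical parent that owns the pseudo style and the generated child.
struct Parent {
    std::unique_ptr<PseudoStyle> beforeStyle;
    CounterRenderer child;
    explicit Parent(int v) : beforeStyle(new PseudoStyle(v)) {
        child.m_counter = beforeStyle->counter;
    }
    // Style change: the old style and its CounterData are destroyed and new
    // ones are created. rebindChild == false models the missing pointer update.
    void setStyle(int v, bool rebindChild) {
        beforeStyle.reset(new PseudoStyle(v));
        if (rebindChild)
            child.m_counter = beforeStyle->counter;
    }
};

// Runs one style change and reports what the child would lay out afterwards.
std::string afterStyleChange(bool rebindChild) {
    Parent p(1);
    p.setStyle(2, rebindChild);
    return p.child.text();
}

int main() {
    std::cout << "without rebind: " << afterStyleChange(false) << "\n";
    std::cout << "with rebind:    " << afterStyleChange(true) << "\n";
}
```

With a raw pointer in place of the `weak_ptr`, the first case would read freed memory, which matches the comment's observation that a release build may not crash immediately but can show a changed counter.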