[Webkit-unassigned] [Bug 10785] Safari(417.9.3) crashes on .innerhtml, if the script element, inside a div element, redefines the document body.
bugzilla-daemon at opendarwin.org
Fri Sep 8 07:35:02 PDT 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=10785
------- Comment #4 from zbujtas at gmail.com 2006-09-08 07:35 PDT -------
Unable to reproduce it on TOT. The refcounting of the nodes in the htmlparser
has changed a lot since Tiger and now each and every node in the
htmlstack (HTMLStackElem) is refcounted and not just the current element.
I was going to port the changes back to the Tiger branch but it did not look
feasible (regression risk). In the s60 branch, I proposed a fix where an extra
refcount is added to each node in the HTMLStackElem constructor.
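
class HTMLStackElem
{
public:
    // Each stack entry takes its own reference on the node it points to.
    HTMLStackElem( int _id,
                   int _level,
                   DOM::NodeImpl *_node,
                   HTMLStackElem * _next
                 )
        :
        id(_id),
        level(_level),
        strayTableContent(false),
        node(_node),
        next(_next)
        { if(node) node->ref(); }

    // Release the reference when the entry is popped and destroyed.
    ~HTMLStackElem() { if(node) node->deref(); }

    // Swap the node held by this entry while keeping the refcounts balanced.
    void replaceNode( DOM::NodeImpl *_node ) {
        // Ref the new node before dropping the old one, so that replacing
        // a node with itself cannot release its last reference.
        if(_node) _node->ref();
        if(node) node->deref();
        node=_node;
    }

    int id;
    int level;
    bool strayTableContent;
    NodeImpl *node;
    HTMLStackElem *next;
};
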
My understanding is that each node that is pushed to the stack needs
refcounting, so it looked easier to me to do it in the HTMLStackElem class (and
not in the parsing code). Still, I had to make some changes in the parser code,
where nodes were replaced directly (prevElem->node = currElem->node;). For
that, replaceNode() is introduced.
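
Added example (not part of the original comment and not WebKit code): a self-contained C++ model of the approach the comment describes, where each parser stack entry holds its own reference. Node and StackElem are hypothetical stand-ins for DOM::NodeImpl and HTMLStackElem; the scenario is constructed to show a node outliving its removal from the tree while it is still on the stack.

```cpp
#include <cstdio>

static int g_live = 0;              // Node objects currently allocated

struct Node {                       // toy intrusive refcount (assumption)
    int refs = 0;
    Node() { ++g_live; }
    ~Node() { --g_live; }
    void ref() { ++refs; }
    void deref() { if (--refs == 0) delete this; }
};

struct StackElem {                  // owns one reference while on the stack
    Node* node;
    StackElem* next;
    StackElem(Node* n, StackElem* nx) : node(n), next(nx) { if (node) node->ref(); }
    ~StackElem() { if (node) node->deref(); }
    StackElem(const StackElem&) = delete;            // a copy would unbalance refs
    StackElem& operator=(const StackElem&) = delete;
    void replaceNode(Node* n) {
        if (n) n->ref();            // take the new reference first: safe if n == node
        if (node) node->deref();
        node = n;
    }
};

// The tree drops its reference while the parser stack still points at the node.
// Returns the live-node count observed before the stack entry is destroyed.
int liveWhileOnStack() {
    Node* div = new Node;
    div->ref();                     // reference held by the document tree
    StackElem elem(div, nullptr);   // parser pushes the div
    div->deref();                   // script replaces the body: tree lets go
    return g_live;                  // node is still alive, kept by elem
}

// Replacing an entry's node with itself must not free it.
int refsAfterSelfReplace() {
    StackElem elem(new Node, nullptr);
    elem.replaceNode(elem.node);
    return elem.node->refs;
}

int main() {
    std::printf("live while on stack: %d\n", liveWhileOnStack());
    std::printf("live after pop: %d\n", g_live);
    std::printf("refs after self-replace: %d\n", refsAfterSelfReplace());
    return 0;
}
```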