[Webkit-unassigned] [Bug 11010] REGRESSION: Repro crash in <script> onload event dispatch
bugzilla-daemon at opendarwin.org
bugzilla-daemon at opendarwin.org
Sun Sep 24 23:33:50 PDT 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=11010
------- Comment #1 from opendarwin.org at mitzpettel.com 2006-09-24 23:33 PDT -------
The problem appears to be a script that deletes its own <script> element. Looks
like the fix is for
HTMLScriptElement::notifyFinished() to protect itself with a ref()/deref() (it
will also be cleaner to change the cs->deref(this) to
m_cachedScript->deref(this) only if m_cachedScript is still non-0). Other
callers to HTMLScriptElement::evaluateScript() appear to be safe, since it's
the last thing they call.
--
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list