[Webkit-unassigned] [Bug 14895] New: [Crash] FrameTree::uniqueChildName generates non-unique names

bugzilla-daemon at webkit.org
Tue Aug 7 10:56:24 PDT 2007


http://bugs.webkit.org/show_bug.cgi?id=14895

           Summary: [Crash] FrameTree::uniqueChildName generates non-unique
                    names
           Product: WebKit
           Version: 522+ (nightly)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: marv.decker at gmail.com


I am seeing a hard-to-reproduce crash on a number of sites including
  http://www.jrj.com.cn/
The crash is in EventHandler::passWheelEventToWidget (and presumably other
input events) when you use the scroll wheel over certain iframes (seems to
depend on timing) because the widget for the RenderWidget is NULL.

The widget is NULL because the iframe is never initialized properly. The iframe
is never initialized properly because the redirect timer was canceled by
another iframe that got the same "unique" internal frame name.

FrameTree::uniqueChildName uses childCount() to generate a "unique" name for a
child frame. However, this value can repeat if frames are removed from the
parent.


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
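
The name reuse described in the report, as an added example that is not WebKit code or part of the original message: a simplified model of a parent's child list in which a name derived from the current child count collides after a removal, beside a monotonic counter as one possible alternative. The `ToyFrameTree` type, the `frame<N>` name format and the counter-based variant are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Simplified stand-in for a parent frame's child list; hypothetical, not WebKit code.
struct ToyFrameTree {
    std::vector<std::string> children;  // names of child frames still attached
    std::size_t nextId = 0;             // monotonic counter, used by the alternative only

    std::size_t childCount() const { return children.size(); }

    // Pattern from the report: derive the "unique" name from the current child count.
    std::string nameFromChildCount() const {
        return "frame" + std::to_string(childCount());
    }

    // Assumed alternative: a counter that never decreases, so removals cannot recycle a value.
    std::string nameFromCounter() {
        return "frame" + std::to_string(nextId++);
    }

    bool hasChild(const std::string& name) const {
        return std::find(children.begin(), children.end(), name) != children.end();
    }
    void append(const std::string& name) { children.push_back(name); }
    void remove(const std::string& name) {
        children.erase(std::remove(children.begin(), children.end(), name), children.end());
    }
};

// Runs add, add, remove-first, add and reports whether the last generated
// name is already held by a frame that is still attached.
bool collidesAfterRemoval(bool useCounter) {
    ToyFrameTree tree;
    auto next = [&] { return useCounter ? tree.nameFromCounter() : tree.nameFromChildCount(); };
    std::string a = next(); tree.append(a);   // frame0
    std::string b = next(); tree.append(b);   // frame1
    tree.remove(a);                           // child count drops back to 1
    std::string c = next();                   // child-count variant produces frame1 again
    return tree.hasChild(c);
}

int main() {
    // Exit status 0 when the child-count variant collides and the counter variant does not.
    return (collidesAfterRemoval(false) && !collidesAfterRemoval(true)) ? 0 : 1;
}
```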