[Webkit-unassigned] [Bug 12310] Crash on refresh when using SVG as background image

bugzilla-daemon at webkit.org
Tue Feb 6 03:01:32 PST 2007


macdome at opendarwin.org changed:

           What    |Removed                     |Added
                 CC|                            |ggaren at apple.com

------- Comment #9 from macdome at opendarwin.org  2007-02-06 03:01 PDT -------
gmalloc is not needed.  The crash is the same without it.

Finally found the damn bug.  removeAllChildren uses static variables (node
lists and a bool) which are not safe across documents.  The "isTopLevel" bool
won't get set right for the second-level document, thus its nodes will get
destroyed at the wrong time.

That has an assert which demonstrates the problem.

The fix is unclear.

The bug comes because the RenderStyle in the HTMLDocument references the
CachedObject (CachedImage) which holds the SVGImage. When the RenderStyle goes
away, the CachedObject is released, and the SVGDocument is destroyed while the
HTMLDocument is also in the middle of destruction, and the above-mentioned bug
is hit.

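The re-entrancy hazard described in the comment above, as an added C++ model that is not WebKit's code and not part of the original message. `Node`, `embedded`, `teardownOrder` and the node names are hypothetical; the function-static flag and pending list stand in for the static variables the comment mentions.

```cpp
// Simplified model (an assumption, not WebKit source): teardown with static state.
#include <string>
#include <vector>

static std::vector<std::string> events;  // order in which nodes are destroyed

struct Node {
    std::string name;
    std::vector<Node*> children;
    Node* embedded = nullptr;  // stands in for style -> cached image -> SVG document
    explicit Node(const std::string& n) : name(n) {}
    ~Node();
    void removeAllChildren();
};

void Node::removeAllChildren() {
    static bool insideTeardown = false;  // shared by every document in the process
    static std::vector<Node*> pending;   // likewise shared
    const bool isTopLevel = !insideTeardown;
    if (isTopLevel) insideTeardown = true;
    pending.insert(pending.end(), children.begin(), children.end());
    children.clear();
    if (!isTopLevel) return;  // nested call: deletion is left to the outer call
    while (!pending.empty()) {
        Node* n = pending.front();
        pending.erase(pending.begin());
        delete n;  // may re-enter removeAllChildren() and grow `pending`
    }
    insideTeardown = false;
}

Node::~Node() {
    removeAllChildren();
    delete embedded;  // last reference to the embedded document dropped mid-teardown
    events.push_back(name);
}

// html -> div, with div holding svg -> rect; nested=false destroys svg on its own.
std::vector<std::string> teardownOrder(bool nested) {
    events.clear();
    Node* svg = new Node("svg");
    svg->children.push_back(new Node("rect"));
    if (!nested) { delete svg; return events; }
    Node* html = new Node("html");
    Node* div = new Node("div");
    div->embedded = svg;
    html->children.push_back(div);
    delete html;
    return events;
}
```

Destroyed on its own, the svg document tears down as rect, svg. Destroyed from inside html's teardown, the order becomes svg, div, rect, html, so rect outlives the document that owned it.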