[Webkit-unassigned] [Bug 13563] REGRESSION: Crash loading message in Yahoo! Mail

Thu May 3 09:45:17 PDT 2007

http://bugs.webkit.org/show_bug.cgi?id=13563

ddkilzer at webkit.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hyatt at apple.com

------- Comment #8 from ddkilzer at webkit.org  2007-05-03 09:45 PDT -------
Using this interesting hack:

 StringImpl::~StringImpl()
 {
+fprintf(stderr, ">>> StringImpl::~StringImpl() %p '%s'\n", this,
ascii().data());
     if (m_inTable)
         AtomicString::remove(this);
     deleteUCharVector(m_data);
 }

I discovered that this interesting bit of JavaScript from function
rmvScroll(msg) in the body of the main page was being run during page layout:

if ( newWidth > 0 || newHeight > 0 ) {
    var ssxyzzy = document.getElementById( "ssxyzzy" );
    var cssAttribs = ['#message {'];
    if ( newWidth > 0 ) cssAttribs.push( 'width:' + newWidth + 'px;' );
    if ( newHeight > 0 ) cssAttribs.push( ' height:' + newHeight + 'px;' );
    cssAttribs.push( '}' );
    try {
        ssxyzzy.sheet.deleteRule( 0 );  // DURING LAYOUT!
        ssxyzzy.sheet.insertRule( cssAttribs.join(""), 0 );
    } catch( e ){}
}

It would appear that the CSS rules are being deleted by JavaScript during
layout!  It's not good to be deleting rules from stylesheets when you're
running CSSStyleSelector::matchRulesForList() in cssstyleselector.cpp.

Haven't had time to figure out how to create a reproducible test case (or a
fix), but the problem is quite obvious now.

-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.