[Webkit-unassigned] [Bug 13563] REGRESSION: Crash loading message in Yahoo! Mail

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 16 23:31:13 PDT 2007


http://bugs.webkit.org/show_bug.cgi?id=13563





------- Comment #19 from ddkilzer at webkit.org  2007-05-16 23:31 PDT -------
Okay, I've been doing too much guessing.

By adding specific debugging output, I can confirm that:

- the rmvScroll(msg) JavaScript function on the page fires
- which calls ssxyzzy.sheet.deleteRule(0)
- which deletes a CSSStyleRule object
- which deletes a CSSSelector
- which then causes deleted pointers to be accessed through
CSSStyleSelector::matchRulesForList()
- which causes a crash.

The timing of when ssxyzzy.sheet.deleteRule(0) is called is critical.  Most times when
the page loads, it happens too "early".  It's only when the rmvScroll(msg)
JavaScript function fires many times that the crash is likely to occur.

Still investigating.
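
The lifetime problem this comment describes, modeled as an added C++ example that is not part of the original comment and is not WebKit code: a matcher caches references to selectors that a sheet owns, and deleting a rule leaves a stale cache entry unless the matcher rebuilds first. All type and function names are hypothetical, and `weak_ptr` stands in for a raw pointer so the stale entry can be counted rather than dereferenced.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model, not WebKit code: a sheet owns rules; a matcher caches
// references to their selectors, as an index built for fast matching would.
struct Selector { std::string tag; };
struct StyleRule { std::shared_ptr<Selector> selector; };

struct Sheet {
    std::vector<std::unique_ptr<StyleRule>> rules;
    unsigned version = 0;  // bumped on every mutation
    void insertRule(const std::string& tag) {
        auto rule = std::make_unique<StyleRule>();
        rule->selector = std::make_shared<Selector>(Selector{tag});
        rules.push_back(std::move(rule));
        ++version;
    }
    // Deleting the rule destroys its selector too, as in the reported chain.
    void deleteRule(std::size_t i) { rules.erase(rules.begin() + i); ++version; }
};

struct Matcher {
    // weak_ptr stands in for the raw pointer a real cache would hold, so the
    // model can observe a dangling entry instead of dereferencing it.
    std::vector<std::weak_ptr<Selector>> cached;
    unsigned builtFor = 0;
    void rebuild(const Sheet& s) {
        cached.clear();
        for (const auto& r : s.rules) cached.push_back(r->selector);
        builtFor = s.version;
    }
    // Counts cache entries whose selector is already destroyed: each one
    // would be a use-after-free if the cache held raw pointers.
    int staleEntries() const {
        int n = 0;
        for (const auto& w : cached) if (w.expired()) ++n;
        return n;
    }
    // Hardened matching: rebuild when the sheet changed since the last build.
    int matchChecked(const Sheet& s, const std::string& tag) {
        if (builtFor != s.version) rebuild(s);
        int hits = 0;
        for (const auto& w : cached)
            if (auto sel = w.lock()) hits += (sel->tag == tag);
        return hits;
    }
};
```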

