[Webkit-unassigned] [Bug 13792] REGRESSION: WebKit doesn't show this javascript screenshot page (And crash after click on its "hidden link")

bugzilla-daemon at webkit.org
Thu May 24 01:33:04 PDT 2007


------- Comment #2 from mitz at webkit.org  2007-05-24 01:33 PDT -------
Created an attachment (id=14697)
 --> (http://bugs.webkit.org/attachment.cgi?id=14697&action=view)
Reduction for the crash. Will crash the next time you open a document

The reduction queues up a post-attach callback which is not dispatched. When you
open another document and it attaches, the callback is dispatched, but its
target has already been deleted, and you crash.

The way the reduction manages to queue the callback but avoid dispatch is that
the body element changes from being in the document to not being in the
document during dispatchChildInsertionEvents() in appendChild(). This means
that the appended children get insertedIntoDocument() (so the iframe element
queues up the callback), but never attached.

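The sequence described in the comment above, as an added C++ model that is not WebKit's code and not part of the original message. All names (`Frame`, `g_queue`, `dispatchPostAttachCallbacks`, `replay`) are hypothetical, and a liveness set stands in for the crash so the stale queue entry is counted instead of dereferenced; the hardened variant cancels queued callbacks in the target's destructor.

```cpp
// Simplified model of a post-attach callback queue. Hypothetical names, not WebKit code.
#include <algorithm>
#include <set>
#include <utility>
#include <vector>

struct Frame;
using Callback = void (*)(Frame*);
static std::vector<std::pair<Callback, Frame*>> g_queue;  // pending post-attach callbacks
static std::set<Frame*> g_live;                           // liveness oracle for the model
static int g_dispatched = 0;
static void loadFrame(Frame*) { ++g_dispatched; }

struct Frame {
    bool cancelOnDestroy;
    explicit Frame(bool cancel) : cancelOnDestroy(cancel) { g_live.insert(this); }
    ~Frame() {
        g_live.erase(this);
        if (cancelOnDestroy)  // hardened: drop every queued entry that targets this node
            g_queue.erase(std::remove_if(g_queue.begin(), g_queue.end(),
                              [this](const std::pair<Callback, Frame*>& e) { return e.second == this; }),
                          g_queue.end());
    }
    // Runs when the node enters the document; dispatch is expected at attach time.
    void insertedIntoDocument() { g_queue.push_back({loadFrame, this}); }
};

// Called when any document attaches. Returns how many queued targets were already
// deleted; the unhardened design would call through each of those dangling pointers.
int dispatchPostAttachCallbacks() {
    int stale = 0;
    for (auto& e : g_queue) {
        if (g_live.count(e.second)) e.first(e.second);
        else ++stale;  // this is the use-after-free in the unhardened design
    }
    g_queue.clear();
    return stale;
}

// Replays the comment's sequence: inserted, never attached, deleted, later attach.
int replay(bool cancelOnDestroy) {
    g_queue.clear();
    Frame* f = new Frame(cancelOnDestroy);
    f->insertedIntoDocument();             // callback queued
    delete f;                              // node destroyed without ever being attached
    return dispatchPostAttachCallbacks();  // the next document attaches and drains the queue
}

int main() { return (replay(false) == 1 && replay(true) == 0) ? 0 : 1; }
```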