[Webkit-unassigned] [Bug 18585] Frame::ownerRenderer() is likely causing strange crashes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 18 10:44:38 PDT 2008

http://bugs.webkit.org/show_bug.cgi?id=18585

------- Comment #4 from eric at webkit.org  2008-04-18 10:44 PDT -------
I think this is caused by <object> elements not disassociating themselves with
the frames that they created when they decide to render fallback content (or
any other content).  I imagine if you were to change an <object> from pointing
at an .html file to pointing at a .png, it might crash in a similar manner.

It looks like there are only a few clients of ownerRenderer():

WebCore/page/FrameView.cpp:        RenderPart* renderer = m_frame->ownerRenderer();
WebCore/page/FrameView.cpp:        if (RenderPart* renderer = m_frame->ownerRenderer())
WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:    if (frame->ownerRenderer())
WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:        frame->ownerRenderer()->setWidget(frameView);
WebKit/mac/WebView/WebFrameView.mm:    if (RenderPart* owner = frame->ownerRenderer()) {
WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:    if (m_frame->ownerRenderer())
WebKit/qt/WebCoreSupport/FrameLoaderClientQt.cpp:        m_frame->ownerRenderer()->setWidget(frameView);
WebKit/win/WebCoreSupport/WebFrameLoaderClient.cpp:    if (frame->ownerRenderer())
WebKit/win/WebCoreSupport/WebFrameLoaderClient.cpp:        frame->ownerRenderer()->setWidget(frameView);

It looks safe to return 0 from ownerRenderer() so I'm going to fix this
potential crash by doing so.  I'm not sure it's right for HTMLObjectElements to
remain the ownerElement for these canceled/errored frames so long... but I
guess we can deal with that later.
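As an added illustration of the fix proposed in the comment above (a simplified C++ model written for this page, not WebKit's code; the class shapes and the RenderPart type check are assumptions), ownerRenderer() returns 0 once the <object>'s current renderer is no longer a RenderPart, and the client sites null-check before calling setWidget():

```cpp
#include <memory>

// Simplified stand-in types, not WebKit's classes: only a RenderPart can
// host a child frame's widget; other render objects cannot.
struct Widget {};
struct RenderObject {
    virtual ~RenderObject() = default;
    virtual bool isRenderPart() const { return false; }
};
struct RenderPart : RenderObject {
    Widget* widget = nullptr;
    bool isRenderPart() const override { return true; }
    void setWidget(Widget* w) { widget = w; }
};
// Models the owner element (an <object>): it owns its current renderer.
// Rendering fallback content replaces the RenderPart with a plain
// RenderObject, so any RenderPart* handed out earlier is now stale.
struct OwnerElement {
    std::unique_ptr<RenderObject> renderer = std::make_unique<RenderPart>();
    void renderFallbackContent() { renderer = std::make_unique<RenderObject>(); }
};
struct Frame {
    OwnerElement* ownerElement = nullptr;
    // Assumed fix: return 0 unless the owner's current renderer really is
    // a RenderPart, instead of casting whatever happens to be there.
    RenderPart* ownerRenderer() const {
        if (!ownerElement || !ownerElement->renderer) return nullptr;
        RenderObject* r = ownerElement->renderer.get();
        return r->isRenderPart() ? static_cast<RenderPart*>(r) : nullptr;
    }
};
// Client pattern from the ports listed above: attach the view only when
// there is a RenderPart to attach it to. Returns whether it attached.
bool attachFrameView(Frame& frame, Widget* view) {
    if (RenderPart* owner = frame.ownerRenderer()) {
        owner->setWidget(view);
        return true;
    }
    return false;
}

// Scenario: attaching works while the <object> hosts a frame and fails
// cleanly once it switches to fallback content. True if both hold.
bool fallbackSwitchIsHandled() {
    OwnerElement owner; Frame frame; Widget view;
    frame.ownerElement = &owner;
    bool before = attachFrameView(frame, &view);
    owner.renderFallbackContent();
    bool after = attachFrameView(frame, &view);
    return before && !after && frame.ownerRenderer() == nullptr;
}
```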

