[Webkit-unassigned] [Bug 17164] REGRESSION: JavaScript pop-up menu appears at wrong location when hovering image at http://news.chinatimes.com/

bugzilla-daemon at webkit.org
Sun Feb 3 21:34:51 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=17164





------- Comment #11 from cwzwarich at uwaterloo.ca  2008-02-03 21:34 PDT -------
I found the likely cause of the bug. In the body of
ReadModifyLocalVarNode::evaluate(), the slot is retrieved from the localStorage
before calling valueForReadModifyAssignment(), which then would cause a
tear-off by evaluating the call to eval. Similar problems (albeit more obscure
ones) probably exist in the other callers of valueForReadModifyAssignment().

The most straightforward fix is to modify all of the callers of
valueForReadModifyAssignment() to simply get the slot in which they will be
storing the value one more time. A similar issue came up in the development of
the tear-off patch, where using f.arguments could cause a tear-off that would
require a slot to be retrieved again, and that's how I fixed it.


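The stale-slot pattern described in comment #11, as an added C++ example that is not part of the original comment and is not JavaScriptCore code. `Activation`, `addAssignStale`, `addAssignRefetch` and `evalLikeRhs` are hypothetical names, and the model assumes the old storage stays allocated after a tear-off, so the stale write is lost rather than invalid.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical model (not JavaScriptCore code): locals live in a register
// array until a tear-off copies them to heap storage, which then becomes
// the authoritative copy. Assumption: the old array stays allocated.
struct Activation {
    std::vector<double> registers;
    std::unique_ptr<std::vector<double>> tornOff;

    explicit Activation(std::size_t n) : registers(n, 0.0) {}
    double& slot(std::size_t i) { return tornOff ? (*tornOff)[i] : registers[i]; }
    // Models the relocation that eval or f.arguments can trigger.
    void tearOff() { if (!tornOff) tornOff.reset(new std::vector<double>(registers)); }
};

using Rhs = std::function<double(Activation&)>;

// Before: the slot is fetched, then the right-hand side runs and may tear off.
double addAssignStale(Activation& a, std::size_t i, const Rhs& rhs) {
    double* slot = &a.slot(i);
    double v = *slot + rhs(a);
    *slot = v;            // lands in the old storage if rhs tore off
    return a.slot(i);     // what a later read of the variable sees
}

// After: get the slot one more time once the right-hand side has run.
double addAssignRefetch(Activation& a, std::size_t i, const Rhs& rhs) {
    double old = a.slot(i);
    double v = old + rhs(a);
    a.slot(i) = v;        // looked up again in the current storage
    return a.slot(i);
}

// Constructed right-hand side that forces a tear-off, like a call to eval.
double evalLikeRhs(Activation& a) { a.tearOff(); return 5.0; }

int main() {
    Activation a(1), b(1);
    a.slot(0) = 1.0;
    b.slot(0) = 1.0;
    std::printf("stale: %g, refetch: %g\n",
                addAssignStale(a, 0, evalLikeRhs), addAssignRefetch(b, 0, evalLikeRhs));
    return 0;
}
```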