[Webkit-unassigned] [Bug 16782] REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jan 8 14:30:05 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=16782

------- Comment #5 from hk9565 at gmail.com  2008-01-08 14:30 PDT -------
Haven't been able to reproduce the crash on Linux.  I'll try on Mac shortly.

The test has a bug:
... href="javascript:document.getElementById('result').innerHTML='area clicked'"

This javascript: URI evaluates to a non-undefined value and so replaces the
current document after it sets the innerHTML property as of r29051 (matching
Firefox and others).

It looks like someone is pointing to the old Document after it gets
deallocated.
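
Added example, not part of the original comment or of WebKit's code: a small model of the behaviour described in Comment #5, where following a javascript: URI whose script yields a non-undefined value replaces the current document. The function and object names are hypothetical, the document object is a constructed stand-in for the DOM, and wrapping the script in void(...) is shown as one common way to keep such a link from navigating.

```javascript
// Constructed stand-in for the part of the DOM the test page touches.
function makeDocument() {
  const result = { innerHTML: "" };
  return {
    body: "original page",
    getElementById: (id) => (id === "result" ? result : null),
    result,
  };
}

// Hypothetical model of following a javascript: link: run the script, then,
// if its completion value is not undefined, replace the current document.
function navigateJavascriptUri(href, document) {
  const prefix = "javascript:";
  if (!href.toLowerCase().startsWith(prefix)) {
    throw new Error("not a javascript: URI");
  }
  const source = decodeURIComponent(href.slice(prefix.length));
  // Direct eval inside the generated function sees its `document` parameter
  // and returns the completion value of the last statement.
  const run = new Function("document", "return eval(" + JSON.stringify(source) + ");");
  const value = run(document);
  if (value === undefined) {
    return { replaced: false, document };
  }
  // The old document is discarded at this point; any code still holding a
  // pointer to it is now referring to a dead object.
  return { replaced: true, document: { body: String(value) } };
}

// The href from the test, and the same script wrapped in void(...).
const TEST_HREF = "javascript:document.getElementById('result').innerHTML='area clicked'";
const VOID_HREF = "javascript:void(document.getElementById('result').innerHTML='area clicked')";

function demo() {
  const a = makeDocument();
  const b = makeDocument();
  return {
    asWritten: navigateJavascriptUri(TEST_HREF, a),
    asWrittenInner: a.result.innerHTML,
    withVoid: navigateJavascriptUri(VOID_HREF, b),
    withVoidInner: b.result.innerHTML,
  };
}
```

In both cases innerHTML is set first; only the href as written in the test goes on to replace the document, with the string 'area clicked' as its content.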