[Webkit-unassigned] [Bug 17313] querySelectorAll() causing crashes when called via dojo.query() wrapper
bugzilla-daemon at webkit.org
Mon Mar 3 04:06:54 PST 2008
http://bugs.webkit.org/show_bug.cgi?id=17313
------- Comment #13 from mrowe at apple.com 2008-03-03 04:06 PDT -------
I've been debugging this for a few hours now and the situation seems quite
bizarre. It crashes consistently within RenderText::deleteTextBoxes while
attempting to destroy an InlineTextBox. This is due to the RenderText's
m_firstTextBox having a bogus m_nextLine pointer. This m_nextLine pointer is
being set from CSSStyleSelector.cpp:1665. Yes, that seems crazy, but at that
point CSSStyleSelector's m_style/childStyle points to the same memory that is
used by the InlineTextBox. childStyle->setFirstChildState() ends up setting
m_nextLine to 0x1000 rather than setting the bitfield member it intends to. As
to *why* a single memory location is being treated as a RenderStyle and
InlineTextBox simultaneously... I have no idea at this point!