[Webkit-unassigned] [Bug 18135] Crash in Frame::tree appending iframe
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Mar 27 12:42:46 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=18135
minatoar at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |minatoar at gmail.com
------- Comment #5 from minatoar at gmail.com 2008-03-27 12:42 PDT -------
I'm not an onload expert, but the ordering that the events are dispatched looks
wrong
Notably, appending the iframe to parent is triggering the parent window's
onload handler!
Here is the specific order of events I observe in the reduced test-case:
(1) mainFrame attaches load handler on its window
(2) subFrame attaches load handler on its window
(3) subFrame's window load handler invoked
..(4) append an iframe "x" to mainFrame's body (top.document.body)
....(5) mainFrame's window load handler invoked synchronously
......(6) remove iframe "x"
[CRASH]
Step (5) looks wrong.
The more plausible ordering which I get when running in Firefox is:
(1) mainFrame attaches load handler on its window
(2) subFrame attaches load handler on its window
(3) subFrame's window load handler invoked
..(4) append an iframe "x" to mainFrame's body
(5) mainFrame's window load handler invoked
..(6) remove iframe "x"
..(7) add back iframe "x"
--
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list