[Webkit-unassigned] [Bug 21329] REGRESSION: crash in ScriptElement::notifyFinished
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Oct 3 01:16:14 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=21329
------- Comment #2 from darin at chromium.org 2008-10-03 01:16 PDT -------
This patch, which essentially just rolls back part of the original change,
seems to resolve the bug. I'll work on a layout test, but it may be
challenging since it is dependent on GC running at the right time.
Index: ScriptElement.cpp
===================================================================
--- ScriptElement.cpp (revision 2802)
+++ ScriptElement.cpp (working copy)
@@ -180,10 +180,13 @@
CachedScript* cs = static_cast<CachedScript*>(o);
ASSERT(cs == m_cachedScript);
+ // Evaluating the script could lead to a garbage collection which can
+ // delete the script element so we need to protect it.
+ RefPtr<Element> protector(m_element);
+
if (cs->errorOccurred())
m_scriptElement->dispatchErrorEvent();
else {
- RefPtr<Element> protector(m_element);
evaluateScript(cs->url(), cs->script());
m_scriptElement->dispatchLoadEvent();
}
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list