[Webkit-unassigned] [Bug 28697] WebKit crash on WebCore::Node::nodeIndex()
bugzilla-daemon at webkit.org
Mon Aug 24 17:39:52 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=28697
--- Comment #2 from yaar at google.com 2009-08-24 17:39:52 PDT ---
Digging into the bug, I suspect that the crashes happen when
m_childBeforeBoundary is a deallocated node, or a sibling of a deallocated
node.
I believe that there are code paths that deallocate nodes without notifying the
range objects.
One thing that caught my eye is that RangeBoundaryPoint::m_childBeforeBoundary
is a Node *, while m_containerNode is a RefPtr<Node>. Shouldn't
m_childBeforeBoundary be RefPtr<Node> too?
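The lifetime difference raised in the comment above, as an added example that is not from the original message or from WebKit's source. It is a toy model: `std::shared_ptr` stands in for `RefPtr`, and the `Node`, `RawBoundary` and `RefBoundary` types and all helper functions are hypothetical.

```cpp
#include <memory>
#include <string>
#include <vector>

// Toy DOM node; std::shared_ptr stands in for WebKit's RefPtr (assumption).
struct Node {
    std::string name;
    std::vector<std::shared_ptr<Node>> children;
    explicit Node(const std::string& n) : name(n) {}
};

// Layout described in the comment: owning container, raw child pointer.
struct RawBoundary {
    std::shared_ptr<Node> container;
    Node* childBefore;                  // non-owning, like Node*
    std::weak_ptr<Node> lifetimeProbe;  // observer only, never dereferenced
};

// The alternative the comment asks about: both members hold a reference.
struct RefBoundary {
    std::shared_ptr<Node> container;
    std::shared_ptr<Node> childBefore;
};

std::shared_ptr<Node> makeTree() {
    auto parent = std::make_shared<Node>("parent");
    parent->children.push_back(std::make_shared<Node>("child"));
    return parent;
}

void removeChildrenSilently(Node& n) { n.children.clear(); }  // no boundary is notified

// True when the node behind the raw pointer was destroyed; childBefore is not read again.
bool rawBoundaryDangles() {
    RawBoundary b{makeTree(), nullptr, {}};
    b.childBefore = b.container->children[0].get();
    b.lifetimeProbe = b.container->children[0];
    removeChildrenSilently(*b.container);
    return b.lifetimeProbe.expired();
}

// True when the reference-holding boundary still has a live, readable child.
bool refBoundaryKeepsChildAlive() {
    RefBoundary b{makeTree(), nullptr};
    b.childBefore = b.container->children[0];
    removeChildrenSilently(*b.container);
    return b.childBefore.use_count() == 1 && b.childBefore->name == "child";
}
int main() { return rawBoundaryDangles() && refBoundaryKeepsChildAlive() ? 0 : 1; }
```

Holding a reference keeps the child alive but does not by itself keep the boundary consistent with the tree: in the second case the boundary still names a node that is no longer a child of its container.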