[Webkit-unassigned] [Bug 27634] Give toJS a JSDOMGlobalObject parameter
bugzilla-daemon at webkit.org
Thu Jul 23 18:15:13 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=27634
--- Comment #4 from Eric Seidel <eric at webkit.org> 2009-07-23 18:15:13 PDT ---
In the crash I'm seeing, this call:
    Structure* getCachedDOMStructure(JSDOMGlobalObject* globalObject, const ClassInfo* classInfo)
    {
        JSDOMStructureMap& structures = globalObject->structures();
        return structures.get(classInfo).get(); // CRASHING LINE
    }
structures is junk.
I'm not sure when structures would be junk.
In gc-6.html, the frame is navigated, but the global object should still be
alive:
    function doit()
    {
        var frame = document.getElementById("frame");
        spanB = frame.contentDocument.getElementById("span-B");
        spanB.customProperty = "B";
        frame.onload = frameLoaded;
        frame.src = "about:blank";
    }
frameLoaded() does a GC and then does:
    output.innerHTML += spanB.parentNode + "<BR>";
(which is where we're crashing).
I expect that now spanB.parentNode would be (correctly) trying to use the
prototype chain off of the previous window. Maybe somehow we've destroyed that
previous window?