[Webkit-unassigned] [Bug 26044] Crash at Node::nodeIndex()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 4 09:47:04 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26044
------- Comment #22 from eric at webkit.org  2009-06-04 09:47 PDT -------
(In reply to comment #20)
> (In reply to comment #19)
> > Sure thing. I can demonstrate m_start.container() becoming zero.
> 
> This is where we need to concentrate our fixes. We need to fix the mutation
> hooks to work properly in all cases, with changes either at the call sites or
> in the Range class.
> 
> Should be straightforward. Let's do it.

I disagree. :)

I did not find it straightforward yesterday.  I spent a while getting this
far.  Although now that I'm pretty sure this is due to dead Ranges hanging
around in m_ranges on the Document, getting further should be easier.

I think the real brokenness is using m_start.container() to mean "attached" or
"detached".  Whether m_start.container() ever becomes invalid seems a separate
question from "does the document still have a pointer to me".  One causes bad
behavior, one causes crashes.  I'm trying to fix the crashes here, and ignoring
the bad behavior for the moment.

The code seemed to fan out enough for me to mentally figure out what cases
could be putting us into a bad state.  Fixing design not to crash seemed like
the right approach.  This bad state is already caught by *numerous* assertions,
but none of them are firing in release mode, and we have no reproducible case
with which to hit them in debug mode.

Please reconsider.  I don't think patching this one case where someone uses
mutation events is likely to fix all the crashes we've seen from this code
(since my impression is so few sites use mutation events anyway).  If you stare
at the code and see other cases besides the mutation event one, I'm happy to fix
those too, but no others were obvious to me yesterday.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
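The comment above draws a line between two different questions: whether a Range's start container pointer is still valid, and whether the Document still holds a pointer to that Range in m_ranges. The following is an added, deliberately simplified model of that registration pattern, written for this page; it is not WebKit's code, and the Document, Range and Node classes, the m_attached flag, and the nodeWillBeRemoved hook are assumptions chosen to illustrate the point. It keeps "attached" as an explicit state that the Range's destructor clears, so a destroyed Range can never be left dangling in the owner's set, and shows that a nulled start container does not by itself mean the Range is detached.

```cpp
// Simplified model (not WebKit code) of a Document that keeps raw pointers
// to live Range objects so it can notify them of DOM mutations.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <set>

struct Node { int id; };

class Range;

class Document {
public:
    void attachRange(Range* r) { m_ranges.insert(r); }
    void detachRange(Range* r) { m_ranges.erase(r); }
    // Mutation hook: every registered Range gets a chance to fix itself up.
    // If a destroyed Range were still in m_ranges, this walk would touch
    // freed memory; keeping the set accurate is the invariant that matters.
    void nodeWillBeRemoved(Node* n);
    std::size_t registeredRangeCount() const { return m_ranges.size(); }
private:
    std::set<Range*> m_ranges;   // assumed analogue of Document::m_ranges
};

class Range {
public:
    Range(Document* doc, Node* start)
        : m_ownerDocument(doc), m_startContainer(start), m_attached(true) {
        doc->attachRange(this);
    }
    // Unregistering in the destructor is what prevents dead Ranges from
    // lingering in the owner's set.
    ~Range() { detach(); }
    void detach() {
        if (!m_attached) return;
        m_ownerDocument->detachRange(this);
        m_attached = false;
    }
    // Losing the start container leaves the Range registered; that is a
    // separate state from "detached", tracked by m_attached (an assumption).
    void nodeWillBeRemoved(Node* n) {
        if (m_startContainer == n) m_startContainer = nullptr;
    }
    bool isAttached() const { return m_attached; }
    Node* startContainer() const { return m_startContainer; }
private:
    Document* m_ownerDocument;
    Node* m_startContainer;
    bool m_attached;
};

void Document::nodeWillBeRemoved(Node* n) {
    for (Range* r : m_ranges) r->nodeWillBeRemoved(n);
}

struct Outcome { bool containerNull; bool stillAttached; std::size_t registered; };

// Scenario 1: removing the start node nulls the container pointer, but the
// Range is still registered with its Document.
Outcome removeStartNode() {
    Document doc;
    Node a{1};
    Range r(&doc, &a);
    doc.nodeWillBeRemoved(&a);
    return {r.startContainer() == nullptr, r.isAttached(), doc.registeredRangeCount()};
}

// Scenario 2: destroying a Range removes it from the set, so a later
// mutation walks no dangling pointer.
std::size_t destroyRange() {
    Document doc;
    Node a{1};
    {
        Range r(&doc, &a);
        (void)r;
    }
    Node b{2};
    doc.nodeWillBeRemoved(&b);
    return doc.registeredRangeCount();
}

int main() {
    Outcome o = removeStartNode();
    std::printf("container null: %d, attached: %d, registered: %zu\n",
                o.containerNull, o.stillAttached, o.registered);
    std::printf("registered after destroy: %zu\n", destroyRange());
    return 0;
}
```

The two scenarios separate the "bad behavior" case (a Range whose start container is gone but which is still tracked) from the "crash" case (a Range that is gone but still tracked); only the second is prevented by the explicit attach/detach bookkeeping.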