[Webkit-unassigned] [Bug 31084] Crash when a plugin removes itself from the DOM during paint
bugzilla-daemon at webkit.org
Tue Nov 3 14:04:40 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=31084
--- Comment #1 from James Robinson <jamesr at chromium.org> 2009-11-03 14:04:40 PDT ---
Created an attachment (id=42416)
--> (https://bugs.webkit.org/attachment.cgi?id=42416)
LayoutTest that exhibits the behavior
Attached is a layout test (and modifications to the TestNetscapePlugin) with a
plugin that removes itself (by calling NPN_Evaluate() on a script that sets the
plugin's parent's innerHTML to '') during paint. This causes a crash in
RenderWidget.cpp. The problem is that setting innerHTML causes the previous
child Node objects to be destroyed, which causes the associated renderers to be
destroyed. The rendering code does not check for this case and dies.
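The failure mode described in the comment (a re-entrant callback from inside paint tears down the very object being painted, so the caller continues on freed memory) and the usual defence against it, shown in a small C model. This is an added example, not code from the bug report, the attached layout test or WebKit; the Widget type, the hook/ref/deref names and the poison-instead-of-free trick are assumptions made so the block runs stand-alone and the dangling access is detectable rather than undefined behaviour.

```c
/* Toy model of a render widget whose plugin paint hook can re-enter the DOM.
 * Not WebKit code: all names and the layout are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>

#define LIVE_MAGIC 0x57494447u  /* "WIDG": object is alive */
#define DEAD_MAGIC 0xDEADDEADu  /* poison written when the object is destroyed */

typedef struct Widget Widget;
typedef void (*PaintHook)(Widget *w);   /* plugin paint callback, may re-enter */

struct Widget {
    uint32_t magic;
    int refcount;          /* the parent holds one reference while attached */
    bool attached;         /* still in the render tree? */
    int paints_finished;
    PaintHook hook;
};

/* Stand-in for delete/free(): poison the block instead of releasing it so a
 * later touch can be detected by a test rather than crashing or going silent. */
static void widget_destroy(Widget *w) {
    w->magic = DEAD_MAGIC;
    w->attached = false;
}

static void widget_ref(Widget *w) { w->refcount++; }
static void widget_deref(Widget *w) {
    if (--w->refcount == 0) widget_destroy(w);
}

static Widget *widget_create(PaintHook hook) {
    Widget *w = calloc(1, sizeof *w);
    w->magic = LIVE_MAGIC;
    w->refcount = 1;       /* the parent's reference */
    w->attached = true;
    w->hook = hook;
    return w;
}

/* Equivalent of `parent.innerHTML = ''`: the child leaves the tree and the
 * parent drops its reference, which destroys the child if nobody else holds one. */
static void detach_from_parent(Widget *w) {
    w->attached = false;
    widget_deref(w);
}

/* The plugin behaviour from the bug: it removes itself during its own paint. */
static void self_removing_hook(Widget *w) { detach_from_parent(w); }
static void benign_hook(Widget *w) { (void)w; }

/* Vulnerable pattern: nothing keeps w alive across the re-entrant call.
 * Returns 0 on success, -1 where real code would dereference freed memory. */
static int paint_unsafe(Widget *w) {
    w->hook(w);                              /* may destroy w */
    if (w->magic != LIVE_MAGIC) return -1;   /* use-after-free point */
    w->paints_finished++;
    return 0;
}

/* Hardened pattern: hold a reference ("protector") for the duration of the
 * call, then re-check tree membership before touching tree state.
 * Returns 0 if the paint completed, 1 if the widget was removed mid-paint. */
static int paint_safe(Widget *w) {
    int rc = 0;
    widget_ref(w);                /* keeps w alive until we are done with it */
    w->hook(w);
    if (w->attached)
        w->paints_finished++;     /* still in the tree: finish the paint */
    else
        rc = 1;                   /* removed during paint: bail out cleanly */
    widget_deref(w);              /* deferred destruction happens here, not in the hook */
    return rc;
}

int main(void) {
    Widget *a = widget_create(self_removing_hook);
    printf("unsafe paint with self-removing plugin: %d (-1 = touched dead object)\n",
           paint_unsafe(a));
    free(a);

    Widget *b = widget_create(self_removing_hook);
    printf("safe paint with self-removing plugin:   %d (1 = bailed out)\n",
           paint_safe(b));
    free(b);

    Widget *c = widget_create(benign_hook);
    printf("safe paint with well-behaved plugin:    %d (0 = painted)\n",
           paint_safe(c));
    widget_deref(c);
    free(c);
    return 0;
}
```

The point of the protector is not to prevent the DOM mutation, which is legitimate script, but to make sure the object survives until the frame that is using it returns, and that every step after a re-entrant call re-validates what that call may have changed.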