[Webkit-unassigned] [Bug 28697] WebKit crash on WebCore::Node::nodeIndex()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 5 14:40:24 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=28697


Eric Seidel <eric at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #42596|0                           |1
        is obsolete|                            |




--- Comment #13 from Eric Seidel <eric at webkit.org>  2009-11-05 14:40:24 PDT ---
Created an attachment (id=42598)
 --> (https://bugs.webkit.org/attachment.cgi?id=42598)
Even better reduction with more source comments.

I think there are multiple bugs at play here.  I expect that the range crasher
could be reproduced w/o needing any copy event, but I've not been able to do so
yet.

I think the cloneContents() is cloning the <script> tag as well.  I suspect
the document.write() from the script tag is executing during the appendChild(),
and possibly causing the rest of the document to "fail to insert".  Thus the
Nodes may be being "removed from the document" in a way that the Range does not
expect and thus the range is never getting updated.

I'm not sure yet.  Darin might have a theory.  I'll CC him.
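To make the theory in the comment concrete, here is an added illustration that is not WebKit code and not part of the bug thread: a tiny DOM-like tree whose live Ranges follow the DOM specification's "live range pre-remove steps", plus a mode that skips those steps. The skipped mode shows the kind of stale Range (a boundary container that is no longer in the document, so its sibling index is meaningless) that the comment suspects is reaching Node::nodeIndex(). ModelNode, ModelRange, removeChild, rangeIsConsistent and the scenario builder are names invented for this example; the tree shape is a guess at the reduction's structure, not the attached test case.

```javascript
// Added example, not WebKit's implementation: a minimal model of live Range
// maintenance on node removal. Names here are invented for the illustration.
const liveRanges = new Set();

class ModelNode {
  constructor(name) { this.name = name; this.parentNode = null; this.childNodes = []; }
  // Analogue of WebCore's Node::nodeIndex(): position among siblings, -1 when detached.
  nodeIndex() { return this.parentNode ? this.parentNode.childNodes.indexOf(this) : -1; }
  appendChild(child) { child.parentNode = this; this.childNodes.push(child); return child; }
  isInclusiveDescendantOf(ancestor) {
    for (let n = this; n !== null; n = n.parentNode) if (n === ancestor) return true;
    return false;
  }
}

class ModelRange {
  constructor(startContainer, startOffset, endContainer, endOffset) {
    Object.assign(this, { startContainer, startOffset, endContainer, endOffset });
    liveRanges.add(this); // registered so removals can adjust it
  }
}

// Remove `node` from `parent`. With updateRanges=true the DOM spec's live range
// pre-remove steps run first; with false they are skipped, leaving stale Ranges.
function removeChild(parent, node, updateRanges = true) {
  const index = node.nodeIndex();
  if (index < 0 || node.parentNode !== parent) throw new Error('not a child of parent');
  if (updateRanges) {
    for (const r of liveRanges) {
      // Boundary points inside the removed subtree collapse to (parent, index).
      if (r.startContainer.isInclusiveDescendantOf(node)) { r.startContainer = parent; r.startOffset = index; }
      if (r.endContainer.isInclusiveDescendantOf(node)) { r.endContainer = parent; r.endOffset = index; }
      // Offsets in the parent past the removed child shift down by one.
      if (r.startContainer === parent && r.startOffset > index) r.startOffset--;
      if (r.endContainer === parent && r.endOffset > index) r.endOffset--;
    }
  }
  parent.childNodes.splice(index, 1);
  node.parentNode = null;
  return node;
}

// Consistency check: both boundary containers must still be under `root`, and
// each offset must not exceed its container's child count.
function rangeIsConsistent(range, root) {
  const ok = (c, o) => c.isInclusiveDescendantOf(root) && o >= 0 && o <= c.childNodes.length;
  return ok(range.startContainer, range.startOffset) && ok(range.endContainer, range.endOffset);
}

// Constructed scenario: <body><p/><script/><p/></body> with a Range that starts
// inside the first <p> and ends after body's last child.
function buildScenario() {
  liveRanges.clear();
  const doc = new ModelNode('#document');
  const body = doc.appendChild(new ModelNode('body'));
  const p1 = body.appendChild(new ModelNode('p'));
  const script = body.appendChild(new ModelNode('script'));
  const p2 = body.appendChild(new ModelNode('p'));
  const range = new ModelRange(p1, 0, body, body.childNodes.length);
  return { doc, body, p1, script, p2, range };
}

// Spec-conformant removals keep the Range usable: end offset 3 -> 2 -> 1,
// start collapses from (p1, 0) to (body, 0).
function demoWithUpdates() {
  const s = buildScenario();
  removeChild(s.body, s.script);
  removeChild(s.body, s.p1);
  return {
    consistent: rangeIsConsistent(s.range, s.doc),
    start: [s.range.startContainer.name, s.range.startOffset],
    end: [s.range.endContainer.name, s.range.endOffset],
  };
}

// Removal that bypasses range updates: the Range still points at the detached
// <p>, whose nodeIndex() is now -1, and its end offset exceeds body's child count.
function demoStale() {
  const s = buildScenario();
  removeChild(s.body, s.p1, false);
  return { consistent: rangeIsConsistent(s.range, s.doc), startIndex: s.range.startContainer.nodeIndex() };
}
```

The useful part for a debugger is the contrast: with the pre-remove steps, every removal path leaves the Range pointing at an attached container with an in-bounds offset; any removal path that skips them (for instance one triggered from inside a document.write() during insertion) leaves a boundary whose container answers nodeIndex() with -1, which is exactly the state a consistency check like rangeIsConsistent would flag before the Range is used.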
