[Webkit-unassigned] [Bug 28697] WebKit crash on WebCore::Node::nodeIndex()

bugzilla-daemon at webkit.org
Wed Nov 25 19:58:06 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=28697

--- Comment #15 from Eric Seidel <eric at webkit.org>  2009-11-25 19:58:03 PST ---
OK, so the Range definitely contains a pointer to a deleted Node.  My current
theory is that Document::removeChildren() (which is actually
Container::removeChildren()) called from Document::implicitOpen() is removing
all the root children, but that the root's grandchildren are not having
willRemoveChild called, and thus the Document never learns that they're being
removed and thus ranges which point to anything deep in the tree end up with
invalid Node pointers.

I'll work to validate this theory tomorrow.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
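
An added example, not part of the original comment and not WebKit source: a toy C++ model of the failure the comment hypothesizes, where ranges are retargeted only when their boundary is the node being removed, so a range anchored on a grandchild is left pointing into freed memory. The types, `isInside`, `staleRangesAfterRemoval` and the `deep` flag are hypothetical, and the shallow/deep split is an assumption standing in for the theory about `willRemoveChild`.

```cpp
// Toy model (not WebKit source): a Range holds a raw, non-owning Node*.
#include <cstdio>
#include <memory>
#include <vector>

struct Node {
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;
    Node* appendChild() {
        children.push_back(std::make_unique<Node>());
        children.back()->parent = this;
        return children.back().get();
    }
};
struct Range { Node* container; };
static bool isInside(const Node* n, const Node* subtreeRoot) {
    for (; n; n = n->parent)
        if (n == subtreeRoot) return true;
    return false;
}
struct Document {
    Node root;
    std::vector<Range*> ranges;  // ranges registered with this document
    // Removes every child of the root; returns how many ranges still point into
    // the freed subtrees. deep=false matches only the removed node itself.
    int removeChildren(bool deep) {
        for (auto& child : root.children)
            for (Range* r : ranges)
                if (deep ? isInside(r->container, child.get()) : r->container == child.get())
                    r->container = &root;  // retarget to a node that stays alive
        int stale = 0;
        for (Range* r : ranges)
            if (r->container != &root) ++stale;  // counted before anything is freed
        root.children.clear();  // destroys children and all their descendants
        return stale;
    }
};
// Constructed input: root -> child -> grandchild, one range at each level.
int staleRangesAfterRemoval(bool deep) {
    Document doc;
    Node* child = doc.root.appendChild();
    Node* grandchild = child->appendChild();
    Range onChild{child}, onGrandchild{grandchild};
    doc.ranges = {&onChild, &onGrandchild};
    return doc.removeChildren(deep);
}
int main() {
    std::printf("shallow: %d stale, deep: %d stale\n", staleRangesAfterRemoval(false), staleRangesAfterRemoval(true));
}
```

The stale count is taken before the nodes are destroyed, so the model never reads a dangling pointer; building it with AddressSanitizer is the usual way to confirm that no freed node is touched.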