[Webkit-unassigned] [Bug 28697] WebKit crash on WebCore::Node::nodeIndex()
bugzilla-daemon at webkit.org
Wed Nov 25 20:18:15 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=28697
--- Comment #16 from Eric Seidel <eric at webkit.org> 2009-11-25 20:18:14 PST ---
Ok, I found the bug.
In removeChildren():

    // Do any prep work needed before actually starting to detach
    // and remove... e.g. stop loading frames, fire unload events.
    // FIXME: Adding new children from event handlers can cause an infinite loop here.
    for (RefPtr<Node> n = m_firstChild; n; n = n->nextSibling())
        willRemoveChild(n.get());

willRemoveChild() is correctly calling void Range::nodeWillBeRemoved(Node* node).

However, since it's removing all the nodes at once, when the matching node is found:

    boundary.setToBeforeChild(nodeToBeRemoved);

is called, which does:

    m_childBeforeBoundary = child->previousSibling();

However, in this case, nodeToBeRemoved->previousSibling() is also being removed (and in fact, just had willRemoveChild() called for it), but since removeChildren is iterating from first to last node, Range will never notice, and happily set m_childBeforeBoundary to a node which is about to be removed!
I'm not yet sure what the proper fix is.
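The interaction described in the comment, reduced to a stand-alone model that is not WebKit code: a Range boundary caches the child before it, removeChildren() notifies the Range about each child first-to-last, and the cached child is itself one of the children being removed. The Node, Boundary, nodeWillBeRemoved and removeChildren definitions are simplified stand-ins for the WebKit classes and functions named above, and boundaryConsistent() is a hypothetical invariant check, not something from the tree.

```cpp
// Minimal model (not WebKit code) of the bug discussed in the comment.
#include <cstddef>

struct Node {
    Node* parent = nullptr;
    Node* prev = nullptr;
    Node* next = nullptr;
    bool removed = false;          // set once removeChildren() detaches the node
};

struct Boundary {                  // stands in for RangeBoundaryPoint
    Node* container = nullptr;
    Node* childBefore = nullptr;   // stands in for m_childBeforeBoundary
    void setToBeforeChild(Node* child) { childBefore = child->prev; }
};

// Stand-in for Range::nodeWillBeRemoved(): if the boundary sits just after the
// node being removed, move it to sit before that node instead.
void nodeWillBeRemoved(Boundary& b, Node* n) {
    if (b.childBefore == n)
        b.setToBeforeChild(n);     // previousSibling() may itself be doomed
}

// Stand-in for removeChildren(): notify for every child first-to-last (the
// willRemoveChild loop), then detach them all.
void removeChildren(Node* firstChild, Boundary& b) {
    for (Node* n = firstChild; n; n = n->next)
        nodeWillBeRemoved(b, n);
    for (Node* n = firstChild; n;) {
        Node* next = n->next;
        n->parent = nullptr; n->prev = nullptr; n->next = nullptr; n->removed = true;
        n = next;
    }
}

// Hypothetical invariant: a cached child must still hang off the container.
bool boundaryConsistent(const Boundary& b) {
    return !b.childBefore || b.childBefore->parent == b.container;
}

// Builds parent -> [a, b, c] with the boundary after c, runs removeChildren(),
// and reports whether the boundary now caches a detached node (the state that
// later makes Node::nodeIndex() walk a dead sibling chain). Returns true.
bool boundaryDanglesAfterRemoveChildren() {
    Node parent, a, b, c;
    Node* kids[] = {&a, &b, &c};
    for (int i = 0; i < 3; ++i) {
        kids[i]->parent = &parent;
        if (i) { kids[i]->prev = kids[i - 1]; kids[i - 1]->next = kids[i]; }
    }
    Boundary boundary{&parent, &c};        // (parent, 3): range end sits after c
    removeChildren(&a, boundary);          // c's notification moves the cache to b
    return boundary.childBefore == &b && b.removed && !boundaryConsistent(boundary);
}
```

Reversing the notification order, or collapsing the boundary to the container when every child goes, would avoid caching b here; which of those WebKit chose is not stated in this comment.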