[Webkit-unassigned] [Bug 44170] HTML5 TreeBuilder ASSERTs on <a><svg><tr><input></a>
bugzilla-daemon at webkit.org
Wed Aug 18 14:53:08 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=44170
Tony Gentilcore <tonyg at chromium.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|tonyg at chromium.org       |webkit-unassigned at lists.webkit.org
--- Comment #11 from Tony Gentilcore <tonyg at chromium.org> 2010-08-18 14:53:08 PST ---
(In reply to comment #10)
> Eric and I chatted about this briefly on IRC. I'll take a look.
I'm releasing this bug for now so that I can focus on 44129 (which turned out to be more involved than I thought).
Eric, if you don't get to this first, I'm happy to pick it up again.
Here are my notes so far:
TreeBuilder has this branch:

    if causesFosterParenting
        tree.fosterParent()
    else
        commonAncestor.appendChild()

This case takes the fosterParent() route for the <svg> element which invokes attachAtSite() and calls parserAddChild(). That method doesn't handle reparenting.
Changing parserAddChild() to appendChild() fixes the crash because it handles reparenting. However, I'm positive that is not the solution in light of our discussion of mutation events. Perhaps the answer is to teach parserAddChild() about reparenting or in some other way address the FIXME in attach() about attachAtSite() not handling foster parenting.
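The difference the notes describe between an add-child path that skips reparenting and one that detaches the node first, as an added example that is not WebKit code and not part of the original message. The Node type, the function names and the root/table/a/svg layout are a constructed toy model, and it assumes the fostered node already has a parent when it is moved.

```cpp
#include <algorithm>
#include <vector>

// Toy DOM node (hypothetical model, not WebKit's ContainerNode).
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
};

// Fast path modelled on the behaviour the notes attribute to parserAddChild():
// it assumes the child has no parent yet, so it never detaches it.
void addChildNoReparent(Node& newParent, Node& child) {
    newParent.children.push_back(&child);
    child.parent = &newParent;
}

// General path modelled on appendChild(): detach from the old parent first.
void appendChildWithReparent(Node& newParent, Node& child) {
    if (Node* old = child.parent) {
        auto& c = old->children;
        c.erase(std::remove(c.begin(), c.end(), &child), c.end());
    }
    newParent.children.push_back(&child);
    child.parent = &newParent;
}

// Invariant: every listed child points back at the node that lists it.
bool treeIsConsistent(const Node& root) {
    for (const Node* c : root.children)
        if (c->parent != &root || !treeIsConsistent(*c))
            return false;
    return true;
}

// Constructed layout: root -> {table, a}, with svg already under a.
// svg is then moved to the foster parent (root) via the chosen path.
bool fosterParentKeepsTreeConsistent(bool reparent) {
    Node root, table, a, svg;
    addChildNoReparent(root, table);
    addChildNoReparent(root, a);
    addChildNoReparent(a, svg);
    if (reparent)
        appendChildWithReparent(root, svg);
    else
        addChildNoReparent(root, svg);
    return treeIsConsistent(root);
}

int main() { return (fosterParentKeepsTreeConsistent(true) && !fosterParentKeepsTreeConsistent(false)) ? 0 : 1; }
```

In the non-reparenting case the node ends up in two child lists while its parent pointer names only one of them, which is the kind of broken invariant a debug ASSERT is there to catch.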