[Webkit-unassigned] [Bug 41196] crash in FrameView::detachCustomScrollbars
bugzilla-daemon at webkit.org
Mon Jun 28 00:15:22 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=41196
Tony Chang (Google) <tony at chromium.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hyatt at apple.com
--- Comment #3 from Tony Chang (Google) <tony at chromium.org> 2010-06-28 00:15:21 PST ---
Here's what's happening:
RenderScrollbar has a pointer to a RenderObject (frameRenderer) when constructed:
http://trac.webkit.org/browser/trunk/WebCore/page/FrameView.cpp#L395
When the iframe is hidden in the test case, the render box is deleted.
In detachCustomScrollbars, we try to use the deleted pointers, causing the crash.
http://trac.webkit.org/browser/trunk/WebCore/page/FrameView.cpp#L278
Possible patch coming up.
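The lifetime problem described in comment #3, as an added C++ example (not WebKit code and not the patch the comment mentions): a scrollbar keeps a non-owning pointer to the renderer it was built from, and the renderer clears that back-pointer when it is destroyed so the detach path never touches freed memory. `Renderer`, `Scrollbar`, `track`, `untrack`, `ownerDestroyed`, `detachCustomScrollbar` and `ownerUsedAtDetach` are hypothetical names chosen for illustration.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Hypothetical stand-ins for the classes in the report, not WebCore code.
class Scrollbar;
class Renderer {
public:
    ~Renderer();  // tells every scrollbar still pointing here to forget us
    void track(Scrollbar* s) { m_bars.push_back(s); }
    void untrack(Scrollbar* s) {
        m_bars.erase(std::remove(m_bars.begin(), m_bars.end(), s), m_bars.end());
    }
    int styleLookups = 0;  // counts uses of this renderer by scrollbars
private:
    std::vector<Scrollbar*> m_bars;
};
class Scrollbar {
public:
    explicit Scrollbar(Renderer* owner) : m_owner(owner) { if (m_owner) m_owner->track(this); }
    ~Scrollbar() { if (m_owner) m_owner->untrack(this); }
    Scrollbar(const Scrollbar&) = delete;
    void ownerDestroyed() { m_owner = nullptr; }  // back-pointer is no longer valid
    Renderer* owner() const { return m_owner; }
private:
    Renderer* m_owner;  // non-owning: the renderer may be deleted first
};
Renderer::~Renderer() { for (Scrollbar* s : m_bars) s->ownerDestroyed(); }

// Detach path: consult the owner only if it is still alive.
// Returns true when the owner was alive and was used.
bool detachCustomScrollbar(std::unique_ptr<Scrollbar>& bar) {
    bool ownerWasAlive = false;
    if (bar && bar->owner()) {
        bar->owner()->styleLookups++;
        ownerWasAlive = true;
    }
    bar.reset();  // ~Scrollbar untracks itself from a live owner
    return ownerWasAlive;
}

// Constructed scenario: optionally delete the renderer before detaching,
// which is the ordering the hidden-iframe test case produces.
bool ownerUsedAtDetach(bool deleteRendererFirst) {
    std::unique_ptr<Renderer> renderer(new Renderer);
    std::unique_ptr<Scrollbar> bar(new Scrollbar(renderer.get()));
    if (deleteRendererFirst) renderer.reset();  // render box deleted
    return detachCustomScrollbar(bar);
}
```

Without the `ownerDestroyed()` call in `~Renderer`, `m_owner` would still hold the freed address in the second ordering, which is the condition the comment describes.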