[Webkit-unassigned] [Bug 45205] REGRESSION (r65213): Reproducible crash inside JavaScript GC when reloading http://en.wiktionary.org/wiki/choil

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 10 16:30:16 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=45205

--- Comment #4 from Eric Seidel <eric at webkit.org>  2010-09-10 16:30:15 PST ---
Looks like the contract with StyleSheet is wrong.  StyleSheet has a weak pointer to m_parentNode, but StyleSheet is also RefCounted and can outlive its parentNode.

Since it's also valid to have a stylesheet with m_parentNode(0), just clearing it in the owning node's destructor could lead to strange behavior. We may need to set m_parentNode to -1 after it's cleared, or set some other flag that we can ASSERT with to make sure that StyleSheets get removed from the rest of WebCore when their parent node goes away (assuming that's the desired behavior).

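The lifetime problem described in the comment, as an added C++ sketch that is not WebKit code: a ref-counted sheet keeps a raw back-pointer to its owner, a second reference lets the sheet outlive that owner, and the owner's destructor both clears the pointer and records the detach in a flag (the "-1 or some other flag" idea) so misuse can be asserted. Sheet, Owner, the std::shared_ptr stand-in for RefPtr and the m_detached flag are assumed names, not WebCore's.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>

class Owner;

// Stand-in for a RefCounted StyleSheet: weak back-pointer plus a detach flag.
class Sheet {
public:
    explicit Sheet(Owner* parent) : m_parentNode(parent) {}
    // Called by the owner when it dies: clear the pointer AND remember it,
    // so "never had a parent" and "parent went away" stay distinguishable.
    void clearOwnerNode() { m_parentNode = nullptr; m_detached = true; }
    bool hasParent() const { return m_parentNode != nullptr; }
    bool isDetached() const { return m_detached; }
private:
    Owner* m_parentNode;      // raw (weak) pointer; the owner may be freed first
    bool m_detached = false;  // hypothetical flag to ASSERT on after the owner is gone
};

// Stand-in for the owning node (e.g. a <style>/<link> element).
class Owner {
public:
    Owner() : m_sheet(std::make_shared<Sheet>(this)) {}
    ~Owner() { if (m_sheet) m_sheet->clearOwnerNode(); }  // fix the back-pointer on the way out
    std::shared_ptr<Sheet> sheet() const { return m_sheet; }
private:
    std::shared_ptr<Sheet> m_sheet;  // shared: script or the cache may hold another ref
};

// Reproduces the ordering from the bug: a second reference keeps the sheet
// alive past its owner, so the back-pointer would dangle without the clear.
std::shared_ptr<Sheet> sheetOutlivingOwner() {
    std::shared_ptr<Sheet> kept;
    {
        Owner owner;
        kept = owner.sheet();
    }  // owner destroyed here; kept still holds the sheet
    return kept;
}

// A sheet with m_parentNode(0) from the start is a valid, non-detached state.
bool parentlessSheetIsNotDetached() {
    Sheet standalone(nullptr);
    return !standalone.hasParent() && !standalone.isDetached();
}

int main() {
    auto s = sheetOutlivingOwner();
    assert(!s->hasParent() && s->isDetached());
    std::printf("detached=%d parentless-ok=%d\n", s->isDetached(), parentlessSheetIsNotDetached());
    return 0;
}
```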