[Webkit-unassigned] [Bug 52449] Crash when logging into gmail.com with frame flattening turned on.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Jan 15 17:55:29 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=52449

--- Comment #5 from Yael <yael.aharon at nokia.com>  2011-01-15 17:55:29 PST ---
This bug appears only with frame flattening turned on.
I can reproduce this crash very easily with this markup:

Main frame:
<!DOCTYPE html>
<html>
<head>
<style>
#My { background-color: blue; width: 100px; height: 100px; }
</style>
</head>
<body>
<iframe id="My" src="frm.html"></iframe>
</body></html>

IFrame:
<!DOCTYPE html>
<script>
function res() {
// Reading clientWidth forces a synchronous layout while one is already pending.
var i = document.getElementsByTagName('html')[0].clientWidth;
}
</script>
<style>
#p { border: 4px solid red;}
</style>
<body onresize="res();">
<div id='p'><br><br><br><br><br></div>
<script>
</script>
</body></html>

When we do frame flattening, after we "flatten" the frame, we schedule a relayout of all ancestors. See comment in FrameView::scheduleRelayout().
Then we send a resize event for the resized iframe while a new layout is pending for its parent.
Callbacks from the resize event handler to the DOM trigger the new layout recursively.

I think we should not send a resize event on iframes when we do frame flattening. The resize event is supposed to tell the JavaScript that the user resized the page or frame, not that the browser resized the frame programmatically.
Patch coming soon.
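As an added illustration (not code from this bug or from WebKit), the following hypothetical C++ model collapses the flattened iframe and the ancestors it dirties into one object and reproduces the cycle described above: layout flattens the frame, schedules a relayout, dispatches a resize event while that relayout is still pending, and the handler's clientWidth read re-enters layout. The suppressFlatteningResizeEvent flag stands for the proposed fix; every name here is invented.

```cpp
#include <functional>
#include <stdexcept>

// Hypothetical model of the cycle from the comment above; not WebKit's FrameView.
struct FrameView {
    bool frameFlattening = true;
    bool suppressFlatteningResizeEvent = false; // the proposed fix
    bool layoutPending = false;                 // a relayout has been scheduled
    int depth = 0;                              // current layout nesting
    int maxDepth = 0;
    static constexpr int kCrashDepth = 64;      // stand-in for stack exhaustion
    std::function<void()> resizeHandler;        // the page's onresize="res();"

    // Real code defers this to a timer; here it only marks layout dirty.
    void scheduleRelayout() { layoutPending = true; }

    // Models reading html.clientWidth: a DOM read that flushes pending layout.
    int clientWidth() {
        if (layoutPending) layout();
        return 100;
    }

    void layout() {
        if (++depth > kCrashDepth)
            throw std::runtime_error("layout recursed until the stack would overflow");
        if (depth > maxDepth) maxDepth = depth;
        layoutPending = false;
        if (frameFlattening) {
            scheduleRelayout();                 // ancestors must lay out again
            // Resize event dispatched while that layout is still pending:
            if (!suppressFlatteningResizeEvent && resizeHandler)
                resizeHandler();                // handler reads clientWidth -> layout()
        }
        --depth;
    }
};

// Returns the deepest layout nesting reached, or -1 when the cycle never terminates.
int runFlatteningScenario(bool applyFix) {
    FrameView view;
    view.suppressFlatteningResizeEvent = applyFix;
    view.resizeHandler = [&view] { (void)view.clientWidth(); };
    try {
        view.layout();
    } catch (const std::runtime_error&) {
        return -1;
    }
    return view.maxDepth;
}
```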
