[Webkit-unassigned] [Bug 50312] Assertion failure in WebCore::HTMLFrameElementBase::insertedIntoDocument()
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Jan 3 14:23:09 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=50312
--- Comment #11 from Eric Seidel <eric at webkit.org> 2012-01-03 14:23:09 PST ---
It's possible that we're creating a renderer, then trying to move the frame.
void HTMLFrameElementBase::willRemove()
{
if (m_remainsAliveOnRemovalFromTree)
return;
HTMLFrameOwnerElement::willRemove();
}
can block the zeroing of renderer(), but then
void HTMLFrameElementBase::insertedIntoDocument()
{
HTMLFrameOwnerElement::insertedIntoDocument();
if (m_remainsAliveOnRemovalFromTree) {
updateOnReparenting();
setRemainsAliveOnRemovalFromTree(false);
return;
}
should early-return with a different path (before the ASSERT).
It's possible that m_remainsAliveOnRemovalFromTree is somehow changing between when the remove happens and when it's added back... But I don't see how that would work (since m_remainsAliveOnRemovalFromTree is set by setRemainsAliveOnRemovalFromTree which is only called during Document::adoptNode)
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list