[Webkit-unassigned] [Bug 141380] WebCore Plugin Widget getOwnPropertySlot is not effect free
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Feb 9 15:20:37 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=141380
--- Comment #1 from Saam Barati <saambarati1 at gmail.com> ---
(In reply to comment #0)
> Created attachment 246256 [details]
> stack trace
>
> Plugin Widget will cause a Document::updateLayout call from an overridden
> getOwnPropertySlot.
>
> If you look at the various renderWidgetLoadingPlugin() calls, they will
> update the layout of the document
> while JavaScript code is already running. An overridden getOwnPropertySlot
> will cause a call to renderWidgetLoadingPlugin()
> which causes a updateLayoutIgnorePendingStylesheets() call which then causes
> more JavaScript code to run.
>
> This should not be allowed because it causes getOwnPropertySlot to not be
> effect-free.
>
> Steps to reproducing:
> 1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2
> 2. Open the inspector
> 3. Click on any JavaScript file
> 4. Make sure the type profiler is enabled by clicking the "T" button in the
> upper right.
> 5. Click the "Inspect" button
> 6. Navigate back to the gyazo page.
> 7. Reload the page while quickly moving your mouse over the different
> elements on the page causing the inspector overlay to update.
>
> This may have to be repeated several times, but it will eventually crash.
To make this more clear, just step 7 needs to be repeated multiple times to reproduce. After refreshing enough times while hovering the mouse around in "inspect" mode, the crash should reproduce.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150209/7918f60f/attachment-0002.html>
More information about the webkit-unassigned
mailing list