<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - Wheel event callback removing the window causes crash in WebCore."
href="https://bugs.webkit.org/show_bug.cgi?id=150871#c31">Comment # 31</a>
on <a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - Wheel event callback removing the window causes crash in WebCore."
href="https://bugs.webkit.org/show_bug.cgi?id=150871">bug 150871</a>
from <span class="vcard"><a class="email" href="mailto:bfulgham@webkit.org" title="Brent Fulgham <bfulgham@webkit.org>"> <span class="fn">Brent Fulgham</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=150871#c22">comment #22</a>)
<span class="quote">> So, the main frame is deleted (and the destructor deletes the
> WheelEventDeltaFilter), then the Frame destructor is run that calls
> setView(nullptr) that calls EventHandler::clear(). And now that
> EventHandler::clear class clearLatchedState, we are using
> m_frame.mainFrame() that has already been deleted.</span >
I can see how this could be an issue if the Frame being destructed is a MainFrame, and that its MainFrame member is a reference to itself. In that case, the MainFrame portion of the object could have been destroyed before 'setView(nullptr)' was called.
It might work to call "setView(nullptr)" in the MainFrame destructor, and only call it in the Frame destructor for non-mainframes.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>