Bug 14895 - [Crash] FrameTree::uniqueChildName generates non-unique names
Status: RESOLVED DUPLICATE of bug 7899
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: 523.x (Safari 3)
Hardware: All All
Importance: P2 Normal
Assignee: Brett Wilson (Google)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-08-07 10:56 PDT by Brett Wilson (Google)
Modified: 2007-08-07 11:31 PDT

Description Brett Wilson (Google) 2007-08-07 10:56:24 PDT
I am seeing a hard-to-reproduce crash on a number of sites including
  http://www.jrj.com.cn/
The crash is in EventHandler::passWheelEventToWidget (and presumably other input events) when you use the scroll wheel over certain iframes (seems to depend on timing) because the widget for the RenderWidget is NULL.

The widget is NULL because the iframe is never initialized properly. The iframe is never initialized properly because the redirect timer was canceled by another iframe that got the same "unique" internal frame name.

FrameTree::uniqueChildName uses childCount() to generate a "unique" name for a child frame. However, this value can repeat if frames are removed from the parent.
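The name collision described in the report above can be reproduced in a small model. This is an added example, not WebKit code and not the patch mentioned in this bug; `ToyFrameTree`, the `frame-N` name format and the counter-based variant are assumptions made for illustration.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Simplified stand-in for a parent frame's list of children (hypothetical type).
struct ToyFrameTree {
    std::vector<std::string> children;  // names of the live child frames
    unsigned nextId = 0;                // only used by the counter-based variant

    bool hasChild(const std::string& name) const {
        return std::find(children.begin(), children.end(), name) != children.end();
    }

    // Scheme from the report: the name is derived from the current child count,
    // so it repeats once a child has been removed.
    std::string nameFromChildCount() const {
        return "frame-" + std::to_string(children.size());
    }

    // One possible alternative: a counter that never decreases, re-checked
    // against the live names in case a page chose the same name explicitly.
    std::string nameFromCounter() {
        std::string name;
        do {
            name = "frame-" + std::to_string(nextId++);
        } while (hasChild(name));
        return name;
    }

    void remove(const std::string& name) {
        children.erase(std::remove(children.begin(), children.end(), name),
                       children.end());
    }
};

// Add three frames, remove the first, add a fourth.
// Returns true if the fourth frame received a name that is already in use.
bool collides(bool useCounter) {
    ToyFrameTree tree;
    auto add = [&] {
        std::string n = useCounter ? tree.nameFromCounter() : tree.nameFromChildCount();
        bool duplicate = tree.hasChild(n);
        tree.children.push_back(n);
        return duplicate;
    };
    add(); add(); add();       // frame-0, frame-1, frame-2
    tree.remove("frame-0");    // child count drops back to 2
    return add();              // count-based yields "frame-2" a second time
}
```

Any per-frame state keyed by that name is then shared between two frames, which matches the canceled redirect timer in the report.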
Comment 1 Brett Wilson (Google) 2007-08-07 10:59:46 PDT
I have a patch for this.
Comment 2 Geoffrey Garen 2007-08-07 11:21:04 PDT
This is a dup, but I can't find the original right now. You might want to do some searching -- I remember past patches for this issue causing significant regressions.
Comment 3 Brett Wilson (Google) 2007-08-07 11:31:09 PDT

*** This bug has been marked as a duplicate of 7899 ***