Bug 4716 - NodeIterator will crash if the filter function removes the current node from the document
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 420+
Hardware: Mac OS X 10.4
Importance: P2 Normal
Assignee: Darin Adler
Reported: 2005-08-28 11:18 PDT by Darin Adler
Modified: 2019-02-06 09:02 PST
Description Darin Adler 2005-08-28 11:18:38 PDT
Code inspection of functions like NodeIteratorImpl::findNextNode makes it clear that the NodeIterator does not do correct memory management of the nodes. As it iterates through nodes, the function holds a node pointer across a call to arbitrary JavaScript without calling ref() on that node. Clearly that can lead to a crash.
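The lifetime problem described above, as an added example that is not part of the original report and is not WebKit code: a minimal intrusive-refcount model showing why a raw pointer held across a callback can dangle, and how taking a reference first prevents it. `Node`, `Document`, `Filter`, `g_liveNodes` and both function names are hypothetical stand-ins.

```cpp
#include <algorithm>
#include <functional>
#include <vector>

static int g_liveNodes = 0;  // constructed instrumentation: nodes not yet destroyed
struct Node {  // minimal intrusive refcount, modelled on the ref() the report mentions
    int refCount = 0;
    int value;
    explicit Node(int v) : value(v) { ++g_liveNodes; }
    ~Node() { --g_liveNodes; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

struct Document {  // owns one reference per attached node
    std::vector<Node*> nodes;
    Node* append(int v) { Node* n = new Node(v); n->ref(); nodes.push_back(n); return n; }
    void remove(Node* n) {
        auto it = std::find(nodes.begin(), nodes.end(), n);
        if (it != nodes.end()) { nodes.erase(it); n->deref(); }
    }
    ~Document() { for (Node* n : nodes) n->deref(); }
};

using Filter = std::function<bool(Document&, Node*)>;  // stands in for the script filter

// Unprotected: raw pointer held across the callback. Returns true if the node was
// destroyed while still held; the pointer is deliberately never dereferenced here.
bool danglesWithoutRef(Document& doc, Node* node, const Filter& filter) {
    int liveBefore = g_liveNodes;
    filter(doc, node);
    return g_liveNodes < liveBefore;
}

// Protected: ref() before the callback, deref() after the last use of the node.
int valueAfterFilterWithRef(Document& doc, Node* node, const Filter& filter) {
    node->ref();
    filter(doc, node);
    int v = node->value;  // safe: our reference keeps the node alive
    node->deref();        // the node may be destroyed here, after we are done
    return v;
}

int main() {
    Filter removeNode = [](Document& d, Node* n) { d.remove(n); return true; };
    Document doc;
    bool dangling = danglesWithoutRef(doc, doc.append(1), removeNode);
    return (dangling && valueAfterFilterWithRef(doc, doc.append(2), removeNode) == 2) ? 0 : 1;
}
```

When reviewing similar code, the pattern to look for is any raw pointer to a refcounted object that stays in use after a call that can run script or other re-entrant callbacks.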
Comment 1 Darin Adler 2008-01-08 22:52:26 PST
Bug 3492 now has a patch that addresses this.
Comment 2 Darin Adler 2008-02-08 02:36:13 PST
Committed revision 30089.
Comment 3 Lucas Forschler 2019-02-06 09:02:35 PST
Mass moving XML DOM bugs to the "DOM" Component.