Bug 14895
| Summary: | [Crash] FrameTree::uniqueChildName generates non-unique names | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Brett Wilson (Google) <brettw> |
| Component: | Frames | Assignee: | Brett Wilson (Google) <brettw> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | ||
| Priority: | P2 | ||
| Version: | 523.x (Safari 3) | ||
| Hardware: | All | ||
| OS: | All | ||
Brett Wilson (Google)
I am seeing a hard-to-reproduce crash on a number of sites including
http://www.jrj.com.cn/
The crash is in EventHandler::passWheelEventToWidget (and presumably other input events) when you use the scroll wheel over certain iframes (seems to depend on timing) because the widget for the RenderWidget is NULL
The widget is NULL because the iframe is never initialized properly. The iframe is never initialized properly because the redirect timer was canceled by another iframe that got the same "unique" internal frame name.
FrameTree::uniqueChildName uses childCount() to generate a "unique" name for a child frame. However, this value can repeat if frames are removed from the parent.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Brett Wilson (Google)
I have a patch for this.
Geoffrey Garen
This is a dup, but I can't find the original right now. You might want to do some searching -- I remember past patches for this issue causing significant regressions.
Brett Wilson (Google)
*** This bug has been marked as a duplicate of 7899 ***