Bug 18872

Summary: Crash using webkit-box-reflect and position:absolute
Product: WebKit Reporter: Thomas Steinacher <tom>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: bfulgham, hyatt, mitz
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
crash log none

Description Thomas Steinacher 2008-05-03 04:05:33 PDT 
Create the following page:

<meta http-equiv=refresh content=0.1>
<style type="text/css">
.outer { -webkit-box-reflect:below 1px; }
.inner { position:absolute; }
</style>
<div class="outer"><div class="inner"></div></div>

Leave it running for a few seconds. Latest WebKit will crash. Tested on both PPC and Intel.
Comment 1 Matt Lilek 2008-05-03 10:51:59 PDT 
This doesn't crash for me - can you attach a crash log?
Comment 2 Thomas Steinacher 2008-05-03 10:56:05 PDT 
Created attachment 20949 [details]
crash log
Comment 3 mitz 2008-05-03 23:15:26 PDT 
With guard malloc, I get a crash in RenderLayer::removeChild() when closing the page (even without the refresh).