Bug 4716
| Summary: | NodeIterator will crash if the filter function removes the current node from the document | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Darin Adler <darin> |
| Component: | DOM | Assignee: | Darin Adler <darin> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | cdumez, ian |
| Priority: | P2 | | |
| Version: | 420+ | | |
| Hardware: | Mac | | |
| OS: | OS X 10.4 | | |
Darin Adler
Code inspection of functions like NodeIteratorImpl::findNextNode makes it clear that the NodeIterator does
not do correct memory management of the nodes. As it iterates through nodes, the function holds a node
pointer across a call to arbitrary JavaScript without calling ref() on that node. Clearly that can lead to a
crash.
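An added illustration of the lifetime problem described in the comment above; it is not WebKit code and not part of the original report. It is a toy model in which `std::shared_ptr` stands in for ref()/deref(), showing that a node removed by the filter callback is freed unless the iterator takes its own reference first. `Node`, `Document`, `visit`, `makeDocument` and `removingFilter` are hypothetical names.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>

int g_liveNodes = 0;  // nodes currently allocated (bookkeeping for this example)

// Toy stand-in for a ref-counted DOM node; shared_ptr plays the role of ref()/deref().
struct Node {
    int id;
    explicit Node(int i) : id(i) { ++g_liveNodes; }
    ~Node() { --g_liveNodes; }
};
using NodeRef = std::shared_ptr<Node>;

struct Document {
    std::vector<NodeRef> children;  // the document holds one reference per attached node
    void remove(int id) {
        children.erase(std::remove_if(children.begin(), children.end(),
                           [id](const NodeRef& n) { return n->id == id; }),
                       children.end());
    }
};

// Stands in for the script-supplied filter: it may do anything, including mutating the document.
using Filter = std::function<void(Document&, int)>;

// Visits children[index]. With protect == false the iterator keeps only an
// unowned handle (a weak_ptr here so the lifetime can be observed safely; a
// raw Node* in the reported code). Returns true if the node survived the callback.
bool visit(Document& doc, std::size_t index, const Filter& filter, bool protect) {
    NodeRef guard = protect ? doc.children[index] : NodeRef();  // ref() before the callback
    std::weak_ptr<Node> current = doc.children[index];
    int id = doc.children[index]->id;
    filter(doc, id);              // arbitrary code runs here
    return !current.expired();    // false means a raw pointer would now dangle
}

// Constructed sample document with three nodes, ids 1..3.
Document makeDocument() {
    Document doc;
    for (int i = 1; i <= 3; ++i) doc.children.push_back(std::make_shared<Node>(i));
    return doc;
}

// Filter that removes the node it was asked about, as in the bug summary.
void removingFilter(Document& doc, int id) { doc.remove(id); }
```

With `protect` set, the node stays alive until `visit` returns and is then released, so the guard adds no leak.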
Darin Adler
Bug 3492 now has a patch that addresses this.
Darin Adler
Committed revision 30089.
Lucas Forschler
Mass moving XML DOM bugs to the "DOM" Component.