Comment #6 on issue 22210 by [email protected]: Chrome: Crash Report - Stack Signature: WebCore::RenderWidget::paint(WebCore::RenderObject::PaintInfo &,int,int)-993BEF http://code.google.com/p/chromium/issues/detail?id=22210
If a plugin causes itself to be removed from the DOM (by, say, setting its parent's innerHTML to something else), then the plugin's DOM node's renderer is destroyed during the paint algorithm. This reliably causes a crash that matches this stacktrace exactly in both Chromium and Safari. I believe this is what the "execute_script_delete_in_paint" test is supposed to cover but it does not quite do the right thing and it is disabled. I'll update this test and provide a layout test to WebKit that exhibits this behavior. It should be pretty easily fixable at that point.
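The failure class described in the comment is a re-entrancy problem: the paint traversal calls into a widget, the widget runs script, the script detaches the widget's node, and the traversal then continues using a renderer that has already been freed. The toy model below is an added illustration and is not WebCore or Chromium code; `RenderTree`, `RenderNode`, `onPaint` and `selfRemovingPluginScenario` are invented names. It shows one defensive design for this situation: removals requested while a paint pass is on the stack are only recorded, and the actual destruction is deferred until the traversal has finished, so no frame in the pass ever holds a dangling pointer.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Toy render tree (hypothetical, not WebCore): paint() can be re-entered by a
// "plugin" node that runs script while it is being painted. Erasing a node
// from children_ at that point would free the object whose paint frame is
// still active, so removals during a pass are deferred instead.
struct RenderNode {
    std::string name;
    std::function<void()> onPaint;  // simulates script run by a plugin during its paint
    bool painted = false;
};

class RenderTree {
public:
    RenderNode* append(const std::string& name) {
        children_.push_back(std::make_unique<RenderNode>());
        children_.back()->name = name;
        return children_.back().get();
    }

    // Outside a paint pass the node is freed immediately; inside a pass it is
    // only marked for removal and freed once the traversal completes.
    void remove(RenderNode* node) {
        if (painting_) {
            pendingRemovals_.push_back(node);
            return;
        }
        eraseNow(node);
    }

    // Paint every live child. Returns how many nodes were actually painted.
    int paint() {
        painting_ = true;
        int painted = 0;
        for (std::size_t i = 0; i < children_.size(); ++i) {
            RenderNode* node = children_[i].get();
            if (isPendingRemoval(node))
                continue;  // detached earlier in this pass: skip it, do not touch it
            if (node->onPaint)
                node->onPaint();  // may re-enter remove(), even for this very node
            // node is still a valid object here because its removal was deferred
            if (!isPendingRemoval(node)) {
                node->painted = true;
                ++painted;
            }
        }
        painting_ = false;
        for (RenderNode* n : pendingRemovals_)
            eraseNow(n);
        pendingRemovals_.clear();
        return painted;
    }

    std::size_t size() const { return children_.size(); }

private:
    bool isPendingRemoval(const RenderNode* node) const {
        return std::find(pendingRemovals_.begin(), pendingRemovals_.end(), node)
               != pendingRemovals_.end();
    }
    void eraseNow(RenderNode* node) {
        children_.erase(
            std::remove_if(children_.begin(), children_.end(),
                           [node](const std::unique_ptr<RenderNode>& p) { return p.get() == node; }),
            children_.end());
    }

    std::vector<std::unique_ptr<RenderNode>> children_;
    std::vector<RenderNode*> pendingRemovals_;
    bool painting_ = false;
};

struct Outcome {
    int painted;             // nodes painted during the pass
    std::size_t remaining;   // nodes left in the tree afterwards
    bool survivorPainted;    // the untouched node was still painted normally
};

// Constructed scenario mirroring the report: the plugin's paint handler
// replaces its parent's content, removing itself and an unpainted sibling.
Outcome selfRemovingPluginScenario() {
    RenderTree tree;
    RenderNode* plugin = tree.append("plugin");
    RenderNode* sibling = tree.append("sibling");
    RenderNode* survivor = tree.append("survivor");
    plugin->onPaint = [&tree, plugin, sibling] {
        tree.remove(plugin);   // self-removal while the plugin's paint is in progress
        tree.remove(sibling);  // a not-yet-painted node is detached as well
    };
    int painted = tree.paint();
    return Outcome{painted, tree.size(), survivor->painted};
}
```

In the scenario only the survivor is painted, the two detached nodes are freed after the pass, and no freed memory is touched. The naive variant, erasing from `children_` directly inside `remove()` while `painting_` is true, is exactly the shape of bug the stack signature in this report points at; a regression test such as the disabled `execute_script_delete_in_paint` would exercise the same self-removal path against the real renderer.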
