Evening,

The following input crashes NS on trunk:

$ cat test.html
<div style="background-image: url('foo.png')">
$

Preliminary investigation indicates the following:

1) box_get_style() retrieves the inline style for the node.
2) It then computes the style for the box.
3) It then destroys the inline style retrieved in (1).

The computed style obtained in (2) points at the interned 'foo.png', but
doesn't appear to hold a reference on that string. Thus, when the inline
style is destroyed in (3) and the style bytecode is destroyed, the
string is unreffed and freed.

Without further investigation, it looks to me as though libcss is
getting its reference counting wrong when generating computed styles.


J.
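
The lifetime problem described in steps (1)-(3), as an added example that is not part of the original post and is not libcss code. The `istr`, `inline_style` and `computed_style` types and every function name here are hypothetical stand-ins, and "foo.png" is taken from the test case above.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted interned string (not libcss's real type). */
typedef struct { unsigned refs; char *data; } istr;

static istr *istr_new(const char *s) {
    istr *i = malloc(sizeof *i);
    if (!i || !(i->data = malloc(strlen(s) + 1))) abort();
    i->refs = 1;
    strcpy(i->data, s);
    return i;
}
static istr *istr_ref(istr *i) { i->refs++; return i; }
/* Returns 1 if this unref freed the string, 0 otherwise. */
static int istr_unref(istr *i) {
    if (--i->refs > 0) return 0;
    free(i->data);
    free(i);
    return 1;
}

typedef struct { istr *url; } inline_style;        /* owns one reference */
typedef struct { istr *bg_image; } computed_style;

/* Buggy: copies the pointer only, so the computed style merely borrows it. */
static void compute_borrowing(computed_style *c, const inline_style *in) {
    c->bg_image = in->url;
}
/* Fixed: the computed style takes its own reference. */
static void compute_owning(computed_style *c, const inline_style *in) {
    c->bg_image = istr_ref(in->url);
}

/* Runs steps (1)-(3); returns 1 if step (3) freed the string while the
 * computed style still pointed at it. The stale pointer is never read. */
static int dangling_after_destroy(int owning) {
    inline_style in = { istr_new("foo.png") };       /* (1) inline style */
    computed_style c;
    if (owning) compute_owning(&c, &in);             /* (2) compute */
    else        compute_borrowing(&c, &in);
    int freed = istr_unref(in.url);                  /* (3) destroy inline */
    if (!freed) istr_unref(c.bg_image);  /* computed style drops its ref */
    return freed;
}

int main(void) {
    return !(dangling_after_destroy(0) == 1 && dangling_after_destroy(1) == 0);
}
```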

