Hi there, I had a crash the other day and found some code that looks wrong to me.
The affected method is FrameView::endDeferredRepaints() found in WebCore/page/FrameView.cpp:

    unsigned size = d->m_repaintRects.size();
    for (unsigned i = 0; i < size; i++)
        repaintContentRectangle(d->m_repaintRects[i], false);

The problem here is that repaintContentRectangle augments (d->m_repaintRects.append(r)) the items in m_repaintRects or clears it (d->m_repaintRects.clear()), thus the size of m_repaintRects[] changes while iterating it, which can result in a crash.

Cheers,
Kenneth
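A reduced model of the iteration problem described above, as an added example that is not WebKit's code: the container is re-entrantly appended to by the callee, so the loop's size snapshot and index go stale. The struct and names (Rect, RepaintQueue, pending, painted, deferring, flushDetectingMutation, flushSafe) are hypothetical stand-ins for FrameView's members; the detecting variant reports the mutation rather than indexing possibly-reallocated storage, and the safe variant detaches the queue before walking it.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Constructed stand-in for WebCore's IntRect (hypothetical, not the real type).
struct Rect { int x, y, w, h; };

// Minimal model of FrameView's deferred-repaint queue (hypothetical names).
struct RepaintQueue {
    std::vector<Rect> pending;   // plays the role of d->m_repaintRects
    std::vector<Rect> painted;   // rects that were actually repainted
    bool deferring = true;       // deferral still active when the loop runs

    // Stands in for repaintContentRectangle(): while deferral is active and the
    // call is not immediate it only queues the rect, i.e. it appends to the very
    // vector endDeferredRepaints() is iterating.  Otherwise it "paints".
    void repaintContentRectangle(const Rect& r, bool immediate) {
        if (deferring && !immediate) pending.push_back(r);
        else painted.push_back(r);
    }

    // Same shape as the reported loop (size read once, indexed in place), but it
    // copies the element before the call and checks the size afterwards, so the
    // re-entrant mutation is reported instead of indexing possibly-reallocated
    // storage.  Returns true if the vector changed underneath the loop.
    bool flushDetectingMutation() {
        size_t size = pending.size();
        for (size_t i = 0; i < size; ++i) {
            Rect r = pending[i];                 // copy: storage may move below
            repaintContentRectangle(r, false);
            if (pending.size() != size) return true;
        }
        return false;
    }

    // Defensive form: end deferral and take ownership of the queued rects first,
    // so any re-entrant append or clear hits a fresh vector, not the one being
    // walked.  The loop's container can no longer change under it.
    void flushSafe() {
        deferring = false;                       // assumption: loop ends deferral
        std::vector<Rect> rects;
        rects.swap(pending);                     // detach before iterating
        for (const Rect& r : rects)
            repaintContentRectangle(r, false);
    }
};
```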
_______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev