[webkit-reviews] review denied: [Bug 18971] Crash on sierpinski svg : [Attachment 21481] Now with testcase
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Jun 3 12:20:23 PDT 2008
Darin Adler <darin at apple.com> has denied Rob Buis <rwlbuis at gmail.com>'s request
for review:
Bug 18971: Crash on sierpinski svg
http://bugs.webkit.org/show_bug.cgi?id=18971
Attachment 21481: Now with testcase
http://bugs.webkit.org/attachment.cgi?id=21481&action=edit
------- Additional Comments from Darin Adler <darin at apple.com>
647 Node *child = element->firstChild();
648 while (child) {
649 PassRefPtr<Node> newChild = expandUseElementsInShadowTree(child);
650 if (newChild)
651 child = newChild.get();
652 else
653 child = child->nextSibling();
654 }
Why is it OK for child to not be a RefPtr? That looks wrong to me. It seems
like it could be deallocated before calling expandUseElementsInShadowTree
again.
Also newChild should just be a RefPtr, not a PassRefPtr.
More information about the webkit-reviews
mailing list