[webkit-reviews] review requested: [Bug 18859] SVGRootInlineBox::buildTextChunks can do an invalid downcast : [Attachment 20969] improved patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 5 09:20:45 PDT 2008


Jonathan Haas <myrdred at gmail.com> has asked for review:
Bug 18859: SVGRootInlineBox::buildTextChunks can do an invalid downcast
http://bugs.webkit.org/show_bug.cgi?id=18859

Attachment 20969: improved patch
http://bugs.webkit.org/attachment.cgi?id=20969&action=edit

------- Additional Comments from Jonathan Haas <myrdred at gmail.com>
Removed extraneous braces. I assume the braces around the body of the while
loop can stay?

There is no good test case for the original, unpatched code. The behavior of an
invalid downcast is undefined and implementation-dependent. In the case of MSVC
8, the return value from a call to textContent->textLength() on the invalid
pointer ends up pointing to the m_systemLanguage of SVGAElement::SVGTests. This
usually produces innocuous if bogus values. I suppose I might be able to
contrive a case where it forced an assert to trigger, but again, the behavior
is undefined and there's no guarantee that the same behavior would result in an
Xcode compilation, or a gcc compilation, or even a different version of MSVC.
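The failure mode described above, as an added illustration that is not part of the patch or of WebKit's code: a miniature inline-box hierarchy with a type predicate standing in for RTTI (WebKit builds without it), a checked downcast that yields nullptr instead of an invalid pointer, and a walk over the line's boxes that only calls textLength() on boxes that really are text boxes. Class and member names are hypothetical, modelled on the bug report.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical miniature of an inline-box hierarchy, written for this example.
struct InlineBox {
    virtual ~InlineBox() = default;
    // Cheap type tag: with RTTI disabled, dynamic_cast is unavailable and a
    // virtual predicate is what guards every downcast.
    virtual bool isInlineTextBox() const { return false; }
};

// A non-text box (e.g. the box generated for an <a> element). Its first field
// is an unrelated string, which is what an unchecked downcast to a text box
// would misread as that text box's content.
struct InlineFlowBox : InlineBox {
    std::string systemLanguage;  // stands in for m_systemLanguage
    explicit InlineFlowBox(std::string lang) : systemLanguage(std::move(lang)) {}
};

struct InlineTextBox : InlineBox {
    std::string text;
    explicit InlineTextBox(std::string t) : text(std::move(t)) {}
    bool isInlineTextBox() const override { return true; }
    std::size_t textLength() const { return text.size(); }
};

// Checked downcast: returns nullptr instead of an invalid pointer.
inline const InlineTextBox* toInlineTextBox(const InlineBox* box) {
    return (box && box->isInlineTextBox()) ? static_cast<const InlineTextBox*>(box) : nullptr;
}

// Sums textLength() over the text boxes only; flow boxes are skipped rather
// than reinterpreted, which is the check the unpatched loop lacked.
std::size_t totalTextLength(const std::vector<std::unique_ptr<InlineBox>>& boxes) {
    std::size_t total = 0;
    for (const auto& box : boxes)
        if (const InlineTextBox* textBox = toInlineTextBox(box.get()))
            total += textBox->textLength();
    return total;
}

// Constructed sample line: two text boxes with a flow box between them.
std::vector<std::unique_ptr<InlineBox>> makeSampleLine() {
    std::vector<std::unique_ptr<InlineBox>> boxes;
    boxes.push_back(std::make_unique<InlineTextBox>("Hello"));
    boxes.push_back(std::make_unique<InlineFlowBox>("en-US"));
    boxes.push_back(std::make_unique<InlineTextBox>("SVG"));
    return boxes;
}
```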
