[Webkit-unassigned] [Bug 15733] glyph-orientation-rounding-test crashes on TOT
bugzilla-daemon at webkit.org
Sat Dec 15 13:41:00 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=15733
eric at webkit.org changed:
What      | Removed | Added
----------|---------|------------------------------------------------------
CC        |         | sam at webkit.org, mjs at apple.com, ggaren at apple.com
Component | SVG     | WebCore JavaScript
------- Comment #6 from eric at webkit.org 2007-12-15 13:41 PDT -------
WOW. This turns out to be a *really* bad bug. The problem is this generated line of code in JSCSSStyleDeclarationPrototypeFunctionGetPropertyCSSValue::callAsFunction:

    KJS::JSValue* result = toJS(exec, WTF::getPtr(imp->getPropertyCSSValue(propertyName)));

See anything wrong?

The crash is caused by the evilness that is:

    template <typename T> inline T* getPtr(const PassRefPtr<T>& p)

We're grabbing the pointer out of a PassRefPtr, but by the time it's returned, if that was the only ref to that pointer, the pointer has already been deleted (since the original PassRefPtr has gone out of scope).

This is *bad*. Bad design. We'll need to educate the bindings about PassRefPtrs, w/o using getPtr().
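The lifetime hazard the comment describes, as an added illustration that is not WebKit's code: the Node, PassRefPtr, RefPtr and makeNode types below are constructed stand-ins for the WTF classes, and a global live-object counter is used so the example can show the object is already destroyed without touching freed memory.

```cpp
// Constructed stand-ins for WebCore's RefCounted / PassRefPtr / RefPtr (not WTF's code).
static int g_liveObjects = 0;

struct Node {
    int refCount = 0;
    Node() { ++g_liveObjects; }
    ~Node() { --g_liveObjects; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

// PassRefPtr: owns exactly one reference and hands it off when copied.
template <typename T> class PassRefPtr {
public:
    PassRefPtr(T* p) : m_ptr(p) { if (p) p->ref(); }
    PassRefPtr(const PassRefPtr& o) : m_ptr(o.releaseRef()) {}
    ~PassRefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* releaseRef() const { T* p = m_ptr; m_ptr = nullptr; return p; }
private:
    mutable T* m_ptr;
};

// RefPtr: keeps its reference for its whole lifetime.
template <typename T> class RefPtr {
public:
    RefPtr(const PassRefPtr<T>& p) : m_ptr(p.releaseRef()) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
private:
    T* m_ptr;
};

// The overload the comment calls out: peels the raw pointer off a PassRefPtr.
template <typename T> inline T* getPtr(const PassRefPtr<T>& p) { return p.get(); }

// Stand-in for imp->getPropertyCSSValue(): the returned PassRefPtr holds the only ref.
PassRefPtr<Node> makeNode() { return PassRefPtr<Node>(new Node); }

// Buggy pattern: the temporary PassRefPtr dies at the end of the statement and takes
// the object with it, so 'raw' dangles. Returns whether the object is still alive.
bool buggyPatternKeepsObjectAlive() {
    Node* raw = getPtr(makeNode());   // temporary destroyed here -> Node deleted
    (void)raw;                        // never dereferenced: it is already dangling
    return g_liveObjects == 1;        // false
}

// Fixed pattern: hold the result in a RefPtr for as long as the raw pointer is in use.
bool fixedPatternKeepsObjectAlive() {
    RefPtr<Node> holder = makeNode(); // holder owns the ref until scope exit
    Node* raw = holder.get();
    (void)raw;
    return g_liveObjects == 1;        // true
}
```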