[Webkit-unassigned] [Bug 22357] Crash when setting className via SVG className.baseVal
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Dec 22 13:00:38 PST 2008
https://bugs.webkit.org/show_bug.cgi?id=22357
darin at apple.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #26211|review? |review-
Flag| |
------- Comment #12 from darin at apple.com 2008-12-22 13:00 PDT -------
(From update of attachment 26211)
=> - if (namedAttrMap) {
> - if (i < length)
> - mappedAttributes()->setClass(newClassString);
> - else
> - mappedAttributes()->clearClass();
> - }
> + if (i < length) {
> + if (!namedAttrMap)
> + createAttributeMap();
> + mappedAttributes()->setClass(newClassString);
> + } else
> + mappedAttributes()->clearClass();
It's not correct to create an attribute map here. The map is supposed to be
created on demand in functions like Element::attributes, and a map should not
be created just because the class attribute was set on an element.
I need more information about when we're going to need the attribute map later,
and we should consider putting the call to create it at that site instead of
here. Or maybe when it's created the class isn't set up correctly in it? I need
more info about how the test case is failing to understand what the right fix
is.
This patch also introduces a null-dereferencing crash: The clearClass could
dereference 0 if namedAttrMap is 0.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list