[Webkit-unassigned] [Bug 18971] Crash on sierpinski svg
bugzilla-daemon at webkit.org
Tue Jun 3 12:20:23 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=18971
darin at apple.com changed:
              What|Removed                     |Added
----------------------------------------------------------------------------
 Attachment #21481|review?                     |review-
              Flag|                            |
------- Comment #7 from darin at apple.com 2008-06-03 12:20 PDT -------
(From update of attachment 21481)
    Node *child = element->firstChild();
    while (child) {
        PassRefPtr<Node> newChild = expandUseElementsInShadowTree(child);
        if (newChild)
            child = newChild.get();
        else
            child = child->nextSibling();
    }
Why is it OK for child to not be a RefPtr? That looks wrong to me. It seems
like it could be deallocated before calling expandUseElementsInShadowTree
again.
Also newChild should just be a RefPtr, not a PassRefPtr.
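Added example, not part of the original mail or the WebKit patch: a self-contained C++ sketch of the lifetime hazard the review comment describes. It assumes the expansion step replaces a node inside its parent; std::shared_ptr stands in for RefPtr, and Node, expand() and both test functions are hypothetical names.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Stand-in for a ref-counted DOM node (assumption: std::shared_ptr plays RefPtr).
struct Node {
    std::vector<std::shared_ptr<Node>> children;  // the tree's only references
    bool isUse;
    explicit Node(bool use = false) : isUse(use) {}
};

// Hypothetical expansion step: swaps a "use" child for a fresh node and returns
// the replacement, or nullptr when nothing was expanded.
std::shared_ptr<Node> expand(Node& parent, std::size_t index) {
    if (!parent.children[index]->isUse)
        return nullptr;
    auto replacement = std::make_shared<Node>();
    parent.children[index] = replacement;  // drops the tree's reference to the old child
    return replacement;
}

// Raw-pointer pattern: the caller owns nothing, so the old child dies inside
// expand(). Returns true when `child` has become dangling (it is never dereferenced).
bool rawPointerDangles() {
    Node parent;
    parent.children.push_back(std::make_shared<Node>(true));
    std::weak_ptr<Node> watch = parent.children[0];  // observes lifetime only
    Node* child = parent.children[0].get();
    auto newChild = expand(parent, 0);
    (void)child;  // any use of child from here on would be a use-after-free
    return newChild && watch.expired();
}

// Owning pattern: the caller's own reference keeps the old child alive across
// the call, so it can still be inspected afterwards.
bool strongRefKeepsChildAlive() {
    Node parent;
    parent.children.push_back(std::make_shared<Node>(true));
    std::weak_ptr<Node> watch = parent.children[0];
    std::shared_ptr<Node> child = parent.children[0];
    auto newChild = expand(parent, 0);
    return newChild && !watch.expired() && child->isUse;
}

int main() {
    return (rawPointerDangles() && strongRefKeepsChildAlive()) ? 0 : 1;
}
```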