[Webkit-unassigned] [Bug 18859] SVGRootInlineBox::buildTextChunks can do an invalid downcast
bugzilla-daemon at webkit.org
Mon May 5 09:20:46 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=18859
myrdred at gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #20969|                            |review?
               Flag|                            |
------- Comment #3 from myrdred at gmail.com 2008-05-05 09:20 PDT -------
Created an attachment (id=20969)
--> (http://bugs.webkit.org/attachment.cgi?id=20969&action=view)
improved patch
Removed extraneous braces. I assume the braces around the body of the while
loop can stay?
There is no good test case for the original, unpatched code. The behavior of an
invalid downcast is undefined and implementation-dependent. In the case of MSVC
8, the return value from a call to textContent->textLength() on the invalid
pointer ends up pointing to the m_systemLanguage of SVGAElement::SVGTests. This
usually produces innocuous if bogus values. I suppose I might be able to
contrive a case where it forced an assert to trigger, but again, the behavior
is undefined and there's no guarantee that the same behavior would result in an
Xcode compilation, or a gcc compilation, or even a different version of MSVC.
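The hazard described in the comment above, a static downcast applied to an element of the wrong dynamic type, is usually closed by consulting a type predicate before casting. The following is an added example, not part of the original message and not WebKit's code or the attached patch; every class and function name in it is hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical miniature hierarchy (not WebKit's classes): only some
// elements carry text content, and the base class exposes a type predicate.
struct Element {
    virtual ~Element() = default;
    virtual bool isTextContentElement() const { return false; }
};

struct LinkElement : Element {          // stands in for a non-text element
    std::string systemLanguage = "en";  // unrelated member a bad cast could alias
};

struct TextContentElement : Element {
    explicit TextContentElement(std::string s) : text(std::move(s)) {}
    bool isTextContentElement() const override { return true; }
    std::size_t textLength() const { return text.size(); }
    std::string text;
};

// Checked downcast: consult the predicate first, so static_cast is only
// ever applied to an object whose dynamic type really is the target.
const TextContentElement* toTextContentElement(const Element* e) {
    if (!e || !e->isTextContentElement())
        return nullptr;
    return static_cast<const TextContentElement*>(e);
}

// Walks a mixed list and skips non-text elements instead of calling
// textLength() through a mis-typed pointer.
std::size_t totalTextLength(const std::vector<const Element*>& elements) {
    std::size_t total = 0;
    for (const Element* e : elements) {
        if (const TextContentElement* t = toTextContentElement(e))
            total += t->textLength();
    }
    return total;
}

int main() {
    TextContentElement a("hello"), b("svg");
    LinkElement link;
    return totalTextLength({&a, &link, &b}) == 8 ? 0 : 1;
}
```

Because the wrong-type case yields a null pointer rather than undefined behavior, it can be asserted on in a regression test on any compiler.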