[Webkit-unassigned] [Bug 25550] New: polyline.points.appendItem(null) -> NULL ptr

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 4 11:31:14 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=25550

           Summary: polyline.points.appendItem(null) -> NULL ptr
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Keywords: GoogleBug
          Severity: Normal
          Priority: P1
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


I found this with my fuzzer in the latest Chrome 1.x release, so the stack
dumps and such contain no symbols, which is why I'm not attaching them.
However, I can repro in latest Chrome 2.x ToT build. The repro is simple and
reliable, so you should have no problem tracking down the root cause.

Repro:
<SCRIPT>
  polyline = document.createElementNS("http://www.w3.org/2000/svg", "polyline");
  polyline.points.appendItem(null);
</SCRIPT>


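As an added example that is not part of the bug report or of WebKit's code: a JavaScript model of SVGPointList.appendItem contrasting an unchecked implementation (the argument is dereferenced as-is, the script-level analogue of the reported NULL pointer read) with one that applies WebIDL's rule for a non-nullable interface-typed argument and rejects anything that is not an SVGPoint with a TypeError before the list code runs. The class and function names are hypothetical; probeAppendItem feeds each model the argument kinds a fuzzer would try and classifies the outcome.

```javascript
// Hypothetical model of SVGPoint / SVGPointList, not WebKit's implementation.
class SVGPoint {
  constructor(x, y) { this.x = x; this.y = y; }
}

// Unchecked model: trusts the argument and dereferences it directly.
// Here null.x throws a TypeError; in native code it is a NULL pointer read.
class UncheckedPointList {
  constructor() { this.items = []; }
  appendItem(newItem) {
    const copy = new SVGPoint(newItem.x, newItem.y); // no type check at all
    this.items.push(copy);
    return copy;
  }
}

// Hardened model: WebIDL semantics for a non-nullable interface-typed
// argument, so anything that is not an SVGPoint is rejected at the binding
// layer, before the list code ever dereferences it.
class CheckedPointList {
  constructor() { this.items = []; }
  appendItem(newItem) {
    if (!(newItem instanceof SVGPoint)) {
      throw new TypeError("SVGPointList.appendItem: argument 1 is not an SVGPoint");
    }
    const copy = new SVGPoint(newItem.x, newItem.y);
    this.items.push(copy);
    return copy;
  }
}

// Constructed probe inputs: the argument kinds a fuzzer would feed appendItem.
const PROBES = { null: null, undefined: undefined, number: 0, object: {}, point: new SVGPoint(1, 2) };

// Call appendItem once per probe on a fresh list and classify the outcome:
// "rejected" = refused by the argument check, "crash" = the dereference itself
// failed (the script-level analogue of the reported crash), "ok" = accepted.
function probeAppendItem(makeList) {
  const results = {};
  for (const [name, arg] of Object.entries(PROBES)) {
    try {
      makeList().appendItem(arg);
      results[name] = "ok";
    } catch (e) {
      results[name] = /not an SVGPoint/.test(e.message) ? "rejected" : "crash";
    }
  }
  return results;
}
```

Running probeAppendItem(() => new UncheckedPointList()) reports null and undefined as "crash" while silently accepting 0 and {} as points with undefined coordinates; probeAppendItem(() => new CheckedPointList()) reports all four as "rejected" and only the real SVGPoint as "ok".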