[Webkit-unassigned] [Bug 40857] New: Altering the CSS class of an attached SVG element causes WebKit to crash
bugzilla-daemon at webkit.org
Fri Jun 18 14:00:03 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=40857
Summary: Altering the CSS class of an attached SVG element causes WebKit to crash
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.6
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fsamuel at chromium.org
The attached HTML file causes WebKit-based browsers to crash (Safari/Chrome).
It will crash after you click OK in the JavaScript alert box.
I looked a bit into this:
The JavaScript line:
ellipse.className.baseVal = "cls1";
results in a call to StyledElement::classNames which then requests the classNames from the attribute map.
At the time, the attribute map does not exist. An assert fails because it has not yet been created.
It seems a simple fix is to create it if it hasn't been created.
Looking at other code, it appears that the attribute map is created lazily when needed.
According to Darin Adler, it’s not legal to call StyledElement::classNames without first checking hasClass. And if hasClass is true, then there will already be an attribute map. Calling mappedAttributes() or attributeMap() instead of calling attributes(false) is done for speed.
I am currently investigating this further.
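As an added illustration, not WebKit's code and not part of the report, here is a hypothetical C++ model of the invariant described above: an element whose attribute map is created lazily, a classNames() accessor whose precondition is that hasClass() is true (which implies the map already exists), and a caller that honours that contract instead of dereferencing a map that was never created. The class, method and function names (StyledElement, AttributeMap, guardedClassCount, freshElementScenarioHolds) are simplified assumptions chosen for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical simplified model (not WebKit's code) of an element whose
// attribute map is created lazily, plus the hasClass() guard that callers
// of classNames() are expected to check first.

struct AttributeMap {
    std::vector<std::string> classNames;  // parsed from the "class" attribute
};

class StyledElement {
public:
    bool hasClass() const { return m_hasClass; }
    bool hasAttributeMap() const { return m_attributeMap != nullptr; }

    // Precondition: hasClass() is true. hasClass() can only become true
    // once the map exists, so the dereference below is safe whenever the
    // caller honours the precondition. Calling this on a freshly created
    // element with no attribute map is the misuse the report describes.
    const std::vector<std::string>& classNames() const {
        assert(m_hasClass);
        assert(m_attributeMap);
        return m_attributeMap->classNames;
    }

    // Setting the class attribute creates the map on demand and then
    // updates hasClass() to reflect whether any class names are present.
    void setClassAttribute(const std::string& value) {
        AttributeMap& map = ensureAttributeMap();
        map.classNames = splitOnWhitespace(value);
        m_hasClass = !map.classNames.empty();
    }

private:
    AttributeMap& ensureAttributeMap() {
        if (!m_attributeMap)
            m_attributeMap = std::make_unique<AttributeMap>();
        return *m_attributeMap;
    }

    static std::vector<std::string> splitOnWhitespace(const std::string& value) {
        std::istringstream in(value);
        std::vector<std::string> out;
        for (std::string token; in >> token;)
            out.push_back(token);
        return out;
    }

    std::unique_ptr<AttributeMap> m_attributeMap;  // absent until first needed
    bool m_hasClass = false;
};

// The guarded read: check hasClass() before touching classNames(), which is
// the contract the report describes. Returns 0 for an element that has no
// class attribute instead of dereferencing a missing map.
std::size_t guardedClassCount(const StyledElement& element) {
    if (!element.hasClass())
        return 0;
    return element.classNames().size();
}

// Convenience for exercising the parser: set the attribute on a fresh
// element and report how many class names the guarded read sees.
std::size_t classCountAfterSet(const std::string& value) {
    StyledElement element;
    element.setClassAttribute(value);
    return guardedClassCount(element);
}

// Walks through the scenario from the report: a freshly created element has
// no attribute map yet, so a guarded read yields 0 rather than tripping the
// assertion; after the class attribute is set, the map exists and the read
// succeeds. Returns true if every step behaved as expected.
bool freshElementScenarioHolds() {
    StyledElement ellipse;
    if (ellipse.hasAttributeMap() || ellipse.hasClass())
        return false;
    if (guardedClassCount(ellipse) != 0)
        return false;
    ellipse.setClassAttribute("cls1");
    return ellipse.hasAttributeMap() && ellipse.hasClass()
        && guardedClassCount(ellipse) == 1;
}
```

The point of the model is the ordering: the map is created by the write path (setClassAttribute), and the read path (classNames) assumes that creation has already happened. A read that reaches classNames() on a just-created element, as the report describes for `ellipse.className.baseVal = "cls1"`, violates that assumption, so either the read must be guarded by hasClass() or the write path must create the map before anything reads it.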