[Webkit-unassigned] [Bug 48979] [Chromium] SVGListPropertyTearOff.h: function commitChange ASSERTs on Win & Mac

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 4 09:02:01 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=48979





--- Comment #2 from Nikolas Zimmermann <zimmermann at kde.org>  2010-11-04 09:02:01 PST ---
Interesting, the garbage collection in v8 is freeing the SVGPropertyTearOff wrapper earlier than JSC, and thanks to that I found the bug:


    PassListItemTearOff removeItemValuesAndWrappers(AnimatedListPropertyTearOff* animatedList, unsigned index, ExceptionCode& ec)
    {
....
        // Detach the existing wrapper.
        RefPtr<ListItemTearOff>& oldItem = wrappers.at(index);
        if (oldItem) {
            oldItem->detachWrapper();
            wrappers.remove(index);
        }


The wrappers.remove(index) needs to be moved out of the if clause, otherwise the list sizes don't match. Unfortunately I need to leave now :(
I think I can fix it tomorrow or tonight.
Or if anyone else wants to do that, here's how to fix :-)

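The size mismatch described in the comment above can be reproduced with a simplified model. This is an added example, not WebKit code: `ListModel`, `Wrapper`, `removeItemBuggy`, `removeItemFixed`, `sizesMatch` and `makeSample` are hypothetical names, `std::shared_ptr` stands in for `RefPtr`, and a null slot is assumed to represent an index whose wrapper is no longer alive.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Simplified model, not WebKit source; all names below are hypothetical.
struct Wrapper {
    bool attached = true;
    void detachWrapper() { attached = false; }
};

struct ListModel {
    std::vector<float> values;                       // the list items
    std::vector<std::shared_ptr<Wrapper>> wrappers;  // parallel cache; null = no live wrapper
};

// Pattern quoted in the comment: the slot is erased only when a wrapper exists.
void removeItemBuggy(ListModel& list, std::size_t index) {
    std::shared_ptr<Wrapper>& oldItem = list.wrappers.at(index);
    if (oldItem) {
        oldItem->detachWrapper();
        list.wrappers.erase(list.wrappers.begin() + index);
    }
    // Assumption: the value itself is removed in the part the comment elides.
    list.values.erase(list.values.begin() + index);
}

// Change described in the comment: erase the slot unconditionally.
void removeItemFixed(ListModel& list, std::size_t index) {
    if (std::shared_ptr<Wrapper> oldItem = list.wrappers.at(index))
        oldItem->detachWrapper();
    list.wrappers.erase(list.wrappers.begin() + index);
    list.values.erase(list.values.begin() + index);
}

bool sizesMatch(const ListModel& list) { return list.values.size() == list.wrappers.size(); }

// Constructed sample: three items, no live wrapper for the middle one.
ListModel makeSample() {
    return {{1.0f, 2.0f, 3.0f}, {std::make_shared<Wrapper>(), nullptr, std::make_shared<Wrapper>()}};
}

int main() {
    ListModel a = makeSample(), b = makeSample();
    removeItemBuggy(a, 1);  // leaves 2 values but 3 wrapper slots
    removeItemFixed(b, 1);  // both lists shrink together
    return (!sizesMatch(a) && sizesMatch(b)) ? 0 : 1;
}
```

With a live wrapper at the removed index both versions keep the lists in step, which is consistent with the bug only surfacing once the wrapper had been freed earlier.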