[Webkit-unassigned] [Bug 48979] [Chromium] SVGListPropertyTearOff.h: function commitChange ASSERTs on Win & Mac

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 4 09:02:01 PDT 2010


--- Comment #2 from Nikolas Zimmermann <zimmermann at kde.org>  2010-11-04 09:02:01 PST ---
Interesting, the garbage collection in v8 is freeing the SVGPropertyTearOff wrapper earlier than JSC, and thanks to that I found the bug:

    PassListItemTearOff removeItemValuesAndWrappers(AnimatedListPropertyTearOff* animatedList, unsigned index, ExceptionCode& ec)
        // Detach the existing wrapper.
        RefPtr<ListItemTearOff>& oldItem = wrappers.at(index);
        if (oldItem) {

The wrappers.remove(index) needs to be moved out of the if clause, otherwise the list sizes don't match. Unfortunately I need to leave now :(
I think I can fix it tomorrow or tonight.
Or if anyone else wants to do that, here's how to fix :-)
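
The size mismatch described in the comment above, reduced to a small model. This is an added example, not part of the original comment and not WebKit code: `Wrapper`, `TearOffList`, `removeItemBuggy`, `removeItemFixed`, `makeList` and `staysInSync` are hypothetical names, `std::shared_ptr` stands in for `RefPtr`, and a null slot is assumed to model a wrapper that is no longer present when the item is removed.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-ins: parallel value/wrapper lists; a null slot models a
// wrapper that is absent (never created, or already released by the GC).
struct Wrapper { bool attached = true; };
struct TearOffList {
    std::vector<float> values;
    std::vector<std::shared_ptr<Wrapper>> wrappers;
    bool inSync() const { return values.size() == wrappers.size(); }
};

// Shape described in the comment: the slot is erased only when a wrapper exists.
void removeItemBuggy(TearOffList& list, std::size_t index) {
    std::shared_ptr<Wrapper> oldItem = list.wrappers.at(index);
    if (oldItem) {
        oldItem->attached = false;                           // detach the wrapper
        list.wrappers.erase(list.wrappers.begin() + index);  // skipped for a null slot
    }
    list.values.erase(list.values.begin() + index);
}

// Fix described in the comment: erase the slot unconditionally.
void removeItemFixed(TearOffList& list, std::size_t index) {
    std::shared_ptr<Wrapper> oldItem = list.wrappers.at(index);
    if (oldItem) oldItem->attached = false;
    list.wrappers.erase(list.wrappers.begin() + index);
    list.values.erase(list.values.begin() + index);
}

// Constructed data: three items, only index 1 optionally has a live wrapper.
TearOffList makeList(bool wrapperAlive) {
    TearOffList list;
    list.values = {1.0f, 2.0f, 3.0f};
    list.wrappers.resize(3);
    if (wrapperAlive) list.wrappers[1] = std::make_shared<Wrapper>();
    return list;
}

bool staysInSync(void (*removeItem)(TearOffList&, std::size_t), bool wrapperAlive) {
    TearOffList list = makeList(wrapperAlive);
    removeItem(list, 1);
    return list.inSync();
}

int main() {
    std::printf("buggy, wrapper gone: %d\n", staysInSync(removeItemBuggy, false));
    std::printf("fixed, wrapper gone: %d\n", staysInSync(removeItemFixed, false));
}
```

In this model the buggy form only goes out of sync when the slot is already empty, so a runtime that keeps the wrapper alive longer never reaches the failing path.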
