[Webkit-unassigned] [Bug 48979] [Chromium] SVGListPropertyTearOff.h: function commitChange ASSERTs on Win & Mac
bugzilla-daemon at webkit.org
Thu Nov 4 09:02:01 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=48979
--- Comment #2 from Nikolas Zimmermann <zimmermann at kde.org> 2010-11-04 09:02:01 PST ---
Interesting, the garbage collection in v8 is freeing the SVGPropertyTearOff wrapper earlier than JSC, and thanks to that I found the bug:
PassListItemTearOff removeItemValuesAndWrappers(AnimatedListPropertyTearOff* animatedList, unsigned index, ExceptionCode& ec)
{
    ....
    // Detach the existing wrapper.
    RefPtr<ListItemTearOff>& oldItem = wrappers.at(index);
    if (oldItem) {
        oldItem->detachWrapper();
        wrappers.remove(index);
    }
The wrappers.remove(index) needs to be moved out of the if clause, otherwise the list sizes don't match. Unfortunately I need to leave now :(
I think I can fix it tomorrow or tonight.
Or if anyone else wants to do that, here's how to fix :-)
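The size mismatch described in the comment above, as an added example that is not WebKit code and not part of the original mail. Wrapper, AnimatedList and the helper functions are hypothetical stand-ins built on the standard library, and the model assumes the elided part of the function removes the value at the same index and that a wrapper slot stays null until a wrapper is created for that item.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

struct Wrapper {                 // stand-in for ListItemTearOff
    bool attached = true;
    void detachWrapper() { attached = false; }
};

struct AnimatedList {            // stand-in for the animated list property
    std::vector<int> values;                         // underlying items
    std::vector<std::shared_ptr<Wrapper>> wrappers;  // one slot per value, may be null
};

// Pattern from the comment: the wrapper slot is erased only when a wrapper exists.
void removeItemBuggy(AnimatedList& list, std::size_t index)
{
    std::shared_ptr<Wrapper> oldItem = list.wrappers.at(index);
    if (oldItem) {
        oldItem->detachWrapper();
        list.wrappers.erase(list.wrappers.begin() + index);
    }
    list.values.erase(list.values.begin() + index);  // assumed: value is always removed
}

// Fix suggested in the comment: detach conditionally, erase the slot unconditionally.
void removeItemFixed(AnimatedList& list, std::size_t index)
{
    std::shared_ptr<Wrapper> oldItem = list.wrappers.at(index);
    if (oldItem)
        oldItem->detachWrapper();
    list.wrappers.erase(list.wrappers.begin() + index);
    list.values.erase(list.values.begin() + index);
}

// Builds a three-item list with one live wrapper at wrapperIndex, removes
// removeIndex, and reports whether both lists still have the same size.
bool staysInSync(bool useFix, std::size_t wrapperIndex, std::size_t removeIndex)
{
    AnimatedList list;
    list.values = {10, 20, 30};                      // constructed sample data
    list.wrappers.resize(3);
    list.wrappers[wrapperIndex] = std::make_shared<Wrapper>();
    if (useFix) removeItemFixed(list, removeIndex);
    else removeItemBuggy(list, removeIndex);
    return list.values.size() == list.wrappers.size();
}

int main() { return staysInSync(true, 1, 0) && !staysInSync(false, 1, 0) ? 0 : 1; }
```

The buggy variant only stays consistent when the removed index happens to hold a live wrapper, so whether the size check trips depends on which wrappers exist at the time of the call.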