[Webkit-unassigned] [Bug 48555] New: ASSERT when SVGAnimatedProperty instance is assigned to multiple elements.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 28 13:23:04 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=48555

           Summary: ASSERT when SVGAnimatedProperty instance is assigned
                    to multiple elements.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jschuh at chromium.org
                CC: zimmermann at kde.org, mdelaney at apple.com


Here's the repro:

<script>
  var oFEConvolveMatrix = document.createElementNS("http://www.w3.org/2000/svg", "feConvolveMatrix");
  document.createElementNS("http://www.w3.org/2000/svg", "altGlyph").x.baseVal.insertItemBefore(oFEConvolveMatrix.width.baseVal);
</script>



Inside SVGListPropertyTearOff::insertItemBefore we fail to remove the supplied item from its owning element before assigning it to a new element. The result is that the property ends up shared by two elements at once. The following ASSERT in SVGAnimatedProperty::removeItemFromList gets triggered when the property should be removed from the original owner:

    virtual int removeItemFromList(SVGProperty*, bool)
    {
        ASSERT_NOT_REACHED();
        return -1;
    }

Originally reported here: http://code.google.com/p/chromium/issues/detail?id=61064


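The single-owner invariant that the report says insertItemBefore fails to enforce, as an added C++ model that is not part of the original message and is not WebKit code. `Item`, `ItemList`, `detach`, `insertUnchecked` and the `ownedByScalar` flag are hypothetical names; copying an item held by a non-list owner is this example's assumption, not a statement of how WebKit fixed the bug.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

struct ItemList;
// Hypothetical model of a list item; not a WebKit type.
struct Item {
    float value = 0;
    ItemList* owner = nullptr;   // list currently holding this item
    bool ownedByScalar = false;  // held by a non-list property, which cannot remove it
};

struct ItemList {
    std::vector<std::shared_ptr<Item>> items;

    void detach(const std::shared_ptr<Item>& item) {
        items.erase(std::remove(items.begin(), items.end(), item), items.end());
        item->owner = nullptr;
    }
    // Behaviour described in the report: insert without detaching first.
    void insertUnchecked(const std::shared_ptr<Item>& item, std::size_t index) {
        items.insert(items.begin() + std::min(index, items.size()), item);
        item->owner = this;
    }
    // Hardened variant: the returned item has exactly one owner, this list.
    std::shared_ptr<Item> insertItemBefore(std::shared_ptr<Item> item, std::size_t index) {
        if (item->ownedByScalar) {
            // Assumption of this example: copy rather than steal from a non-list owner.
            auto copy = std::make_shared<Item>();
            copy->value = item->value;
            item = copy;
        } else if (item->owner) {
            item->owner->detach(item);  // remove from the previous list first
        }
        insertUnchecked(item, index);
        return item;
    }
};

int main() {
    ItemList a, b;
    auto item = std::make_shared<Item>();
    a.insertItemBefore(item, 0);
    b.insertItemBefore(item, 0);  // moves the item, so a ends up empty
    return (a.items.empty() && b.items.size() == 1) ? 0 : 1;
}
```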