[Webkit-unassigned] [Bug 46760] New: Webkit crashes during animation event processing
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Sep 28 15:59:39 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=46760
Summary: Webkit crashes during animation event processing
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows 7
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Layout and Rendering
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: cabanier at adobe.com
While processing animation events, Webkit crashes in AnimationController.cpp:
Vector<EventToDispatch>::const_iterator eventsToDispatchEnd = m_eventsToDispatch.end();
for (Vector<EventToDispatch>::const_iterator it = m_eventsToDispatch.begin(); it != eventsToDispatchEnd; ++it) {
if (it->eventType == eventNames().webkitTransitionEndEvent)
it->element->dispatchEvent(WebKitTransitionEvent::create(it->eventType, it->name, it->elapsedTime));
else
it->element->dispatchEvent(WebKitAnimationEvent::create(it->eventType, it->name, it->elapsedTime)); <- CRASH
}
because it->element is invalid.
I suspect that the element was invalidated by one of the previous event handlers. Because the code doesn't check if it->element is still valid, webkit crashes.
It seems that the following change should fix the issue:
Vector<EventToDispatch>::const_iterator eventsToDispatchEnd = m_eventsToDispatch.end();
for (Vector<EventToDispatch>::const_iterator it = m_eventsToDispatch.begin(); it != eventsToDispatchEnd; ++it) {
if(!it->element)
continue;
if (it->eventType == eventNames().webkitTransitionEndEvent)
it->element->dispatchEvent(WebKitTransitionEvent::create(it->eventType, it->name, it->elapsedTime));
else
it->element->dispatchEvent(WebKitAnimationEvent::create(it->eventType, it->name, it->elapsedTime)); <-
}
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list