[Webkit-unassigned] [Bug 64104] SVG animation API crashes on SVGAnimateTransform

Thu Jul 14 05:20:29 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=64104

--- Comment #5 from Nikolas Zimmermann <zimmermann at kde.org>  2011-07-14 05:20:29 PST ---
(From update of attachment 100724)
View in context: https://bugs.webkit.org/attachment.cgi?id=100724&action=review

Patch looks great, still some questions before I can set r+/r-:

>> Source/WebCore/svg/SVGAnimateTransformElement.cpp:124
>> +        return static_cast<SVGStyledTransformableElement*>(element)->transformAnimated();
> 
> we don't want to have animVal but baseVal here.

This is not related. "fooAnimated()" gives back an SVGAnimatedProperty which holds both animVal and baseVal.

> Source/WebCore/svg/SVGAnimateTransformElement.cpp:154
> +        if (RefPtr<SVGAnimatedTransformList> list = animatedTransformListFor(targetElement)) {
> +            list->detachListWrappers(0);
> +            list->values().clear();
> +        }

This is just fine as-is. When we support animVal, we want to clear only the anim val wrappers and list here, not the baseVal.

> Source/WebCore/svg/SVGAnimateTransformElement.cpp:173
> +    if (!isAdditive()) {
> +        animatedList->detachListWrappers(0);
> +        animatedList->values().clear();
> +    }

Ditto.

> Source/WebCore/svg/SVGAnimateTransformElement.cpp:178
> +    animatedList->wrappers().append(static_cast<WebCore::SVGPropertyTearOff<SVGTransform> *>(0));

Why is passing 0 safe here?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.