[Webkit-unassigned] [Bug 78700] New: SVG TRef/Use NULL ptr
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Feb 15 05:23:42 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=78700
Summary: SVG TRef/Use NULL ptr
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org, zimmermann at kde.org
http://code.google.com/p/chromium/issues/detail?id=114358
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="g">
<animate id="animate">
</animate>
<tref xlink:href="#animate">
</tref>
</g>
<use xlink:href="#g">
</use>
</svg>
src\third_party\webkit\source\webcore\svg\svgtrefelement.cpp
void SVGTRefElement::buildPendingResource()
{
<<<snip>>>
m_eventListener = SubtreeModificationEventListener::create(this, id);
ASSERT(target->parentNode());
target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
}
src\third_party\webkit\source\webcore\dom\node.cpp
bool Node::addEventListener(const AtomicString& eventType, PassRefPtr<EventListener> listener, bool useCapture)
{
<<<snip>>>
for (HashSet<SVGElementInstance*>::const_iterator it = instances.begin(); it != end; ++it) {
ASSERT((*it)->shadowTreeElement());
ASSERT((*it)->correspondingElement() == this);
RefPtr<EventListener> listenerForCurrentShadowTreeElement = listenerForShadowTree;
bool result = tryAddEventListener((*it)->shadowTreeElement(), eventType, listenerForCurrentShadowTreeElement.release(), useCapture);
<<<snip>>>
(*it) points to an SVGUseElement which doesn't have a shadowTreeElement, causing the NULL ptr.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list