This website requires JavaScript.
Explore
Help
Sign In
nephele
/
haikuwebkit
Watch
1
Star
0
Fork
You've already forked haikuwebkit
0
Code
Issues
Releases
Activity
haiku
haikuwebkit
/
LayoutTests
/
svg
/
custom
/
tref-clone-crash-expected.txt
2 lines
5 B
Plaintext
Raw
Permalink
Normal View
History
Unescape
Escape
use after free in WebCore::SVGTRefElement::updateReferencedText https://bugs.webkit.org/show_bug.cgi?id=67555 Patch by Rob Buis <rbuis@rim.com> on 2011-09-23 Reviewed by Nikolas Zimmermann. Source/WebCore: Event listeners can outlive the tref element that created them when the tref is cloned and then garbage collected, causing a dangling pointer to the tref. To fix this do not install event listener until the tref is inserted into the document. Test: svg/custom/tref-clone-crash.html * svg/SVGTRefElement.cpp: (WebCore::SVGTRefElement::svgAttributeChanged): (WebCore::SVGTRefElement::insertedIntoDocument): * svg/SVGTRefElement.h: LayoutTests: Test that cloned tref does not cause a crash. * svg/custom/tref-clone-crash-expected.txt: Added. * svg/custom/tref-clone-crash.html: Added. Canonical link: https://commits.webkit.org/84633@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@95791 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2011-09-23 10:56:23 +00:00
PASS