This code is wrong:

    HTMLTableRowsCollection::HTMLTableRowsCollection(PassRefPtr<HTMLTableElement> table)
        : HTMLCollection(table, OtherCollection, table->collectionCache())
    {
    }

If the first argument is evaluated first, then the second may dereference null because of the semantics of PassRefPtr. The fix is simple.
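To make the hazard in the report concrete, here is an added example (not WebKit's code, and the fix shown is a general pattern, not necessarily the one committed): Cache, Element, PassRefPtr and Collection are simplified stand-ins that keep only the ownership-transfer semantics of the real types. It spells out the unlucky argument evaluation order deterministically instead of relying on the compiler's choice.

```cpp
// Added example, not WebKit's code: a minimal model of PassRefPtr semantics.
// Copying a PassRefPtr transfers its reference and leaves the source null,
// which is what makes the initializer list in the report hazardous.
struct Cache { int id; };

struct Element {
    int refCount = 1;                            // the one reference PassRefPtr adopts below
    Cache cache{42};
    void deref() { --refCount; }
    Cache* collectionCache() { return &cache; }
};

template<typename T> class PassRefPtr {
public:
    explicit PassRefPtr(T* p) : m_ptr(p) {}
    PassRefPtr(const PassRefPtr& o) : m_ptr(o.leakRef()) {}   // copy = ownership transfer
    T* leakRef() const { T* p = m_ptr; m_ptr = nullptr; return p; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }                   // null after a transfer
private:
    mutable T* m_ptr;
};

// Stand-in for HTMLCollection(table, ...): takes the reference, keeps a raw cache pointer.
struct Collection {
    Element* m_base; Cache* m_cache;
    Collection(PassRefPtr<Element> base, Cache* cache) : m_base(base.leakRef()), m_cache(cache) {}
    ~Collection() { m_base->deref(); }
};

// `Collection(table, table->collectionCache())` evaluates its arguments in unspecified
// order. Spelled out in the unlucky order: copying `table` into the first parameter
// transfers ownership, so the second argument's `table->` dereferences null.
bool secondArgSeesNull() {
    Element element;
    PassRefPtr<Element> table(&element);
    PassRefPtr<Element> firstArg(table);             // first argument evaluated first
    bool wouldCrash = (table.get() == nullptr);      // table->collectionCache() would crash here
    Collection c(firstArg, &element.cache);          // hand the reference on so the count balances
    return wouldCrash;                               // true
}

// Fixed pattern: read through the pointer in its own statement, then transfer ownership.
int safeCacheId() {
    Element element;
    PassRefPtr<Element> table(&element);
    Cache* cache = table->collectionCache();         // sequenced before any transfer
    int id;
    { Collection c(table, cache); id = c.m_cache->id; }   // `table` is nulled here, harmlessly
    return element.refCount == 0 ? id : -1;          // 42: reference released, no leak, no crash
}
```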
Created attachment 97533: Patch
Committed r89096: <http://trac.webkit.org/changeset/89096>
Should the HTMLTableRowsCollection constructor just be changed to take a raw pointer?
(In reply to comment #3)
> Should the HTMLTableRowsCollection constructor just be changed to take a raw pointer?

Since the function does take ownership of a reference, the PassRefPtr optimization works, so I think it's good to take a smart pointer, even though in this case we can’t take advantage of it.
The only caller of HTMLTableRowsCollection::create() passes "this" to this function, and I don't see how any caller could possibly pass ownership of HTMLTableElement to HTMLTableRowsCollection.
(In reply to comment #5)
> The only caller of HTMLTableRowsCollection::create() passes "this" to this function, and I don't see how any caller could possibly pass ownership of HTMLTableElement to HTMLTableRowsCollection.

RefPtr implements a shared ownership model. The function does take ownership. On the other hand, if nobody ever takes advantage of it, I think it’s fine to use raw pointers instead.