RESOLVED FIXED 62836
REGRESSION (r89035): HTMLTableRowsCollection constructor crashes; depends on compiler order of evaluation
https://bugs.webkit.org/show_bug.cgi?id=62836
Darin Adler
Reported 2011-06-16 18:10:59 PDT
This code is wrong:

    HTMLTableRowsCollection::HTMLTableRowsCollection(PassRefPtr<HTMLTableElement> table)
        : HTMLCollection(table, OtherCollection, table->collectionCache())
    {
    }

If the first argument is evaluated first, then the second may dereference null because of the semantics of PassRefPtr. The fix is simple.
Attachments
Patch (1.68 KB, patch)
2011-06-16 18:15 PDT, Darin Adler
mitz: review+
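
The hazard described in the report, as an added example that is not WebKit code: `PassPtr` is a simplified stand-in for PassRefPtr's transfer-on-copy behaviour, and `Table`, `Collection`, `cacheOf` and `makeCollection` are hypothetical names. Because C++ leaves argument evaluation order unspecified, both orders are written out as explicit statements, followed by one order-independent form (an assumption, not necessarily what the attached patch does).

```cpp
#include <cstdio>

// Simplified model (assumption): copying the handle transfers the pointer
// and leaves the source handle null, as the report says PassRefPtr does.
template <typename T> class PassPtr {
public:
    explicit PassPtr(T* p) : m_ptr(p) {}
    PassPtr(const PassPtr& o) : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    T* get() const { return m_ptr; }
private:
    mutable T* m_ptr;
};

struct Cache { int id; };
struct Table { Cache cache{7}; Cache* collectionCache() { return &cache; } };

// Models the base-class constructor: handle by value plus a cache pointer.
struct Collection {
    Table* base; Cache* cache;
    Collection(PassPtr<Table> t, Cache* c) : base(t.get()), cache(c) {}
};

// Null-checked accessor so the demo reports the hazard instead of crashing.
static Cache* cacheOf(const PassPtr<Table>& t) {
    return t.get() ? t.get()->collectionCache() : nullptr;
}

// Order A: cache argument computed before the handle is copied.
bool cacheFirstIsSafe() {
    Table table; PassPtr<Table> handle(&table);
    Cache* c = cacheOf(handle);       // handle still holds the pointer
    Collection col(handle, c);        // copy transfers; handle is now null
    return col.base == &table && col.cache == &table.cache;
}

// Order B: first parameter initialised (transfer) before the cache argument.
bool transferFirstSeesNull() {
    Table table; PassPtr<Table> handle(&table);
    PassPtr<Table> param(handle);     // what initialising the first parameter does
    Cache* c = cacheOf(handle);       // the reported code would dereference null here
    return handle.get() == nullptr && c == nullptr && param.get() == &table;
}

// Order-independent: read what is needed through a raw pointer, then transfer.
Collection makeCollection(PassPtr<Table> handle) {
    Table* raw = handle.get();
    Cache* c = raw->collectionCache();
    return Collection(handle, c);
}
```
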
Darin Adler
Comment 1 2011-06-16 18:15:16 PDT
Darin Adler
Comment 2 2011-06-16 18:17:04 PDT
Alexey Proskuryakov
Comment 3 2011-06-16 22:40:31 PDT
Should the HTMLTableRowsCollection constructor just be changed to take a raw pointer?
Darin Adler
Comment 4 2011-06-17 08:20:02 PDT
(In reply to comment #3)
> Should the HTMLTableRowsCollection constructor just be changed to take a raw pointer?

Since the function does take ownership of a reference, the PassRefPtr optimization works, so I think it's good to take a smart pointer, even though in this case we can’t take advantage of it.
Alexey Proskuryakov
Comment 5 2011-06-17 09:00:10 PDT
The only caller of HTMLTableRowsCollection::create() passes "this" to this function, and I don't see how any caller could possibly pass ownership of HTMLTableElement to HTMLTableRowsCollection.
Darin Adler
Comment 6 2011-06-17 09:25:49 PDT
(In reply to comment #5)
> The only caller of HTMLTableRowsCollection::create() passes "this" to this function, and I don't see how any caller could possibly pass ownership of HTMLTableElement to HTMLTableRowsCollection.

RefPtr implements a shared ownership model. The function does take ownership. On the other hand, if nobody ever takes advantage of it, I think it’s fine to use raw pointers instead.