-
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=67555 Patch by Rob Buis <rbuis@rim.com> on 2011-09-23 Reviewed by Nikolas Zimmermann. Source/WebCore: Event listeners can outlive the tref element that created them when the tref is cloned and then garbage collected, causing a dangling pointer to the tref. To fix this do not install event listener until the tref is inserted into the document. Test: svg/custom/tref-clone-crash.html * svg/SVGTRefElement.cpp: (WebCore::SVGTRefElement::svgAttributeChanged): (WebCore::SVGTRefElement::insertedIntoDocument): * svg/SVGTRefElement.h: LayoutTests: Test that cloned tref does not cause a crash. * svg/custom/tref-clone-crash-expected.txt: Added. * svg/custom/tref-clone-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95791 268f45cc-cd09-0410-ab3c-d52691b4dbfc
33937746