Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (103448 => 103449)
--- branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog 2011-12-21 22:28:44 UTC (rev 103449)
@@ -1,5 +1,22 @@
2011-12-21 Lucas Forschler <lforsch...@apple.com>
+ Merge 94905
+
+ 2011-09-10 Ken Buchanan <ke...@chromium.org>
+
+ Crash due to bad data in SVGDocumentExtensions m_pendingResources.
+ https://bugs.webkit.org/show_bug.cgi?id=67488
+
+ Reviewed by Nikolas Zimmermann.
+
+ Test added: validating that the crash referenced in the bug is not present.
+
+ * svg/dom/SVGStyledElement-pendingResource-crash.html: Added.
+ * svg/dom/SVGStyledElement-pendingResource-crash-expected.txt: Added.
+ * svg/dom/resources/SVGStyledElement-pendingResource-crash.svg: Added.
+
+2011-12-21 Lucas Forschler <lforsch...@apple.com>
+
Merge 94857
2011-09-08 Abhishek Arya <infe...@chromium.org>
Copied: branches/safari-534.54-branch/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt (from rev 94905, trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt) (0 => 103449)
--- branches/safari-534.54-branch/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt 2011-12-21 22:28:44 UTC (rev 103449)
@@ -0,0 +1 @@
+PASS, if DumpRenderTree doesn't crash, and no assertion in a Debug build.
Copied: branches/safari-534.54-branch/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html (from rev 94905, trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html) (0 => 103449)
--- branches/safari-534.54-branch/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html 2011-12-21 22:28:44 UTC (rev 103449)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html >
+ <script>
+ function body_start() {
+ var q = document.getElementById('root').contentDocument;
+ q.getElementsByTagName('svg')[0].replaceChild(q.getElementById('refImage'), q.getElementById('d'));
+ q.getElementsByTagName('use')[0].setAttribute('xlink:href', '#testName');
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+ setTimeout(function () {
+ document.body.innerHTML = "PASS, if DumpRenderTree doesn't crash, and no assertion in a Debug build.";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }, 0);
+ }
+ </script>
+ <object data="" id="root" _onload_="body_start();" type="image/svg+xml"/></object>
+</html>
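Review bot: `body_start()` has no comment saying which steps reach the fixed code, so a later reader cannot tell why `replaceChild` and `setAttribute` are ordered this way. I would add above the function `// Replaces the <defs id="d"> subtree, whose children reference #testName and #refImage, with the image, then points the <use> at #testName; passes if nothing crashes or asserts.` As rendered here the `<object>` shows `data=""` and `_onload_`, which looks like archive sanitising rather than the committed text. It is worth checking against the repository copy that the handler and the SVG path are intact.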
Copied: branches/safari-534.54-branch/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg (from rev 94905, trunk/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg) (0 => 103449)
--- branches/safari-534.54-branch/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg 2011-12-21 22:28:44 UTC (rev 103449)
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <image id="refImage"/>
+ <g>
+ <text id="testName">X</text>
+ <use xlink:href="" />
+ </g>
+ <defs id="d">
+ <g id="navigationGroup" fill='url(#testName)'>
+ <a stroke='url(#refImage)'><text id="ABC">A</text></a>
+ </g>
+ </defs>
+</svg>
Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (103448 => 103449)
--- branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog 2011-12-21 22:28:44 UTC (rev 103449)
@@ -1,5 +1,36 @@
2011-12-21 Lucas Forschler <lforsch...@apple.com>
+ Merge 94905
+
+ 2011-09-10 Ken Buchanan <ke...@chromium.org>
+
+ Crash due to bad data in SVGDocumentExtensions m_pendingResources
+ https://bugs.webkit.org/show_bug.cgi?id=67488
+
+ Reviewed by Nikolas Zimmermann.
+
+ Resolving a crash condition caused by the deletion of
+ elements while pending resource entries for those elements are still
+ recorded.
+
+ * rendering/svg/RenderSVGResourceContainer.cpp:
+ (WebCore::RenderSVGResourceContainer::registerResource)
+ * svg/SVGDocumentExtensions.h:
+ (WebCore::SVGDocumentExtensions::isElementInPendingResources)
+ * svg/SVGDocumentExtensions.cpp:
+ (WebCore::SVGDocumentExtensions::addPendingResource)
+ (WebCore::SVGDocumentExtensions::isElementInPendingResources)
+ (WebCore::SVGDocumentExtensions::removeElementFromPendingResources)
+ * svg/SVGStyledElement.h:
+ (WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible)
+ * svg/SVGStyledElement.cpp:
+ (WebCore::SVGStyledElement::buildPendingResourcesIfNeeded)
+ (WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible)
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::svgAttributeChanged)
+
+2011-12-21 Lucas Forschler <lforsch...@apple.com>
+
Merge 94892
2011-09-09 Jessie Berlin <jber...@apple.com>
Modified: branches/safari-534.54-branch/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp (103448 => 103449)
--- branches/safari-534.54-branch/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp 2011-12-21 22:28:44 UTC (rev 103449)
@@ -168,7 +168,7 @@
const SVGDocumentExtensions::SVGPendingElements::const_iterator end = clients->end();
for (SVGDocumentExtensions::SVGPendingElements::const_iterator it = clients->begin(); it != end; ++it) {
ASSERT((*it)->hasPendingResources());
- (*it)->setHasPendingResources(false);
+ (*it)->clearHasPendingResourcesIfPossible();
RenderObject* renderer = (*it)->renderer();
if (!renderer)
continue;
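Review bot: `clearHasPendingResourcesIfPossible()` in this loop walks every set in `m_pendingResources` for each client (see `isElementInPendingResources` in SVGDocumentExtensions.cpp), so resolving one id costs roughly clients × pending ids, and the document content controls both numbers. The same per-client call is added in the loops in SVGStyledElement.cpp and SVGUseElement.cpp. If that cost is accepted, a comment at the call would record why a plain clear is not safe, e.g. `// Keep the flag while the element is still listed under another pending id.`; a per-element count of pending ids would avoid the scan but is a larger change. The enclosing function starts and ends outside the hunk.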
Modified: branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.cpp (103448 => 103449)
--- branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.cpp 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.cpp 2011-12-21 22:28:44 UTC (rev 103449)
@@ -227,7 +227,7 @@
m_pendingResources.add(id, set);
}
- element->setHasPendingResources(true);
+ element->setHasPendingResources();
}
bool SVGDocumentExtensions::hasPendingResources(const AtomicString& id) const
@@ -238,6 +238,24 @@
return m_pendingResources.contains(id);
}
+bool SVGDocumentExtensions::isElementInPendingResources(SVGStyledElement* element) const
+{
+ ASSERT(element);
+
+ if (m_pendingResources.isEmpty())
+ return false;
+
+ HashMap<AtomicString, SVGPendingElements*>::const_iterator end = m_pendingResources.end();
+ for (HashMap<AtomicString, SVGPendingElements*>::const_iterator it = m_pendingResources.begin(); it != end; ++it) {
+ SVGPendingElements* elements = it->second;
+ ASSERT(elements);
+
+ if (elements->contains(element))
+ return true;
+ }
+ return false;
+}
+
void SVGDocumentExtensions::removeElementFromPendingResources(SVGStyledElement* element)
{
ASSERT(element);
@@ -245,8 +263,6 @@
if (m_pendingResources.isEmpty() || !element->hasPendingResources())
return;
- element->setHasPendingResources(false);
-
Vector<AtomicString> toBeRemoved;
HashMap<AtomicString, SVGPendingElements*>::iterator end = m_pendingResources.end();
for (HashMap<AtomicString, SVGPendingElements*>::iterator it = m_pendingResources.begin(); it != end; ++it) {
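Review bot: The early return still trusts `element->hasPendingResources()`, so if the flag is ever false while the element is listed in a set, this function skips the removal. The set, which appears to hold raw `SVGStyledElement*` values, would then keep an entry after the element is gone, the kind of stale data the ChangeLog describes. The commit keeps the flag and the map in step, but nothing checks that they stay so. A debug check before the early return would catch a future regression: `ASSERT(element->hasPendingResources() || !isElementInPendingResources(element));`. The loop body and the call added in the next hunk belong to the same function, which continues outside both hunks.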
@@ -259,6 +275,8 @@
toBeRemoved.append(it->first);
}
+ element->clearHasPendingResourcesIfPossible();
+
if (toBeRemoved.isEmpty())
return;
Property changes on: branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.cpp
___________________________________________________________________
Added: svn:executable
Modified: branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.h (103448 => 103449)
--- branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.h 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.h 2011-12-21 22:28:44 UTC (rev 103449)
@@ -81,6 +81,7 @@
// For instance, dynamically build gradients / patterns / clippers...
void addPendingResource(const AtomicString& id, SVGStyledElement*);
bool hasPendingResources(const AtomicString& id) const;
+ bool isElementInPendingResources(SVGStyledElement*) const;
void removeElementFromPendingResources(SVGStyledElement*);
PassOwnPtr<SVGPendingElements> removePendingResource(const AtomicString& id);
};
Property changes on: branches/safari-534.54-branch/Source/WebCore/svg/SVGDocumentExtensions.h
___________________________________________________________________
Added: svn:executable
Modified: branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.cpp (103448 => 103449)
--- branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.cpp 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.cpp 2011-12-21 22:28:44 UTC (rev 103449)
@@ -379,7 +379,7 @@
for (SVGDocumentExtensions::SVGPendingElements::const_iterator it = clients->begin(); it != end; ++it) {
ASSERT((*it)->hasPendingResources());
(*it)->buildPendingResource();
- (*it)->setHasPendingResources(false);
+ (*it)->clearHasPendingResourcesIfPossible();
}
}
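Review bot: `buildPendingResource()` runs on each client while the loop iterates `clients`, and this hunk does not show whether that call can remove or destroy another element in the same set. If `clients` has already been detached from `m_pendingResources` (the earlier part of the function is outside the hunk), `removeElementFromPendingResources` could not find such an element to unlist it, and a later `(*it)` would be stale. Copying the set into a `Vector<RefPtr<SVGStyledElement> >` before the loop and iterating the copy would keep every client alive until the loop finishes.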
@@ -445,11 +445,17 @@
return hasRareSVGData() && rareSVGData()->hasPendingResources();
}
-void SVGStyledElement::setHasPendingResources(bool value)
+void SVGStyledElement::setHasPendingResources()
{
- ensureRareSVGData()->setHasPendingResources(value);
+ ensureRareSVGData()->setHasPendingResources(true);
}
+void SVGStyledElement::clearHasPendingResourcesIfPossible()
+{
+ if (!document()->accessSVGExtensions()->isElementInPendingResources(this))
+ ensureRareSVGData()->setHasPendingResources(false);
+}
+
AffineTransform SVGStyledElement::localCoordinateSpaceTransform(SVGLocatable::CTMScope) const
{
// To be overriden by SVGStyledLocatableElement/SVGStyledTransformableElement (or as special case SVGTextElement)
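Review bot: `clearHasPendingResourcesIfPossible()` calls `ensureRareSVGData()` just to store `false`, which would allocate rare data for an element that never had any, while `hasPendingResources()` above already treats missing rare data as false. SVGUseElement.cpp calls it on `this` without a preceding `ASSERT(hasPendingResources())`, so that path looks reachable. Guarding the write avoids the allocation: `if (hasRareSVGData() && !document()->accessSVGExtensions()->isElementInPendingResources(this)) rareSVGData()->setHasPendingResources(false);`. A one-line comment saying the flag is cleared only when the element is no longer listed under any pending id would also explain the "IfPossible" name.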
Property changes on: branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.cpp
___________________________________________________________________
Added: svn:executable
Modified: branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.h (103448 => 103449)
--- branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.h 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.h 2011-12-21 22:28:44 UTC (rev 103449)
@@ -50,7 +50,8 @@
void setInstanceUpdatesBlocked(bool);
bool hasPendingResources() const;
- void setHasPendingResources(bool);
+ void setHasPendingResources();
+ void clearHasPendingResourcesIfPossible();
AnimatedAttributeType animatedPropertyTypeForCSSProperty(const QualifiedName&);
static bool isAnimatableCSSProperty(const QualifiedName&);
Property changes on: branches/safari-534.54-branch/Source/WebCore/svg/SVGStyledElement.h
___________________________________________________________________
Added: svn:executable
Modified: branches/safari-534.54-branch/Source/WebCore/svg/SVGUseElement.cpp (103448 => 103449)
--- branches/safari-534.54-branch/Source/WebCore/svg/SVGUseElement.cpp 2011-12-21 22:24:26 UTC (rev 103448)
+++ branches/safari-534.54-branch/Source/WebCore/svg/SVGUseElement.cpp 2011-12-21 22:28:44 UTC (rev 103449)
@@ -171,11 +171,11 @@
const SVGDocumentExtensions::SVGPendingElements::const_iterator end = clients->end();
for (SVGDocumentExtensions::SVGPendingElements::const_iterator it = clients->begin(); it != end; ++it) {
ASSERT((*it)->hasPendingResources());
- (*it)->setHasPendingResources(false);
+ (*it)->clearHasPendingResourcesIfPossible();
}
m_resourceId = String();
- setHasPendingResources(false);
+ clearHasPendingResourcesIfPossible();
}
invalidateShadowTree();