Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (145941 => 145942)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-15 21:30:31 UTC (rev 145941)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-15 21:37:26 UTC (rev 145942)
@@ -1,5 +1,19 @@
2013-03-15 Lucas Forschler <lforsch...@apple.com>
+ Merge r132724
+
+ 2012-10-26 Philip Rogers <p...@google.com>
+
+ Prevent NaN offset values in ElementTimeControl.
+ https://bugs.webkit.org/show_bug.cgi?id=100322
+
+ Reviewed by Abhishek Arya.
+
+ * svg/custom/elementTimeControl-nan-crash-expected.txt: Added.
+ * svg/custom/elementTimeControl-nan-crash.html: Added.
+
+2013-03-15 Lucas Forschler <lforsch...@apple.com>
+
Merge r132511
2012-10-25 Tom Sepez <tse...@chromium.org>
Copied: branches/safari-536.30-branch/LayoutTests/svg/custom/elementTimeControl-nan-crash-expected.txt (from rev 132724, trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash-expected.txt) (0 => 145942)
--- branches/safari-536.30-branch/LayoutTests/svg/custom/elementTimeControl-nan-crash-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/svg/custom/elementTimeControl-nan-crash-expected.txt 2013-03-15 21:37:26 UTC (rev 145942)
@@ -0,0 +1 @@
+Test for WK100322: ElementTimeControl should check for invalid values. This test passes if it does not crash.
Copied: branches/safari-536.30-branch/LayoutTests/svg/custom/elementTimeControl-nan-crash.html (from rev 132724, trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash.html) (0 => 145942)
--- branches/safari-536.30-branch/LayoutTests/svg/custom/elementTimeControl-nan-crash.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/svg/custom/elementTimeControl-nan-crash.html 2013-03-15 21:37:26 UTC (rev 145942)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ function crash() {
+ var animate = document.getElementById('animate');
+ var svg = document.getElementById('svg');
+ animate.endElementAt(NaN);
+ animate.beginElementAt(NaN);
+ svg.setCurrentTime(2);
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ }
+</script>
+</head>
+<body _onload_="crash()">
+Test for WK100322: ElementTimeControl should check for invalid values. This test passes if it does not crash.
+
+<svg id="svg" width="200" height="200">
+ <rect x="0" y="0" width="100" height="100" fill="green">
+ <animate id="animate" attributeName="x" to="200" begin="3s"/>
+ </rect>
+</svg>
+</body>
+</html>
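Review bot: The body tag on the line `<body _onload_="crash()">` carries an `_onload_` attribute; if that is the literal text in the file rather than an artifact of how this page renders event attributes, `crash()` never runs and the test passes vacuously without calling endElementAt/beginElementAt at all. The intended line is presumably `<body onload="crash()">`, and that is worth confirming against the checked-in file. The test also exercises only NaN; since the C++ guard in SVGAnimationElement.cpp rejects nothing else, adding sibling calls with `Infinity` and `-Infinity` would document whether those inputs are meant to be accepted.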
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145941 => 145942)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-15 21:30:31 UTC (rev 145941)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-15 21:37:26 UTC (rev 145942)
@@ -1,5 +1,38 @@
2013-03-15 Lucas Forschler <lforsch...@apple.com>
+ Merge r132724
+
+ 2012-10-26 Philip Rogers <p...@google.com>
+
+ Prevent NaN offset values in ElementTimeControl.
+ https://bugs.webkit.org/show_bug.cgi?id=100322
+
+ Reviewed by Abhishek Arya.
+
+ NaN values can cause ElementTimeControl to go back in time!
+ If a value of NaN is passed to ElementTimeControl::beginElementAt(offset),
+ subsequent sorting will cause an assert in SVGSMILElement::findInstanceTime
+ because NaN values are not properly sorted. NaN SMILTime values
+ should not be allowed at all, so this patch adds a check for them in
+ ElementTimeControl's setters.
+
+ This patch also adds preventative asserts to catch if SMILTime is ever
+ initialized with NaN, or if addEndTime/addBeginTime are ever called
+ with NaN values.
+
+ Test: svg/custom/elementTimeControl-nan-crash.html
+
+ * svg/SVGAnimationElement.cpp:
+ (WebCore::SVGAnimationElement::beginElementAt):
+ (WebCore::SVGAnimationElement::endElementAt):
+ * svg/animation/SMILTime.h:
+ (WebCore::SMILTime::SMILTime):
+ * svg/animation/SVGSMILElement.cpp:
+ (WebCore::SVGSMILElement::addBeginTime):
+ (WebCore::SVGSMILElement::addEndTime):
+
+2013-03-15 Lucas Forschler <lforsch...@apple.com>
+
Merge r132511
2012-10-25 Tom Sepez <tse...@chromium.org>
Modified: branches/safari-536.30-branch/Source/WebCore/svg/SVGAnimationElement.cpp (145941 => 145942)
--- branches/safari-536.30-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2013-03-15 21:30:31 UTC (rev 145941)
+++ branches/safari-536.30-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2013-03-15 21:37:26 UTC (rev 145942)
@@ -46,6 +46,7 @@
#include "SVGURIReference.h"
#include "SVGUseElement.h"
#include "XLinkNames.h"
+#include <wtf/MathExtras.h>
#include <wtf/StdLibExtras.h>
using namespace std;
@@ -242,6 +243,8 @@
void SVGAnimationElement::beginElementAt(float offset)
{
+ if (isnan(offset))
+ return;
SMILTime elapsed = this->elapsed();
addBeginTime(elapsed, elapsed + offset, SMILTimeWithOrigin::ScriptOrigin);
}
@@ -253,6 +256,8 @@
void SVGAnimationElement::endElementAt(float offset)
{
+ if (isnan(offset))
+ return;
SMILTime elapsed = this->elapsed();
addEndTime(elapsed, elapsed + offset, SMILTimeWithOrigin::ScriptOrigin);
}
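Review bot: The new `if (isnan(offset)) return;` in beginElementAt and endElementAt inspects only the incoming `offset`, but the value handed to addBeginTime/addEndTime is `elapsed + offset`, so a non-finite `elapsed` combined with an infinite `offset` of the opposite sign would still yield NaN and trip the SMILTime assert downstream; whether elapsed() can be non-finite is not visible here and needs confirming. Guarding the computed sum instead of the input closes that gap in both setters: `SMILTime elapsed = this->elapsed();` / `double beginTime = elapsed.value() + offset;` / `if (isnan(beginTime)) return;` followed by passing `beginTime` to addBeginTime (and the same shape with `endTime` in endElementAt). A one-line comment such as `// NaN offsets would break the ordering sortTimeList relies on; drop them here, since SMILTime only asserts in debug builds.` would record why the check lives at the script-facing boundary.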
Modified: branches/safari-536.30-branch/Source/WebCore/svg/animation/SMILTime.h (145941 => 145942)
--- branches/safari-536.30-branch/Source/WebCore/svg/animation/SMILTime.h 2013-03-15 21:30:31 UTC (rev 145941)
+++ branches/safari-536.30-branch/Source/WebCore/svg/animation/SMILTime.h 2013-03-15 21:37:26 UTC (rev 145942)
@@ -29,13 +29,14 @@
#if ENABLE(SVG)
#include <algorithm>
+#include <wtf/MathExtras.h>
namespace WebCore {
class SMILTime {
public:
SMILTime() : m_time(0) { }
- SMILTime(double time) : m_time(time) { }
+ SMILTime(double time) : m_time(time) { ASSERT(!isnan(time)); }
SMILTime(const SMILTime& o) : m_time(o.m_time) { }
static SMILTime unresolved() { return unresolvedValue; }
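Review bot: The `ASSERT(!isnan(time))` added to the SMILTime(double) constructor compiles out in release builds, so it documents the invariant but does not enforce it at runtime; the only effective protection remains the caller-side checks in SVGAnimationElement.cpp, and the same applies to the asserts added in addBeginTime and addEndTime in SVGSMILElement.cpp. A comment on the constructor would make that division of responsibility explicit: `// NaN is never a valid SMILTime (it breaks the ordering sortTimeList relies on). Callers must reject it; this assert only catches debug-build violations.` The header's visible includes are <algorithm> and <wtf/MathExtras.h>; if ASSERT is not already reachable through those, the header should include <wtf/Assertions.h> itself rather than depend on include order in its consumers.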
Modified: branches/safari-536.30-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp (145941 => 145942)
--- branches/safari-536.30-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp 2013-03-15 21:30:31 UTC (rev 145941)
+++ branches/safari-536.30-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp 2013-03-15 21:37:26 UTC (rev 145942)
@@ -674,6 +674,7 @@
void SVGSMILElement::addBeginTime(SMILTime eventTime, SMILTime beginTime, SMILTimeWithOrigin::Origin origin)
{
+ ASSERT(!isnan(beginTime.value()));
m_beginTimes.append(SMILTimeWithOrigin(beginTime, origin));
sortTimeList(m_beginTimes);
beginListChanged(eventTime);
@@ -681,6 +682,7 @@
void SVGSMILElement::addEndTime(SMILTime eventTime, SMILTime endTime, SMILTimeWithOrigin::Origin origin)
{
+ ASSERT(!isnan(endTime.value()));
m_endTimes.append(SMILTimeWithOrigin(endTime, origin));
sortTimeList(m_endTimes);
endListChanged(eventTime);