- Revision
- 183085
- Author
- commit-qu...@webkit.org
- Date
- 2015-04-21 17:13:54 -0700 (Tue, 21 Apr 2015)
Log Message
SVGAnimateElementBase::calculateAnimatedValue() asserts when reinserting an SVG animating element within the same animation limits
https://bugs.webkit.org/show_bug.cgi?id=143994
Patch by Said Abou-Hallawa <sabouhall...@apple.com> on 2015-04-21
Reviewed by Simon Fraser.
Source/WebCore:
Make sure the SVG animation variables are reset cleanly such that if the
animation restarts it can rebuild its limit values reliably and correctly.
Tests: svg/animations/crash-reinsert-animate-length-same-limits.svg
svg/animations/crash-reinsert-animate-transform-same-limits.svg
* svg/SVGAnimateElementBase.h:
* svg/SVGAnimateElementBase.cpp:
(WebCore::SVGAnimateElementBase::resetAnimatedPropertyType):
Call the base class resetAnimatedPropertyType() from the derived class.
* svg/SVGAnimationElement.h:
* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::resetAnimatedPropertyType):
Make resetAnimatedPropertyType() virtual. The implementation of the base
class of this function resets the values of the animation limits. When
updateAnimation() is called, it will be forced to recalculate the animation
limits by calling calculateFromAndToValues() even if the limits have not
changed.
LayoutTests:
* svg/animations/crash-reinsert-animate-length-same-limits-expected.txt: Added.
* svg/animations/crash-reinsert-animate-length-same-limits.svg: Added.
* svg/animations/crash-reinsert-animate-transform-same-limits-expected.txt: Added.
* svg/animations/crash-reinsert-animate-transform-same-limits.svg: Added.
Make sure when removing an SVG animating element and reinserting it back
within the same animation length or transform limits, we do not crash.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (183084 => 183085)
--- trunk/LayoutTests/ChangeLog 2015-04-22 00:04:51 UTC (rev 183084)
+++ trunk/LayoutTests/ChangeLog 2015-04-22 00:13:54 UTC (rev 183085)
@@ -1,3 +1,17 @@
+2015-04-21 Said Abou-Hallawa <sabouhall...@apple.com>
+
+ SVGAnimateElementBase::calculateAnimatedValue() asserts when reinserting an SVG animating element within the same animation limits
+ https://bugs.webkit.org/show_bug.cgi?id=143994
+
+ Reviewed by Simon Fraser.
+
+ * svg/animations/crash-reinsert-animate-length-same-limits-expected.txt: Added.
+ * svg/animations/crash-reinsert-animate-length-same-limits.svg: Added.
+ * svg/animations/crash-reinsert-animate-transform-same-limits-expected.txt: Added.
+ * svg/animations/crash-reinsert-animate-transform-same-limits.svg: Added.
+ Make sure when removing an SVG animating element and reinserting it back
+ within the same animation length or transform limits, we do not crash.
+
2015-04-21 Jinwoo Song <jinwoo7.s...@samsung.com>
[EFL] Unreviewed gardening
Added: trunk/LayoutTests/svg/animations/crash-reinsert-animate-length-same-limits-expected.txt (0 => 183085)
--- trunk/LayoutTests/svg/animations/crash-reinsert-animate-length-same-limits-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/crash-reinsert-animate-length-same-limits-expected.txt 2015-04-22 00:13:54 UTC (rev 183085)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/svg/animations/crash-reinsert-animate-length-same-limits.svg (0 => 183085)
--- trunk/LayoutTests/svg/animations/crash-reinsert-animate-length-same-limits.svg (rev 0)
+++ trunk/LayoutTests/svg/animations/crash-reinsert-animate-length-same-limits.svg 2015-04-22 00:13:54 UTC (rev 183085)
@@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <circle id="lime-circle" fill="lime" cx="100" cy="100" r="90"/>
+ <circle id="yellow-circle" fill="yellow" cx="100" cy="100" r="90">
+ <animate attributeName="r" values="90; 30" dur="2s"/>
+ </circle>
+ <text x="100" y="100" text-anchor="middle" alignment-baseline="middle">PASS</text>
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ setTimeout(function() {
+ var limeCircle = document.getElementById("lime-circle");
+ var yellowCircle = document.getElementById("yellow-circle");
+ document.documentElement.insertBefore(yellowCircle, limeCircle);
+ // This timeout is needed to ensure that the animation timer is fired at
+ // least once before the test is done.
+ setTimeout(function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ </script>
+</svg>
Added: trunk/LayoutTests/svg/animations/crash-reinsert-animate-transform-same-limits-expected.txt (0 => 183085)
--- trunk/LayoutTests/svg/animations/crash-reinsert-animate-transform-same-limits-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/crash-reinsert-animate-transform-same-limits-expected.txt 2015-04-22 00:13:54 UTC (rev 183085)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/svg/animations/crash-reinsert-animate-transform-same-limits.svg (0 => 183085)
--- trunk/LayoutTests/svg/animations/crash-reinsert-animate-transform-same-limits.svg (rev 0)
+++ trunk/LayoutTests/svg/animations/crash-reinsert-animate-transform-same-limits.svg 2015-04-22 00:13:54 UTC (rev 183085)
@@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <circle id="lime-circle" fill="lime" cx="100" cy="100" r="45"/>
+ <circle id="yellow-circle" fill="yellow" cx="100" cy="100" r="90">
+ <animateTransform attributeName="transform" type="scale" values="1; 0.5; 1" dur="2s"/>
+ </circle>
+ <text x="100" y="100" text-anchor="middle" alignment-baseline="middle">PASS</text>
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ setTimeout(function() {
+ var limeCircle = document.getElementById("lime-circle");
+ var yellowCircle = document.getElementById("yellow-circle");
+ document.documentElement.insertBefore(yellowCircle, limeCircle);
+ // This timeout is needed to ensure that the animation timer is fired at
+ // least once before the test is done.
+ setTimeout(function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ </script>
+</svg>
Modified: trunk/Source/WebCore/ChangeLog (183084 => 183085)
--- trunk/Source/WebCore/ChangeLog 2015-04-22 00:04:51 UTC (rev 183084)
+++ trunk/Source/WebCore/ChangeLog 2015-04-22 00:13:54 UTC (rev 183085)
@@ -1,3 +1,30 @@
+2015-04-21 Said Abou-Hallawa <sabouhall...@apple.com>
+
+ SVGAnimateElementBase::calculateAnimatedValue() asserts when reinserting an SVG animating element within the same animation limits
+ https://bugs.webkit.org/show_bug.cgi?id=143994
+
+ Reviewed by Simon Fraser.
+
+ Make sure the SVG animation variables are reset cleanly such that if the
+ animation restarts it can rebuild its limit values reliably and correctly.
+
+ Tests: svg/animations/crash-reinsert-animate-length-same-limits.svg
+ svg/animations/crash-reinsert-animate-transform-same-limits.svg
+
+ * svg/SVGAnimateElementBase.h:
+ * svg/SVGAnimateElementBase.cpp:
+ (WebCore::SVGAnimateElementBase::resetAnimatedPropertyType):
+ Call the base class resetAnimatedPropertyType() from the derived class.
+
+ * svg/SVGAnimationElement.h:
+ * svg/SVGAnimationElement.cpp:
+ (WebCore::SVGAnimationElement::resetAnimatedPropertyType):
+ Make resetAnimatedPropertyType() virtual. The implementation of the base
+ class of this function resets the values of the animation limits. When
+ updateAnimation() is called, it will be forced to recalculate the animation
+ limits by calling calculateFromAndToValues() even if the limits have not
+ changed.
+
2015-04-21 Tim Horton <timothy_hor...@apple.com>
Long pause under _takeViewSnapshot when screen updates are disabled
Modified: trunk/Source/WebCore/svg/SVGAnimateElementBase.cpp (183084 => 183085)
--- trunk/Source/WebCore/svg/SVGAnimateElementBase.cpp 2015-04-22 00:04:51 UTC (rev 183084)
+++ trunk/Source/WebCore/svg/SVGAnimateElementBase.cpp 2015-04-22 00:13:54 UTC (rev 183085)
@@ -431,6 +431,7 @@
void SVGAnimateElementBase::resetAnimatedPropertyType()
{
+ SVGAnimationElement::resetAnimatedPropertyType();
ASSERT(!m_animatedType);
m_fromType = nullptr;
m_toType = nullptr;
Modified: trunk/Source/WebCore/svg/SVGAnimateElementBase.h (183084 => 183085)
--- trunk/Source/WebCore/svg/SVGAnimateElementBase.h 2015-04-22 00:04:51 UTC (rev 183084)
+++ trunk/Source/WebCore/svg/SVGAnimateElementBase.h 2015-04-22 00:13:54 UTC (rev 183085)
@@ -53,11 +53,11 @@
virtual void setTargetElement(SVGElement*) override;
virtual void setAttributeName(const QualifiedName&) override;
+ virtual void resetAnimatedPropertyType() override;
AnimatedPropertyType m_animatedPropertyType;
private:
- void resetAnimatedPropertyType();
SVGAnimatedTypeAnimator* ensureAnimator();
bool animatedPropertyTypeSupportsAddition() const;
Modified: trunk/Source/WebCore/svg/SVGAnimationElement.cpp (183084 => 183085)
--- trunk/Source/WebCore/svg/SVGAnimationElement.cpp 2015-04-22 00:04:51 UTC (rev 183084)
+++ trunk/Source/WebCore/svg/SVGAnimationElement.cpp 2015-04-22 00:13:54 UTC (rev 183085)
@@ -674,6 +674,11 @@
if (inheritsFromProperty(targetElement, attributeName, to))
m_toPropertyValueType = InheritValue;
}
+void SVGAnimationElement::resetAnimatedPropertyType()
+{
+ m_lastValuesAnimationFrom = String();
+ m_lastValuesAnimationTo = String();
+}
void SVGAnimationElement::setTargetElement(SVGElement* target)
{
Modified: trunk/Source/WebCore/svg/SVGAnimationElement.h (183084 => 183085)
--- trunk/Source/WebCore/svg/SVGAnimationElement.h 2015-04-22 00:04:51 UTC (rev 183084)
+++ trunk/Source/WebCore/svg/SVGAnimationElement.h 2015-04-22 00:13:54 UTC (rev 183085)
@@ -168,6 +168,7 @@
void computeCSSPropertyValue(SVGElement*, CSSPropertyID, String& value);
virtual void determinePropertyValueTypes(const String& from, const String& to);
+ virtual void resetAnimatedPropertyType();
static bool isSupportedAttribute(const QualifiedName&);
virtual void parseAttribute(const QualifiedName&, const AtomicString&) override;
