Title: [133208] branches/safari-536.28-branch
- Revision: 133208
- Author: lforsch...@apple.com
- Date: 2012-11-01 12:03:28 -0700 (Thu, 01 Nov 2012)
Log Message
Merged r121491. <rdar://problem/12536496>
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133207 => 133208)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 19:02:16 UTC (rev 133207)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 19:03:28 UTC (rev 133208)
@@ -1,5 +1,19 @@
2012-10-31 Lucas Forschler <lforsch...@apple.com>
+ Merge r121491
+
+ 2012-06-28 Philip Rogers <p...@google.com>
+
+ Prevent crash in animate resource handling
+ https://bugs.webkit.org/show_bug.cgi?id=90042
+
+ Reviewed by Abhishek Arya.
+
+ * svg/custom/animate-reference-crash-expected.txt: Added.
+ * svg/custom/animate-reference-crash.html: Added.
+
+2012-10-31 Lucas Forschler <lforsch...@apple.com>
+
Merge r121003
2012-06-21 Ryosuke Niwa <rn...@webkit.org>
@@ -10518,3 +10532,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/svg/custom/animate-reference-crash-expected.txt (from rev 121491, trunk/LayoutTests/svg/custom/animate-reference-crash-expected.txt) (0 => 133208)
--- branches/safari-536.28-branch/LayoutTests/svg/custom/animate-reference-crash-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/svg/custom/animate-reference-crash-expected.txt 2012-11-01 19:03:28 UTC (rev 133208)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-536.28-branch/LayoutTests/svg/custom/animate-reference-crash.html (from rev 121491, trunk/LayoutTests/svg/custom/animate-reference-crash.html) (0 => 133208)
--- branches/safari-536.28-branch/LayoutTests/svg/custom/animate-reference-crash.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/svg/custom/animate-reference-crash.html 2012-11-01 19:03:28 UTC (rev 133208)
@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<!-- Test for WK90042 - Passes if there is no crash and "PASS" is displayed. -->
+<html>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var textElement = document.createElementNS("http://www.w3.org/2000/svg", "text");
+document.documentElement.appendChild(textElement);
+var aElement = document.createElementNS("http://www.w3.org/2000/svg", "a");
+var animateElement = document.createElementNS("http://www.w3.org/2000/svg", "animate");
+aElement.appendChild(animateElement);
+document.implementation.createDocument("", "", null).adoptNode(aElement);
+for (something in animateElement)
+ animateElement[something];
+textElement.appendChild(animateElement);
+textElement.parentNode.removeChild(textElement);
+
+// Not crashing at this point means we PASS.
+document.body.innerHTML = "PASS";
+</script>
+</body>
+</html>
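Review bot: The test body does not say which of its steps reproduces the bug, in particular the `for (something in animateElement)` loop that runs right after `adoptNode(aElement)` has moved the animate element into the document returned by `createDocument`. A short comment before that loop, stating that it is meant to touch the animation target while the element is outside the main document, and another before the final `removeChild` call, would let a later reader tell which lines are essential to WK90042 and which are scaffolding. Separately, `something` is assigned without `var`, so it becomes an implicit global; declaring it in the loop header keeps the test clean if it is ever run in strict mode.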
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133207 => 133208)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 19:02:16 UTC (rev 133207)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 19:03:28 UTC (rev 133208)
@@ -1,5 +1,31 @@
2012-10-31 Lucas Forschler <lforsch...@apple.com>
+ Merge r121491
+
+ 2012-06-28 Philip Rogers <p...@google.com>
+
+ Prevent crash in animate resource handling
+ https://bugs.webkit.org/show_bug.cgi?id=90042
+
+ Reviewed by Abhishek Arya.
+
+ This patch adds a check that we are in a document before registering animation
+ resources and creating a target element in SVGSMILElement. This prevents a crash where
+ we would register resources and create the target when we were not in a document
+ but fail to deregister / reset the target when we were removed from a document.
+ In failing to reset the target, we can crash when trying to deregister resources that
+ were not created after being inserted into a document and then removed.
+
+ The existence of m_targetResources and registered animation resources is now
+ tied to being in a document.
+
+ Test: svg/custom/animate-reference-crash.html
+
+ * svg/animation/SVGSMILElement.cpp:
+ (WebCore::SVGSMILElement::targetElement):
+
+2012-10-31 Lucas Forschler <lforsch...@apple.com>
+
Merge r121003
2012-06-21 Ryosuke Niwa <rn...@webkit.org>
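Review bot: The sentence "we can crash when trying to deregister resources that were not created after being inserted into a document and then removed" in the description is ambiguous about the order of events, and it is the only place where the failure sequence is recorded. Consider spelling it out as steps (target created while not in a document, element inserted, element removed, deregistration attempted). The entry also says the check covers both registering animation resources and creating the target element, while the only function listed is SVGSMILElement::targetElement; if registration happens only through that function, say so, since that is what makes the single guard sufficient.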
@@ -205654,3 +205680,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp (133207 => 133208)
--- branches/safari-536.28-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-11-01 19:02:16 UTC (rev 133207)
+++ branches/safari-536.28-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-11-01 19:03:28 UTC (rev 133208)
@@ -552,6 +552,9 @@
if (m_targetElement)
return m_targetElement;
+ if (!inDocument())
+ return 0;
+
String href = ""
ContainerNode* target = href.isEmpty() ? parentNode() : SVGURIReference::targetElementFromIRIString(href, document());
if (!target || !target->isSVGElement())
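Review bot: The new `if (!inDocument())` guard is placed after the `if (m_targetElement)` early return, so a target that was cached earlier is still returned without any document check. The invariant stated in the ChangeLog (target resources exist only while in a document) therefore holds only if every removal path clears m_targetElement, and nothing in this hunk enforces or documents that. Consider adding an assertion on the cached path that the element is in a document, or a comment above the cached return naming the code that resets m_targetElement on removal, so a future change to the removal path cannot silently reintroduce the stale-target case.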