Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133209 => 133210)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 19:08:05 UTC (rev 133209)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 19:13:25 UTC (rev 133210)
@@ -1,5 +1,19 @@
2012-10-31 Lucas Forschler <lforsch...@apple.com>
+ Merge r122278
+
+ 2012-07-10 Philip Rogers <p...@google.com>
+
+ Crash due to SVG animation element not removed from target (before reset)
+ https://bugs.webkit.org/show_bug.cgi?id=90750
+
+ Reviewed by Abhishek Arya.
+
+ * svg/animations/dynamic-modify-attributename-crash2-expected.txt: Added.
+ * svg/animations/dynamic-modify-attributename-crash2.svg: Added.
+
+2012-10-31 Lucas Forschler <lforsch...@apple.com>
+
Merge r121930
2012-07-05 Hayato Ito <hay...@chromium.org>
@@ -10548,3 +10562,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/svg/animations/dynamic-modify-attributename-crash2-expected.txt (from rev 122278, trunk/LayoutTests/svg/animations/dynamic-modify-attributename-crash2-expected.txt) (0 => 133210)
--- branches/safari-536.28-branch/LayoutTests/svg/animations/dynamic-modify-attributename-crash2-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/svg/animations/dynamic-modify-attributename-crash2-expected.txt 2012-11-01 19:13:25 UTC (rev 133210)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-536.28-branch/LayoutTests/svg/animations/dynamic-modify-attributename-crash2.svg (from rev 122278, trunk/LayoutTests/svg/animations/dynamic-modify-attributename-crash2.svg) (0 => 133210)
--- branches/safari-536.28-branch/LayoutTests/svg/animations/dynamic-modify-attributename-crash2.svg (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/svg/animations/dynamic-modify-attributename-crash2.svg 2012-11-01 19:13:25 UTC (rev 133210)
@@ -0,0 +1,26 @@
+<!-- Test for WK90750 - this should not crash or say FAIL. -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
+ <set id="set"></set>
+ <text id="status" x="100" y="100">FAIL</text>
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ if (location.hash != "#done") {
+ setTimeout(function() {
+ document.getElementById("set").setAttribute("attributeName", "points");
+ document.implementation.createDocument("", "", null).adoptNode(document.getElementById("set"));
+ location.hash = "#done";
+ window.location.reload();
+ }, 0);
+ } else {
+ if (window.testRunner)
+ gc();
+ document.getElementById("status").textContent = "PASS";
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ </script>
+</svg>
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133209 => 133210)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 19:08:05 UTC (rev 133209)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 19:13:25 UTC (rev 133210)
@@ -1,5 +1,47 @@
2012-10-31 Lucas Forschler <lforsch...@apple.com>
+ Merge r122278
+
+ 2012-07-10 Philip Rogers <p...@google.com>
+
+ Crash due to SVG animation element not removed from target (before reset)
+ https://bugs.webkit.org/show_bug.cgi?id=90750
+
+ Reviewed by Abhishek Arya.
+
+ Previously we were not removing an animation element from
+ SVGDocumentExtensions::m_animatedElements which led to a crash.
+ This change properly removes animation elements in resetTargetElement
+ which both fixes this bug and will prevent others from hitting it in
+ the future.
+
+ Test: svg/animations/dynamic-modify-attributename-crash2.svg
+
+ * svg/SVGDocumentExtensions.cpp:
+ (WebCore::SVGDocumentExtensions::removeAllAnimationElementsFromTarget):
+
+ removeAllAnimationElementsFromTarget now adds all the animation elements
+ to a vector and iterates over it because the changes to resetTargetElement
+ would have caused us to modify the underlying hashset as we iterated. Note that
+ before we deleted animationElementsForTarget in removeAllAnimationElementsFromTarget
+ but that logic is now handled in removeAnimationElementFromTarget which is called
+ during resetTargetElement.
+
+ * svg/animation/SVGSMILElement.cpp:
+ (WebCore::SVGSMILElement::removedFrom):
+
+ Because of the changes in resetTargetElement, removedFrom was able to be
+ refactored. This patch changes removedFrom to call resetTargetElement rather
+ than have duplicated logic. There is a very small change in logic here:
+ animationAttributeChanged() is now called in removedFrom().
+
+ (WebCore::SVGSMILElement::resetTargetElement):
+
+ resetTargetElement now fully resets the target, including removing it from
+ m_animatedElements. This will prevent future instances of this bug.
+
+2012-10-31 Lucas Forschler <lforsch...@apple.com>
+
Merge r121930
2012-07-05 Hayato Ito <hay...@chromium.org>
@@ -205708,3 +205750,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/svg/SVGDocumentExtensions.cpp (133209 => 133210)
--- branches/safari-536.28-branch/Source/WebCore/svg/SVGDocumentExtensions.cpp 2012-11-01 19:08:05 UTC (rev 133209)
+++ branches/safari-536.28-branch/Source/WebCore/svg/SVGDocumentExtensions.cpp 2012-11-01 19:13:25 UTC (rev 133210)
@@ -169,14 +169,20 @@
void SVGDocumentExtensions::removeAllAnimationElementsFromTarget(SVGElement* targetElement)
{
ASSERT(targetElement);
- HashSet<SVGSMILElement*>* animationElementsForTarget = m_animatedElements.take(targetElement);
- if (!animationElementsForTarget)
+ HashMap<SVGElement*, HashSet<SVGSMILElement*>* >::iterator it = m_animatedElements.find(targetElement);
+ if (it == m_animatedElements.end())
return;
- HashSet<SVGSMILElement*>::iterator it = animationElementsForTarget->begin();
+
+ HashSet<SVGSMILElement*>* animationElementsForTarget = it->second;
+ Vector<SVGSMILElement*> toBeReset;
+
HashSet<SVGSMILElement*>::iterator end = animationElementsForTarget->end();
- for (; it != end; ++it)
- (*it)->resetTargetElement();
- delete animationElementsForTarget;
+ for (HashSet<SVGSMILElement*>::iterator it = animationElementsForTarget->begin(); it != end; ++it)
+ toBeReset.append(*it);
+
+ Vector<SVGSMILElement*>::iterator vectorEnd = toBeReset.end();
+ for (Vector<SVGSMILElement*>::iterator vectorIt = toBeReset.begin(); vectorIt != vectorEnd; ++vectorIt)
+ (*vectorIt)->resetTargetElement();
}
// FIXME: Callers should probably use ScriptController::eventHandlerLineNumber()
Modified: branches/safari-536.28-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp (133209 => 133210)
--- branches/safari-536.28-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-11-01 19:08:05 UTC (rev 133209)
+++ branches/safari-536.28-branch/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-11-01 19:13:25 UTC (rev 133210)
@@ -231,11 +231,8 @@
disconnectConditions();
// Clear target now, because disconnectConditions calls targetElement() which will recreate the target if we removed it sooner.
- if (m_targetElement) {
- document()->accessSVGExtensions()->removeAnimationElementFromTarget(this, m_targetElement);
- targetElementWillChange(m_targetElement, 0);
- m_targetElement = 0;
- }
+ if (m_targetElement)
+ resetTargetElement();
m_attributeName = anyQName();
}
@@ -576,6 +573,7 @@
void SVGSMILElement::resetTargetElement()
{
+ document()->accessSVGExtensions()->removeAnimationElementFromTarget(this, m_targetElement);
targetElementWillChange(m_targetElement, 0);
m_targetElement = 0;
animationAttributeChanged();
