Skip to site navigation (Press enter)

[webkit-changes] [137701] trunk

pdr Thu, 13 Dec 2012 19:27:00 -0800

Title: [137701] trunk

Revision: 137701
Author: p...@google.com
Date: 2012-12-13 19:28:45 -0800 (Thu, 13 Dec 2012)

Log Message

Clear m_timeContainer on SVGSMILElement removal.
https://bugs.webkit.org/show_bug.cgi?id=104972


Reviewed by Abhishek Arya.

Source/WebCore:

This patch fixes a regression introduced by r137509 where we did not clear
m_timeContainer in SVGSMILElement::removedFrom.

Test: svg/custom/removed-from-animation-crash.html

* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::removedFrom):

LayoutTests:

* svg/custom/removed-from-animation-crash-expected.txt: Added.
* svg/custom/removed-from-animation-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp

Added Paths

trunk/LayoutTests/svg/custom/removed-from-animation-crash-expected.txt
trunk/LayoutTests/svg/custom/removed-from-animation-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (137700 => 137701)


--- trunk/LayoutTests/ChangeLog	2012-12-14 03:24:28 UTC (rev 137700)
+++ trunk/LayoutTests/ChangeLog	2012-12-14 03:28:45 UTC (rev 137701)
@@ -1,3 +1,13 @@
+2012-12-13  Philip Rogers  <p...@google.com>
+
+        Clear m_timeContainer on SVGSMILElement removal.
+        https://bugs.webkit.org/show_bug.cgi?id=104972
+
+        Reviewed by Abhishek Arya.
+
+        * svg/custom/removed-from-animation-crash-expected.txt: Added.
+        * svg/custom/removed-from-animation-crash.html: Added.
+
 2012-12-13  Filip Pizlo  <fpi...@apple.com>
 
         Named lookups on HTML documents produce inconsistent results in _javascript_Core bindings

Added: trunk/LayoutTests/svg/custom/removed-from-animation-crash-expected.txt (0 => 137701)


--- trunk/LayoutTests/svg/custom/removed-from-animation-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/removed-from-animation-crash-expected.txt	2012-12-14 03:28:45 UTC (rev 137701)
@@ -0,0 +1 @@
+PASS: test did not crash

Added: trunk/LayoutTests/svg/custom/removed-from-animation-crash.html (0 => 137701)


--- trunk/LayoutTests/svg/custom/removed-from-animation-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/removed-from-animation-crash.html	2012-12-14 03:28:45 UTC (rev 137701)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<!-- Test for WK104972: this test passes if it does not crash. -->
+<body id="body" _onload_="crash()">
+  <svg width="100" height="100">
+    <rect id="rect1">
+      <animateMotion>
+        <g id="g1"></g>
+        <g id="g2"></g>
+        <set id="animate"></set>
+      </animateMotion>
+    </rect>
+  </svg>
+<script>
+  if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+  }
+
+  function crash() {
+    var notInDocRect = document.createElementNS("http://www.w3.org/2000/svg", "rect");
+    setTimeout(function() {
+      var g2 = document.getElementById('g2');
+      g2.parentNode.removeChild(g2);
+      document.getElementById('g1').appendChild(document.getElementById('animate'));
+      notInDocRect.appendChild(document.getElementById('rect1'));
+      document.getElementById('body').innerHTML = "PASS: test did not crash";
+
+      if (window.testRunner)
+        testRunner.notifyDone();
+    }, 1);
+  }
+</script>
+</body>
+</html>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (137700 => 137701)


--- trunk/Source/WebCore/ChangeLog	2012-12-14 03:24:28 UTC (rev 137700)
+++ trunk/Source/WebCore/ChangeLog	2012-12-14 03:28:45 UTC (rev 137701)
@@ -1,3 +1,18 @@
+2012-12-13  Philip Rogers  <p...@google.com>
+
+        Clear m_timeContainer on SVGSMILElement removal.
+        https://bugs.webkit.org/show_bug.cgi?id=104972
+
+        Reviewed by Abhishek Arya.
+
+        This patch fixes a regression introduced by r137509 where we did not clear
+        m_timeContainer in SVGSMILElement::removedFrom.
+
+        Test: svg/custom/removed-from-animation-crash.html
+
+        * svg/animation/SVGSMILElement.cpp:
+        (WebCore::SVGSMILElement::removedFrom):
+
 2012-12-13  Filip Pizlo  <fpi...@apple.com>
 
         Named lookups on HTML documents produce inconsistent results in _javascript_Core bindings

Modified: trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp (137700 => 137701)


--- trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-12-14 03:24:28 UTC (rev 137700)
+++ trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-12-14 03:28:45 UTC (rev 137701)
@@ -278,6 +278,7 @@
         setTargetElement(0);
         setAttributeName(anyQName());
         animationAttributeChanged();
+        m_timeContainer = 0;
     }
 
     SVGElement::removedFrom(rootParent);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes