Title: [140520] trunk
Revision: 140520
Author: morr...@google.com
Date: 2013-01-23 00:37:56 -0800 (Wed, 23 Jan 2013)

Log Message

Invalidated SVG shadow tree should be always detached.
https://bugs.webkit.org/show_bug.cgi?id=107634

Reviewed by Ryosuke Niwa.

Source/WebCore:

SVGUseElement::clearResourceReferences() uses removeAllChildren() for
clearing its shadow DOM, but this is wrong.
removeAllChildren() is designed for removing children of an out-of-document Node.
For efficiency, it skips a series of cleanup sequences like detach().

For removing SVG shadow tree which is in Document, removeChildren() should be used.
It does proper cleanup for the children.

Test: svg/custom/use-invalidate-click-crash.xhtml

* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::clearResourceReferences):

LayoutTests:

* svg/custom/use-invalidate-click-crash-expected.txt: Added.
* svg/custom/use-invalidate-click-crash.xhtml: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (140519 => 140520)


--- trunk/LayoutTests/ChangeLog	2013-01-23 08:34:16 UTC (rev 140519)
+++ trunk/LayoutTests/ChangeLog	2013-01-23 08:37:56 UTC (rev 140520)
@@ -1,3 +1,13 @@
+2013-01-23  Hajime Morrita  <morr...@google.com>
+
+        Invalidated SVG shadow tree should be always detached.
+        https://bugs.webkit.org/show_bug.cgi?id=107634
+
+        Reviewed by Ryosuke Niwa.
+
+        * svg/custom/use-invalidate-click-crash-expected.txt: Added.
+        * svg/custom/use-invalidate-click-crash.xhtml: Added.
+
 2013-01-23  Seokju Kwon  <seokju.k...@gmail.com>
 
         [EFL] Gardening for some inspector tests

Added: trunk/LayoutTests/svg/custom/use-invalidate-click-crash-expected.txt (0 => 140520)


--- trunk/LayoutTests/svg/custom/use-invalidate-click-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-invalidate-click-crash-expected.txt	2013-01-23 08:37:56 UTC (rev 140520)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/svg/custom/use-invalidate-click-crash.xhtml (0 => 140520)


--- trunk/LayoutTests/svg/custom/use-invalidate-click-crash.xhtml	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-invalidate-click-crash.xhtml	2013-01-23 08:37:56 UTC (rev 140520)
@@ -0,0 +1,32 @@
+<html>
+<body id="body">
+<svg xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg">
+
+<symbol id="target">
+  <text font-size="172cm">YYYYYYYYY</text>
+</symbol>
+<use xlink:href="" 
+
+<script><![CDATA[
+function keyDownMouseClick(x1, y1, x2, y2)
+{
+    if (!window.eventSender)
+        return;
+    eventSender.mouseDown();
+    eventSender.mouseMoveTo(x2, y2);
+    eventSender.mouseUp();
+}
+
+if (window.testRunner)
+   testRunner.dumpAsText();
+
+var target = document.getElementById("target");
+keyDownMouseClick(333, 357, 155, 174);
+target.textContent = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
+keyDownMouseClick(115, 317, -16, -2);
+
+document.getElementById("body").textContent = "PASS"
+]]></script>
+</svg>
+</body>
+</html>
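
Review bot: keyDownMouseClick(x1, y1, x2, y2) never uses x1 and y1, so mouseDown() fires wherever the pointer already is and the start coordinates passed in both calls (333, 357 and 115, 317) have no effect. Either add eventSender.mouseMoveTo(x1, y1) before mouseDown() or drop the two parameters, and rename the helper, since it sends no key event. The script also writes PASS when window.eventSender is missing, so a run outside the test harness passes without exercising the invalidation path. A short comment naming bug 107634 and saying what the textContent change between the two drags is meant to trigger would help the next reader.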

Modified: trunk/Source/WebCore/ChangeLog (140519 => 140520)


--- trunk/Source/WebCore/ChangeLog	2013-01-23 08:34:16 UTC (rev 140519)
+++ trunk/Source/WebCore/ChangeLog	2013-01-23 08:37:56 UTC (rev 140520)
@@ -1,3 +1,23 @@
+2013-01-23  Hajime Morrita  <morr...@google.com>
+
+        Invalidated SVG shadow tree should be always detached.
+        https://bugs.webkit.org/show_bug.cgi?id=107634
+
+        Reviewed by Ryosuke Niwa.
+
+        SVGUseElement::clearResourceReferences() uses removeAllChildren() for
+        clearing its shadow DOM, but this is wrong.
+        removeAllChildren() is designed for removing children of an out-of-document Node.
+        For efficiency, it skips a series of cleanup sequences like detach().
+
+        For removing SVG shadow tree which is in Document, removeChildren() should be used.
+        It does proper cleanup for the chilren.
+
+        Test: svg/custom/use-invalidate-click-crash.xhtml
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::clearResourceReferences):
+
 2013-01-23  Huang Dongsung  <luxte...@company100.net>
 
         [TexMap] Don't call GraphicsLayer::setNeedsDisplay() from TextureMapperLayer.
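
Review bot: typo in the added entry, "It does proper cleanup for the chilren." should read "children". The entry would also serve later crash triage better if it said what goes wrong when detach() is skipped for a shadow tree that is still in the Document, instead of only stating that removeAllChildren() "is wrong" here.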

Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (140519 => 140520)


--- trunk/Source/WebCore/svg/SVGUseElement.cpp	2013-01-23 08:34:16 UTC (rev 140519)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp	2013-01-23 08:37:56 UTC (rev 140520)
@@ -400,7 +400,7 @@
 {
     // FIXME: We should try to optimize this, to at least allow partial reclones.
     if (ShadowRoot* shadowTreeRootElement =  shadow()->oldestShadowRoot())
-        shadowTreeRootElement->removeAllChildren();
+        shadowTreeRootElement->removeChildren();
 
     if (m_targetElementInstance) {
         m_targetElementInstance->detach();
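
Review bot: the changed line swaps removeAllChildren() for removeChildren(), two names that differ by one word yet carry different cleanup guarantees, and nothing at the call site records why this one is required. Add a comment above the call saying the shadow tree is in the Document and its children must go through detach(). Consider also an assertion inside removeAllChildren() that the node is not in a document, so that any other in-document caller fails in debug builds instead of leaving undetached children behind. The context line above also dereferences shadow() without a null check; if that is guaranteed for SVGUseElement, an ASSERT(shadow()) would make the assumption explicit.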
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
