Title: [142899] trunk
- Revision: 142899
- Author: [email protected]
- Date: 2013-02-14 12:16:48 -0800 (Thu, 14 Feb 2013)
Log Message
Prevent inconsistent firstChild during document destruction
https://bugs.webkit.org/show_bug.cgi?id=106530
Reviewed by Abhishek Arya.
Source/WebCore:
During document destruction, addChildNodesToDeletionQueue can allow a container
node to have an invalid first child, causing a crash. This patch updates
addChildNodesToDeletionQueue to maintain a valid value for firstChild() even
while updating its children.
Test: svg/custom/animateMotion-path-change-crash.svg
* dom/ContainerNodeAlgorithms.h:
(WebCore::Private::addChildNodesToDeletionQueue):
To ensure previousSibling() is also valid, this code was slightly refactored
to call setPreviousSibling(0) on the next node instead of the current node.
LayoutTests:
* svg/custom/animateMotion-path-change-crash-expected.txt: Added.
* svg/custom/animateMotion-path-change-crash.svg: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (142898 => 142899)
--- trunk/LayoutTests/ChangeLog 2013-02-14 20:15:30 UTC (rev 142898)
+++ trunk/LayoutTests/ChangeLog 2013-02-14 20:16:48 UTC (rev 142899)
@@ -1,3 +1,13 @@
+2013-02-14 Philip Rogers <[email protected]>
+
+ Prevent inconsistent firstChild during document destruction
+ https://bugs.webkit.org/show_bug.cgi?id=106530
+
+ Reviewed by Abhishek Arya.
+
+ * svg/custom/animateMotion-path-change-crash-expected.txt: Added.
+ * svg/custom/animateMotion-path-change-crash.svg: Added.
+
2013-02-14 Bear Travis <[email protected]>
Make outside-shape the default value for shape-inside
Added: trunk/LayoutTests/svg/custom/animateMotion-path-change-crash-expected.txt (0 => 142899)
--- trunk/LayoutTests/svg/custom/animateMotion-path-change-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/animateMotion-path-change-crash-expected.txt 2013-02-14 20:16:48 UTC (rev 142899)
@@ -0,0 +1 @@
+Test for WK106530: This test passes if it does not crash.
Added: trunk/LayoutTests/svg/custom/animateMotion-path-change-crash.svg (0 => 142899)
--- trunk/LayoutTests/svg/custom/animateMotion-path-change-crash.svg (rev 0)
+++ trunk/LayoutTests/svg/custom/animateMotion-path-change-crash.svg 2013-02-14 20:16:48 UTC (rev 142899)
@@ -0,0 +1,25 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<text x="0" y="10">Test for WK106530: This test passes if it does not crash.</text>
+<animateMotion dur="2s" begin="animateMotion1.begin" id="animateMotion2" ><animateMotion id="animateMotion1" />
+ <mpath xlink:href=""
+ <path id="curve"/>
+</animateMotion>
+<script type="text/_javascript_"><![CDATA[
+ if (window.testRunner)
+ testRunner.waitUntilDone();
+
+ var animateMotion2El = document.getElementById("animateMotion2");
+ var curveEl = document.getElementById("curve");
+
+ setTimeout(function(){
+ curveEl.appendChild(animateMotion2El.cloneNode(true));
+ animateMotion2El.appendChild(curveEl.cloneNode(true));
+ curveEl.parentNode.removeChild(curveEl);
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.notifyDone();
+ }
+ }, 1);
+]]></script>
+</svg>
+
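Review bot: in the `setTimeout` callback, `testRunner.dumpAsText()` and `testRunner.notifyDone()` are only reached after the three DOM mutations, so if either `getElementById` lookup returns null the callback throws on `curveEl.appendChild(...)` and the test ends as a timeout without a text dump instead of a clear failure. Move `testRunner.dumpAsText()` up next to `testRunner.waitUntilDone()`. The log message places the crash in document destruction, while the script only mutates the tree and then signals completion, so a short comment in the test saying which step is expected to reach that path would help whoever triages a later regression.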
Modified: trunk/Source/WebCore/ChangeLog (142898 => 142899)
--- trunk/Source/WebCore/ChangeLog 2013-02-14 20:15:30 UTC (rev 142898)
+++ trunk/Source/WebCore/ChangeLog 2013-02-14 20:16:48 UTC (rev 142899)
@@ -1,3 +1,22 @@
+2013-02-14 Philip Rogers <[email protected]>
+
+ Prevent inconsistent firstChild during document destruction
+ https://bugs.webkit.org/show_bug.cgi?id=106530
+
+ Reviewed by Abhishek Arya.
+
+ During document destruction, addChildNodesToDeletionQueue can allow a container
+ node to have an invalid first child, causing a crash. This patch updates
+ addChildNodesToDeletionQueue to maintain a valid value for firstChild() even
+ while updating its children.
+
+ Test: svg/custom/animateMotion-path-change-crash.svg
+
+ * dom/ContainerNodeAlgorithms.h:
+ (WebCore::Private::addChildNodesToDeletionQueue):
+ To ensure prevoiusSibling() is also valid, this code was slightly refactored
+ to call setPreviousSibling(0) on the next node instead of the current node.
+
2013-02-14 Julien Chaffraix <[email protected]>
[CSS Grid Layout] Add an internal 2D grid representation to RenderGrid
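Review bot: typo in the ChangeLog entry for `addChildNodesToDeletionQueue`, "prevoiusSibling()" should read "previousSibling()". Worth fixing before landing because ChangeLog text is what people grep when tracing this crash back to a revision.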
Modified: trunk/Source/WebCore/dom/ContainerNodeAlgorithms.h (142898 => 142899)
--- trunk/Source/WebCore/dom/ContainerNodeAlgorithms.h 2013-02-14 20:15:30 UTC (rev 142898)
+++ trunk/Source/WebCore/dom/ContainerNodeAlgorithms.h 2013-02-14 20:16:48 UTC (rev 142899)
@@ -162,9 +162,11 @@
ASSERT(!n->m_deletionHasBegun);
next = n->nextSibling();
- n->setPreviousSibling(0);
n->setNextSibling(0);
n->setParentOrShadowHostNode(0);
+ container->setFirstChild(next);
+ if (next)
+ next->setPreviousSibling(0);
if (!n->refCount()) {
#ifndef NDEBUG
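Review bot: with `n->setPreviousSibling(0)` removed, the current node's own previous-sibling pointer is never cleared in these lines; that is only safe if `n` is always the container's first child at this point, which the visible context does not show. An `ASSERT(!n->previousSibling());` next to the existing `ASSERT(!n->m_deletionHasBegun);` would document that assumption and catch a caller that breaks it, since a detached node keeping a stale sibling pointer is the same class of inconsistency this change is meant to remove.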
@@ -184,7 +186,6 @@
}
}
- container->setFirstChild(0);
container->setLastChild(0);
}
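Review bot: `container->setLastChild(0)` still appears to run only once the loop has finished, so while the loop runs `lastChild()` can refer to a node that has already had `setParentOrShadowHostNode(0)` called on it, even though `firstChild()` is now kept valid. If anything reachable during deletion reads `lastChild()`, it sees the same kind of inconsistent state this patch fixes for `firstChild()`. Either clear it inside the loop when `next` is null, or add a comment explaining why `lastChild()` cannot be observed here.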