Diff
Modified: branches/safari-600.4.10-branch/LayoutTests/ChangeLog (180322 => 180323)
--- branches/safari-600.4.10-branch/LayoutTests/ChangeLog 2015-02-19 00:02:15 UTC (rev 180322)
+++ branches/safari-600.4.10-branch/LayoutTests/ChangeLog 2015-02-19 00:06:18 UTC (rev 180323)
@@ -1,5 +1,25 @@
2015-02-18 Lucas Forschler <lforsch...@apple.com>
+ Merge r179963
+
+ 2015-02-11 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r179772
+
+ 2015-02-06 Said Abou-Hallawa <sabouhall...@apple.com>
+
+ Invalid cast in WebCore::SVGAnimateElement::calculateAnimatedValue.
+ https://bugs.webkit.org/show_bug.cgi?id=135171.
+
+ Reviewed by Dean Jackson.
+
+ * svg/animations/animate-montion-invalid-attribute-expected.svg: Added.
+ * svg/animations/animate-montion-invalid-attribute.svg: Added.
+ Make sure that adding the same attribute to <animateMotion> and <animate>, which both
+ animate the same target element, will be ignored and we won't crash.
+
+2015-02-18 Lucas Forschler <lforsch...@apple.com>
+
Merge r179968
2015-02-11 Lucas Forschler <lforsch...@apple.com>
Copied: branches/safari-600.4.10-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute-expected.svg (from rev 179963, branches/safari-600.5-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute-expected.svg) (0 => 180323)
--- branches/safari-600.4.10-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute-expected.svg (rev 0)
+++ branches/safari-600.4.10-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute-expected.svg 2015-02-19 00:06:18 UTC (rev 180323)
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <circle cx="60" cy="60" r="50" fill="Lime"/>
+ <circle cx="160" cy="160" r="50" fill="Green"/>
+</svg>
Copied: branches/safari-600.4.10-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute.svg (from rev 179963, branches/safari-600.5-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute.svg) (0 => 180323)
--- branches/safari-600.4.10-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute.svg (rev 0)
+++ branches/safari-600.4.10-branch/LayoutTests/svg/animations/animate-montion-invalid-attribute.svg 2015-02-19 00:06:18 UTC (rev 180323)
@@ -0,0 +1,38 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <circle cx="60" cy="60" r="50" fill="DarkRed">
+ <!-- animateMotion should not have animation attribute target attributes -->
+ <animateMotion attributeName="fill"
+ path="M 0 0 L 100 100"
+ begin="0ms"
+ dur="100ms"
+ fill="freeze"/>
+ <animateColor attributeName="fill"
+ attributeType="XML"
+ from="DarkRed"
+ to="Green"
+ begin="0ms"
+ dur="100ms"
+ fill="freeze"/>
+ </circle>
+ <circle cx="160" cy="160" r="50" fill="Red">
+ <!-- animateMotion should not have animation attribute target attributes -->
+ <animateMotion attributeName="fill"
+ path="M 0 0 L -100 -100"
+ begin="0ms"
+ dur="100ms"
+ fill="freeze"/>
+ <animate attributeName="fill"
+ attributeType="XML"
+ from="Red"
+ to="Lime"
+ begin="0ms"
+ dur="100ms"
+ fill="freeze"/>
+ </circle>
+ <script>
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ window.setTimeout(function() { testRunner.notifyDone(); }, 500);
+ }
+ </script>
+</svg>
Modified: branches/safari-600.4.10-branch/Source/WebCore/ChangeLog (180322 => 180323)
--- branches/safari-600.4.10-branch/Source/WebCore/ChangeLog 2015-02-19 00:02:15 UTC (rev 180322)
+++ branches/safari-600.4.10-branch/Source/WebCore/ChangeLog 2015-02-19 00:06:18 UTC (rev 180323)
@@ -1,5 +1,48 @@
2015-02-18 Lucas Forschler <lforsch...@apple.com>
+ Merge r179963
+
+ 2015-02-11 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r179772
+
+ 2015-02-06 Said Abou-Hallawa <sabouhall...@apple.com>
+
+ Invalid cast in WebCore::SVGAnimateElement::calculateAnimatedValue.
+ https://bugs.webkit.org/show_bug.cgi?id=135171.
+
+ Reviewed by Dean Jackson.
+
+ The bug happens when an SVG element is animated by <animateMotion> followed by an
+ <animateColor> or an <animate> and the values of the "attributeName" in both elements
+ are the same. The problem is <animateMotion> should not have an attribute to animate.
+ If it does by fuzz or by mistake, then we assume the <animateMotion> and the <animate>
+ animate the same attribute for the same element target. Therefore we schedule them in
+ the same AnimationVector in SMILTimeContainer::schedule(). When we call
+ SVGAnimateElementBase::calculateAnimatedValue() for an SVGAnimateColorElement and the
+ resultElement is SVGAnimateMotionElement, we fail to cast it to SVGAnimateElementBase
+ because SVGAnimateMotionElement is derived from SVGAnimationElement which is the base
+ class of all animate elements including SVGAnimateElementBase.
+
+ The fix is to nullify setting "attributeName" of an SVGAnimationElement. By doing so,
+ "attributeName" and its value will be ignored from the <animateMotion> which is correct.
+
+ Tests: svg/animations/animate-montion-invalid-attribute.svg.
+
+ * svg/SVGAnimateElementBase.cpp:
+ (WebCore::SVGAnimateElementBase::setAttributeName):
+ Do not call SVGAnimationElement::setAttributeName() since SVGAnimationElement should
+ not have an attribute to animate. We prevent this by bypassing the parent in the class
+ hierarchy: SVGAnimationElement and calling SVGSMILElement::setAttributeName() directly.
+
+ * svg/SVGAnimationElement.cpp:
+ (WebCore::SVGAnimationElement::setAttributeName): Deleted.
+ * svg/SVGAnimationElement.h:
+ SVGAnimationElement should not have an attribute to animate. So implement its
+ setAttributeName() as a null function.
+
+2015-02-18 Lucas Forschler <lforsch...@apple.com>
+
Merge r179969
2015-02-11 Lucas Forschler <lforsch...@apple.com>
Modified: branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimateElement.cpp (180322 => 180323)
--- branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimateElement.cpp 2015-02-19 00:02:15 UTC (rev 180322)
+++ branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimateElement.cpp 2015-02-19 00:06:18 UTC (rev 180323)
@@ -425,7 +425,8 @@
void SVGAnimateElement::setAttributeName(const QualifiedName& attributeName)
{
- SVGAnimationElement::setAttributeName(attributeName);
+ SVGSMILElement::setAttributeName(attributeName);
+ checkInvalidCSSAttributeType(targetElement());
resetAnimatedPropertyType();
}
Modified: branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimationElement.cpp (180322 => 180323)
--- branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2015-02-19 00:02:15 UTC (rev 180322)
+++ branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2015-02-19 00:06:18 UTC (rev 180323)
@@ -682,12 +682,6 @@
checkInvalidCSSAttributeType(target);
}
-void SVGAnimationElement::setAttributeName(const QualifiedName& attributeName)
-{
- SVGSMILElement::setAttributeName(attributeName);
- checkInvalidCSSAttributeType(targetElement());
-}
-
void SVGAnimationElement::checkInvalidCSSAttributeType(SVGElement* target)
{
m_hasInvalidCSSAttributeType = target && hasValidAttributeName() && attributeType() == AttributeTypeCSS && !isTargetAttributeCSSProperty(target, attributeName());
Modified: branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimationElement.h (180322 => 180323)
--- branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimationElement.h 2015-02-19 00:02:15 UTC (rev 180322)
+++ branches/safari-600.4.10-branch/Source/WebCore/svg/SVGAnimationElement.h 2015-02-19 00:06:18 UTC (rev 180323)
@@ -193,8 +193,9 @@
AnimatedPropertyValueType m_toPropertyValueType;
virtual void setTargetElement(SVGElement*) override;
- virtual void setAttributeName(const QualifiedName&) override;
+ virtual void setAttributeName(const QualifiedName&) override { }
bool hasInvalidCSSAttributeType() const { return m_hasInvalidCSSAttributeType; }
+ void checkInvalidCSSAttributeType(SVGElement*);
virtual void updateAnimationMode();
void setAnimationMode(AnimationMode animationMode) { m_animationMode = animationMode; }
@@ -204,8 +205,6 @@
virtual void animationAttributeChanged() override;
void setAttributeType(const AtomicString&);
- void checkInvalidCSSAttributeType(SVGElement*);
-
virtual bool calculateToAtEndOfDurationValue(const String& toAtEndOfDurationString) = 0;
virtual bool calculateFromAndToValues(const String& fromString, const String& toString) = 0;
virtual bool calculateFromAndByValues(const String& fromString, const String& byString) = 0;
