Title: [91653] trunk
- Revision
- 91653
- Author
- [email protected]
- Date
- 2011-07-24 19:16:57 -0700 (Sun, 24 Jul 2011)
Log Message
2011-07-24 Rob Buis <[email protected]>
Crash in SVGUseElement::updateContainerOffsets on <use> with no parent
https://bugs.webkit.org/show_bug.cgi?id=63646
Reviewed by Darin Adler.
Prevent using invalid targetElementInstance->shadowTreeElement after shadow render tree recreation. This situation can
only occur when there was a valid shadowTreeElement before setting xlink:href to empty/invalid.
Test: svg/custom/use-shadow-root-parent-removal.svg
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::svgAttributeChanged):
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (91652 => 91653)
--- trunk/LayoutTests/ChangeLog 2011-07-25 01:27:05 UTC (rev 91652)
+++ trunk/LayoutTests/ChangeLog 2011-07-25 02:16:57 UTC (rev 91653)
@@ -1,3 +1,13 @@
+2011-07-24 Rob Buis <[email protected]>
+
+ Crash in SVGUseElement::updateContainerOffsets on <use> with no parent
+ https://bugs.webkit.org/show_bug.cgi?id=63646
+
+ Reviewed by Darin Adler.
+
+ * svg/custom/use-shadow-root-parent-removal-expected.txt: Added.
+ * svg/custom/use-shadow-root-parent-removal.svg: Added.
+
2011-07-24 Balazs Kelemen <[email protected]>
Yet another unreviewed Qt fixery for the weekend.
Added: trunk/LayoutTests/svg/custom/use-shadow-root-parent-removal-expected.txt (0 => 91653)
--- trunk/LayoutTests/svg/custom/use-shadow-root-parent-removal-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/use-shadow-root-parent-removal-expected.txt 2011-07-25 02:16:57 UTC (rev 91653)
@@ -0,0 +1 @@
+PASS without crash in debug mode.
Added: trunk/LayoutTests/svg/custom/use-shadow-root-parent-removal.svg (0 => 91653)
--- trunk/LayoutTests/svg/custom/use-shadow-root-parent-removal.svg (rev 0)
+++ trunk/LayoutTests/svg/custom/use-shadow-root-parent-removal.svg 2011-07-25 02:16:57 UTC (rev 91653)
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+
+<text id="foreign"/>
+<use y="50" id="test" xlink:href="" />
+<use xlink:href="" />
+
+<text x="10" y= "30">PASS without crash in debug mode.</text>
+
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ var elem = document.getElementById("test");
+ elem.removeAttribute("xlink:href");
+ elem.setAttribute("x", 1);
+</script>
+</svg>
Modified: trunk/Source/WebCore/ChangeLog (91652 => 91653)
--- trunk/Source/WebCore/ChangeLog 2011-07-25 01:27:05 UTC (rev 91652)
+++ trunk/Source/WebCore/ChangeLog 2011-07-25 02:16:57 UTC (rev 91653)
@@ -1,3 +1,18 @@
+2011-07-24 Rob Buis <[email protected]>
+
+ Crash in SVGUseElement::updateContainerOffsets on <use> with no parent
+ https://bugs.webkit.org/show_bug.cgi?id=63646
+
+ Reviewed by Darin Adler.
+
+ Prevent using invalid targetElementInstance->shadowTreeElement after shadow render tree recreation. This situation can
+ only occur when there was a valid shadowTreeElement before setting xlink:href to empty/invalid.
+
+ Test: svg/custom/use-shadow-root-parent-removal.svg
+
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::svgAttributeChanged):
+
2011-07-24 Patrick Gansterer <[email protected]>
Fix AtomicString vs. String usage in JSC binding
Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (91652 => 91653)
--- trunk/Source/WebCore/svg/SVGUseElement.cpp 2011-07-25 01:27:05 UTC (rev 91652)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp 2011-07-25 02:16:57 UTC (rev 91653)
@@ -227,6 +227,7 @@
setHasPendingResources(false);
}
+ m_targetElementInstance = 0;
invalidateShadowTree();
return;
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
