Title: [96050] branches/chromium/835
- Revision
- 96050
- Author
- [email protected]
- Date
- 2011-09-26 17:24:17 -0700 (Mon, 26 Sep 2011)
Log Message
Revert 96034 - Merge 95791 - use after free in WebCore::SVGTRefElement::updateReferencedText
BUG=95359
Review URL: http://codereview.chromium.org/8046025
[email protected]
Review URL: http://codereview.chromium.org/8041053
Modified Paths
Removed Paths
Diff
Deleted: branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash-expected.txt (96049 => 96050)
--- branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash-expected.txt 2011-09-27 00:23:31 UTC (rev 96049)
+++ branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash-expected.txt 2011-09-27 00:24:17 UTC (rev 96050)
@@ -1 +0,0 @@
-PASS
Deleted: branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash.html (96049 => 96050)
--- branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash.html 2011-09-27 00:23:31 UTC (rev 96049)
+++ branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash.html 2011-09-27 00:24:17 UTC (rev 96050)
@@ -1,33 +0,0 @@
-<svg xmlns:xlink="http://www.w3.org/1999/xlink" _onload_="runTest()">
- <defs>
- <style id="style"/>
- <text id="ref"></text>
- </defs>
- <g><use xlink:href=""
- <g><text><tref id="tref" xlink:href=""
- <script>
- function gc() {
- if (window.GCController)
- GCController.collect();
- else {
- for (var i = 0; i < 10000; ++i)
- new Object;
- }
- }
- if (window.layoutTestController) {
- layoutTestController.dumpAsText();
- layoutTestController.waitUntilDone();
- }
- function runTest() {
- var tref = document.getElementById("tref");
- tref.cloneNode(true);
- gc();
- var elem = document.getElementById("style");
- var parent = elem.parentNode;
- parent.insertBefore(document.createElement("source"), elem);
- document.body.innerHTML = "PASS";
- if (window.layoutTestController)
- layoutTestController.notifyDone();
- }
- </script>
-</svg>
Modified: branches/chromium/835/Source/WebCore/svg/SVGTRefElement.cpp (96049 => 96050)
--- branches/chromium/835/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-27 00:23:31 UTC (rev 96049)
+++ branches/chromium/835/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-27 00:24:17 UTC (rev 96050)
@@ -193,11 +193,9 @@
return;
}
updateReferencedText();
- if (inDocument()) {
- m_eventListener = SubtreeModificationEventListener::create(this, id);
- ASSERT(target->parentNode());
- target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
- }
+ m_eventListener = SubtreeModificationEventListener::create(this, id);
+ ASSERT(target->parentNode());
+ target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
if (RenderObject* renderer = this->renderer())
RenderSVGResource::markForLayoutAndParentResourceInvalidation(renderer);
return;
@@ -243,21 +241,6 @@
}
}
-void SVGTRefElement::insertedIntoDocument()
-{
- SVGStyledElement::insertedIntoDocument();
- String id;
- Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
- if (!target) {
- document()->accessSVGExtensions()->addPendingResource(id, this);
- return;
- }
- updateReferencedText();
- m_eventListener = SubtreeModificationEventListener::create(this, id);
- ASSERT(target->parentNode());
- target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
-}
-
void SVGTRefElement::removedFromDocument()
{
SVGStyledElement::removedFromDocument();
Modified: branches/chromium/835/Source/WebCore/svg/SVGTRefElement.h (96049 => 96050)
--- branches/chromium/835/Source/WebCore/svg/SVGTRefElement.h 2011-09-27 00:23:31 UTC (rev 96049)
+++ branches/chromium/835/Source/WebCore/svg/SVGTRefElement.h 2011-09-27 00:24:17 UTC (rev 96050)
@@ -47,7 +47,6 @@
virtual bool childShouldCreateRenderer(Node*) const;
virtual bool rendererIsNeeded(const NodeRenderingContext&);
- virtual void insertedIntoDocument();
virtual void removedFromDocument();
void updateReferencedText();
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
