Diff
Modified: trunk/LayoutTests/ChangeLog (94904 => 94905)
--- trunk/LayoutTests/ChangeLog 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/LayoutTests/ChangeLog 2011-09-10 11:25:03 UTC (rev 94905)
@@ -1,3 +1,16 @@
+2011-09-10 Ken Buchanan <ke...@chromium.org>
+
+ Crash due to bad data in SVGDocumentExtensions m_pendingResources.
+ https://bugs.webkit.org/show_bug.cgi?id=67488
+
+ Reviewed by Nikolas Zimmermann.
+
+ Test added: validating that the crash referenced in the bug is not present.
+
+ * svg/dom/SVGStyledElement-pendingResource-crash.html: Added.
+ * svg/dom/SVGStyledElement-pendingResource-crash-expected.txt: Added.
+ * svg/dom/resources/SVGStyledElement-pendingResource-crash.svg: Added.
+
2011-09-09 Erik Arvidsson <a...@chromium.org>
Move Element.contains to Node
Property changes on: trunk/LayoutTests/ChangeLog
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt (0 => 94905)
--- trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt 2011-09-10 11:25:03 UTC (rev 94905)
@@ -0,0 +1 @@
+PASS, if DumpRenderTree doesn't crash, and no assertion in a Debug build.
Property changes on: trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash-expected.txt
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html (0 => 94905)
--- trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html (rev 0)
+++ trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html 2011-09-10 11:25:03 UTC (rev 94905)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html >
+ <script>
+ function body_start() {
+ var q = document.getElementById('root').contentDocument;
+ q.getElementsByTagName('svg')[0].replaceChild(q.getElementById('refImage'), q.getElementById('d'));
+ q.getElementsByTagName('use')[0].setAttribute('xlink:href', '#testName');
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+ setTimeout(function () {
+ document.body.innerHTML = "PASS, if DumpRenderTree doesn't crash, and no assertion in a Debug build.";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }, 0);
+ }
+ </script>
+ <object data="" id="root" _onload_="body_start();" type="image/svg+xml"/></object>
+</html>
Property changes on: trunk/LayoutTests/svg/dom/SVGStyledElement-pendingResource-crash.html
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg (0 => 94905)
--- trunk/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg (rev 0)
+++ trunk/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg 2011-09-10 11:25:03 UTC (rev 94905)
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <image id="refImage"/>
+ <g>
+ <text id="testName">X</text>
+ <use xlink:href="" />
+ </g>
+ <defs id="d">
+ <g id="navigationGroup" fill='url(#testName)'>
+ <a stroke='url(#refImage)'><text id="ABC">A</text></a>
+ </g>
+ </defs>
+</svg>
Property changes on: trunk/LayoutTests/svg/dom/resources/SVGStyledElement-pendingResource-crash.svg
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (94904 => 94905)
--- trunk/Source/WebCore/ChangeLog 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/Source/WebCore/ChangeLog 2011-09-10 11:25:03 UTC (rev 94905)
@@ -1,3 +1,30 @@
+2011-09-10 Ken Buchanan <ke...@chromium.org>
+
+ Crash due to bad data in SVGDocumentExtensions m_pendingResources
+ https://bugs.webkit.org/show_bug.cgi?id=67488
+
+ Reviewed by Nikolas Zimmermann.
+
+ Resolving a crash condition caused by the deletion of
+ elements while pending resource entries for those elements are still
+ recorded.
+
+ * rendering/svg/RenderSVGResourceContainer.cpp:
+ (WebCore::RenderSVGResourceContainer::registerResource)
+ * svg/SVGDocumentExtensions.h:
+ (WebCore::SVGDocumentExtensions::isElementInPendingResources)
+ * svg/SVGDocumentExtensions.cpp:
+ (WebCore::SVGDocumentExtensions::addPendingResource)
+ (WebCore::SVGDocumentExtensions::isElementInPendingResources)
+ (WebCore::SVGDocumentExtensions::removeElementFromPendingResources)
+ * svg/SVGStyledElement.h:
+ (WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible)
+ * svg/SVGStyledElement.cpp:
+ (WebCore::SVGStyledElement::buildPendingResourcesIfNeeded)
+ (WebCore::SVGStyledElement::clearHasPendingResourcesIfPossible)
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::svgAttributeChanged)
+
2011-09-10 Adam Barth <aba...@webkit.org>
Remove DocumentWriter::deprecatedFrameEncoding()
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp (94904 => 94905)
--- trunk/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp 2011-09-10 11:25:03 UTC (rev 94905)
@@ -168,7 +168,7 @@
const SVGDocumentExtensions::SVGPendingElements::const_iterator end = clients->end();
for (SVGDocumentExtensions::SVGPendingElements::const_iterator it = clients->begin(); it != end; ++it) {
ASSERT((*it)->hasPendingResources());
- (*it)->setHasPendingResources(false);
+ (*it)->clearHasPendingResourcesIfPossible();
RenderObject* renderer = (*it)->renderer();
if (!renderer)
continue;
Modified: trunk/Source/WebCore/svg/SVGDocumentExtensions.cpp (94904 => 94905)
--- trunk/Source/WebCore/svg/SVGDocumentExtensions.cpp 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/Source/WebCore/svg/SVGDocumentExtensions.cpp 2011-09-10 11:25:03 UTC (rev 94905)
@@ -227,7 +227,7 @@
m_pendingResources.add(id, set);
}
- element->setHasPendingResources(true);
+ element->setHasPendingResources();
}
bool SVGDocumentExtensions::hasPendingResources(const AtomicString& id) const
@@ -238,6 +238,24 @@
return m_pendingResources.contains(id);
}
+bool SVGDocumentExtensions::isElementInPendingResources(SVGStyledElement* element) const
+{
+ ASSERT(element);
+
+ if (m_pendingResources.isEmpty())
+ return false;
+
+ HashMap<AtomicString, SVGPendingElements*>::const_iterator end = m_pendingResources.end();
+ for (HashMap<AtomicString, SVGPendingElements*>::const_iterator it = m_pendingResources.begin(); it != end; ++it) {
+ SVGPendingElements* elements = it->second;
+ ASSERT(elements);
+
+ if (elements->contains(element))
+ return true;
+ }
+ return false;
+}
+
void SVGDocumentExtensions::removeElementFromPendingResources(SVGStyledElement* element)
{
ASSERT(element);
@@ -245,8 +263,6 @@
if (m_pendingResources.isEmpty() || !element->hasPendingResources())
return;
- element->setHasPendingResources(false);
-
Vector<AtomicString> toBeRemoved;
HashMap<AtomicString, SVGPendingElements*>::iterator end = m_pendingResources.end();
for (HashMap<AtomicString, SVGPendingElements*>::iterator it = m_pendingResources.begin(); it != end; ++it) {
@@ -259,6 +275,8 @@
toBeRemoved.append(it->first);
}
+ element->clearHasPendingResourcesIfPossible();
+
if (toBeRemoved.isEmpty())
return;
Property changes on: trunk/Source/WebCore/svg/SVGDocumentExtensions.cpp
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/svg/SVGDocumentExtensions.h (94904 => 94905)
--- trunk/Source/WebCore/svg/SVGDocumentExtensions.h 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/Source/WebCore/svg/SVGDocumentExtensions.h 2011-09-10 11:25:03 UTC (rev 94905)
@@ -81,6 +81,7 @@
// For instance, dynamically build gradients / patterns / clippers...
void addPendingResource(const AtomicString& id, SVGStyledElement*);
bool hasPendingResources(const AtomicString& id) const;
+ bool isElementInPendingResources(SVGStyledElement*) const;
void removeElementFromPendingResources(SVGStyledElement*);
PassOwnPtr<SVGPendingElements> removePendingResource(const AtomicString& id);
};
Property changes on: trunk/Source/WebCore/svg/SVGDocumentExtensions.h
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/svg/SVGStyledElement.cpp (94904 => 94905)
--- trunk/Source/WebCore/svg/SVGStyledElement.cpp 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/Source/WebCore/svg/SVGStyledElement.cpp 2011-09-10 11:25:03 UTC (rev 94905)
@@ -389,7 +389,7 @@
for (SVGDocumentExtensions::SVGPendingElements::const_iterator it = clients->begin(); it != end; ++it) {
ASSERT((*it)->hasPendingResources());
(*it)->buildPendingResource();
- (*it)->setHasPendingResources(false);
+ (*it)->clearHasPendingResourcesIfPossible();
}
}
@@ -456,11 +456,17 @@
return hasRareSVGData() && rareSVGData()->hasPendingResources();
}
-void SVGStyledElement::setHasPendingResources(bool value)
+void SVGStyledElement::setHasPendingResources()
{
- ensureRareSVGData()->setHasPendingResources(value);
+ ensureRareSVGData()->setHasPendingResources(true);
}
+void SVGStyledElement::clearHasPendingResourcesIfPossible()
+{
+ if (!document()->accessSVGExtensions()->isElementInPendingResources(this))
+ ensureRareSVGData()->setHasPendingResources(false);
+}
+
AffineTransform SVGStyledElement::localCoordinateSpaceTransform(SVGLocatable::CTMScope) const
{
// To be overriden by SVGStyledLocatableElement/SVGStyledTransformableElement (or as special case SVGTextElement)
Property changes on: trunk/Source/WebCore/svg/SVGStyledElement.cpp
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/svg/SVGStyledElement.h (94904 => 94905)
--- trunk/Source/WebCore/svg/SVGStyledElement.h 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/Source/WebCore/svg/SVGStyledElement.h 2011-09-10 11:25:03 UTC (rev 94905)
@@ -50,7 +50,8 @@
void setInstanceUpdatesBlocked(bool);
bool hasPendingResources() const;
- void setHasPendingResources(bool);
+ void setHasPendingResources();
+ void clearHasPendingResourcesIfPossible();
virtual void animatedPropertyTypeForAttribute(const QualifiedName&, Vector<AnimatedPropertyType>&);
static bool isAnimatableCSSProperty(const QualifiedName&);
Property changes on: trunk/Source/WebCore/svg/SVGStyledElement.h
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (94904 => 94905)
--- trunk/Source/WebCore/svg/SVGUseElement.cpp 2011-09-10 08:33:43 UTC (rev 94904)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp 2011-09-10 11:25:03 UTC (rev 94905)
@@ -204,11 +204,11 @@
const SVGDocumentExtensions::SVGPendingElements::const_iterator end = clients->end();
for (SVGDocumentExtensions::SVGPendingElements::const_iterator it = clients->begin(); it != end; ++it) {
ASSERT((*it)->hasPendingResources());
- (*it)->setHasPendingResources(false);
+ (*it)->clearHasPendingResourcesIfPossible();
}
m_resourceId = String();
- setHasPendingResources(false);
+ clearHasPendingResourcesIfPossible();
}
m_targetElementInstance = 0;
