Title: [180128] trunk
Revision
180128
Author
s...@apple.com
Date
2015-02-15 16:13:16 -0800 (Sun, 15 Feb 2015)

Log Message

Crash when accessing an item in SVGLengthList and then replacing it with a previous item in the list.
https://bugs.webkit.org/show_bug.cgi?id=141552.

Reviewed by Darin Adler.

Source/WebCore:

Tests: LayoutTests/svg/dom/SVGLengthList-basics.xhtml: This test is modified to
include a new test case.

* svg/properties/SVGListPropertyTearOff.h: Commit the removal of the replacing item
before trying to detach the wrapper of the item which is going to be replaced.

LayoutTests:

* svg/dom/SVGLengthList-basics-expected.txt:
* svg/dom/SVGLengthList-basics.xhtml: Add a new test case to this test. Have a
reference to an SVGLength in an SVGLengthList and then replace this SVGLength
with another one which comes before it in the SVGLengthList.

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (180127 => 180128)


--- trunk/LayoutTests/ChangeLog	2015-02-15 20:44:07 UTC (rev 180127)
+++ trunk/LayoutTests/ChangeLog	2015-02-16 00:13:16 UTC (rev 180128)
@@ -1,3 +1,15 @@
+2015-02-15  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        Crash when accessing an item in SVGLengthList and then replacing it with a previous item in the list.
+        https://bugs.webkit.org/show_bug.cgi?id=141552.
+
+        Reviewed by Darin Adler.
+
+        * svg/dom/SVGLengthList-basics-expected.txt:
+        * svg/dom/SVGLengthList-basics.xhtml: Add a new test case to this test. Have a
+        reference to an SVGLength in an SVGLengthList and then replace this SVGLength
+        with another one which comes before it in the SVGLengthList.
+
 2015-02-14  Benjamin Poulain  <benja...@webkit.org>
 
         Add the initial matching implementation for attribute selectors with case-insensitive value

Modified: trunk/LayoutTests/svg/dom/SVGLengthList-basics-expected.txt (180127 => 180128)


--- trunk/LayoutTests/svg/dom/SVGLengthList-basics-expected.txt	2015-02-15 20:44:07 UTC (rev 180127)
+++ trunk/LayoutTests/svg/dom/SVGLengthList-basics-expected.txt	2015-02-16 00:13:16 UTC (rev 180128)
@@ -119,6 +119,22 @@
 Set x='1 2 3 4' for text1
 PASS text1.setAttribute('x', '1 2 3 4') is undefined.
 
+Test overlapping edge cases for replaceItem()
+PASS text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 3) is text1.x.baseVal.getItem(2)
+PASS text1.x.baseVal.numberOfItems is 3
+PASS text1.x.baseVal.getItem(2).value is 2
+PASS text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 2) is text1.x.baseVal.getItem(1)
+PASS text1.x.baseVal.numberOfItems is 2
+PASS text1.x.baseVal.getItem(1).value is 4
+PASS text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 1) is text1.x.baseVal.getItem(0)
+PASS text1.x.baseVal.numberOfItems is 1
+PASS text1.x.baseVal.getItem(0).value is 6
+PASS text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 0) is text1.x.baseVal.getItem(0)
+PASS text1.x.baseVal.numberOfItems is 1
+
+Set x='1 2 3 4' for text1
+PASS text1.setAttribute('x', '1 2 3 4') is undefined.
+
 Test uncommon arguments for removeItem()
 PASS text1.x.baseVal.removeItem(30) threw exception Error: IndexSizeError: DOM Exception 1.
 PASS text1.x.baseVal.removeItem(0).value is 1

Modified: trunk/LayoutTests/svg/dom/SVGLengthList-basics.xhtml (180127 => 180128)


--- trunk/LayoutTests/svg/dom/SVGLengthList-basics.xhtml	2015-02-15 20:44:07 UTC (rev 180127)
+++ trunk/LayoutTests/svg/dom/SVGLengthList-basics.xhtml	2015-02-16 00:13:16 UTC (rev 180128)
@@ -155,6 +155,31 @@
     shouldBeUndefined("text1.setAttribute('x', '1 2 3 4')");
 
     debug("");
+    debug("Test overlapping edge cases for replaceItem()");
+    var item = text1.x.baseVal.getItem(3);
+    shouldBe("text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 3)", "text1.x.baseVal.getItem(2)");
+    shouldBe("text1.x.baseVal.numberOfItems", "3");    
+    item = text1.x.baseVal.getItem(2);
+    item.newValueSpecifiedUnits(item.unitType, item.value * 2);
+    shouldBe("text1.x.baseVal.getItem(2).value", "2");
+    shouldBe("text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 2)", "text1.x.baseVal.getItem(1)");
+    shouldBe("text1.x.baseVal.numberOfItems", "2");
+    item = text1.x.baseVal.getItem(1);
+    item.newValueSpecifiedUnits(item.unitType, item.value * 2);
+    shouldBe("text1.x.baseVal.getItem(1).value", "4");
+    shouldBe("text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 1)", "text1.x.baseVal.getItem(0)");
+    shouldBe("text1.x.baseVal.numberOfItems", "1");
+    item = text1.x.baseVal.getItem(0);
+    item.newValueSpecifiedUnits(item.unitType, item.value * 2);
+    shouldBe("text1.x.baseVal.getItem(0).value", "6");
+    shouldBe("text1.x.baseVal.replaceItem(text1.x.baseVal.getItem(0), 0)", "text1.x.baseVal.getItem(0)");
+    shouldBe("text1.x.baseVal.numberOfItems", "1");
+
+    debug("");
+    debug("Set x='1 2 3 4' for text1");
+    shouldBeUndefined("text1.setAttribute('x', '1 2 3 4')");
+
+    debug("");
     debug("Test uncommon arguments for removeItem()");
     shouldThrow("text1.x.baseVal.removeItem(30)");
 
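Review bot: The first `var item = text1.x.baseVal.getItem(3);` reads like a dead store, because `item` is reassigned before it is ever used. Per the commit log, though, holding that reference is the precondition for the crash under test. A comment such as `// Keep a live wrapper for item 3; replaceItem() below has to detach it (bug 141552).` would stop a later cleanup from deleting the line and silently dropping the regression coverage. The assertions also only inspect the list afterwards; a check on the originally held wrapper before it is reassigned would confirm that the detached object is still safe to touch from script. The enclosing script starts and ends outside this hunk.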

Modified: trunk/Source/WebCore/ChangeLog (180127 => 180128)


--- trunk/Source/WebCore/ChangeLog	2015-02-15 20:44:07 UTC (rev 180127)
+++ trunk/Source/WebCore/ChangeLog	2015-02-16 00:13:16 UTC (rev 180128)
@@ -1,3 +1,16 @@
+2015-02-15  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        Crash when accessing an item in SVGLengthList and then replacing it with a previous item in the list.
+        https://bugs.webkit.org/show_bug.cgi?id=141552.
+
+        Reviewed by Darin Adler.
+
+        Tests: LayoutTests/svg/dom/SVGLengthList-basics.xhtml: This test is modified to
+        include a new test case.
+
+        * svg/properties/SVGListPropertyTearOff.h: Commit the removal of the replacing item
+        before trying to detach the wrapper of the item which going to be replaced.
+
 2015-02-15  David Kilzer  <ddkil...@apple.com>
 
         CoreText only needs to be soft-linked on Windows

Modified: trunk/Source/WebCore/svg/properties/SVGListPropertyTearOff.h (180127 => 180128)


--- trunk/Source/WebCore/svg/properties/SVGListPropertyTearOff.h	2015-02-15 20:44:07 UTC (rev 180127)
+++ trunk/Source/WebCore/svg/properties/SVGListPropertyTearOff.h	2015-02-16 00:13:16 UTC (rev 180128)
@@ -186,7 +186,7 @@
         if (!livesInOtherList && indexToModify && static_cast<unsigned>(indexToRemove) == *indexToModify)
             return false;
 
-        propertyTearOff->removeItemFromList(indexToRemove, livesInOtherList);
+        propertyTearOff->removeItemFromList(indexToRemove, true);
 
         if (!indexToModify)
             return true;
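Review bot: The bare `true` now passed to `removeItemFromList` gives no hint why the local `livesInOtherList` is no longer forwarded, and the ordering requirement from the commit log is not recorded at the call site. A comment such as `// Always commit the removal now; the wrapper of the item being replaced is detached after this returns (bug 141552).` would keep a later refactor from restoring the old argument and bringing back a crash that page script can reach through `replaceItem()`. The rest of the function lies outside this hunk. It is worth confirming there that `*indexToModify` is still adjusted when the removed index precedes it, since the new same-list test cases depend on that.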