Diff
Modified: branches/safari-604.5.100-branch/LayoutTests/ChangeLog (226142 => 226143)
--- branches/safari-604.5.100-branch/LayoutTests/ChangeLog 2017-12-19 22:36:21 UTC (rev 226142)
+++ branches/safari-604.5.100-branch/LayoutTests/ChangeLog 2017-12-19 23:00:41 UTC (rev 226143)
@@ -1,3 +1,18 @@
+2017-12-18 Jason Marcell <[email protected]>
+
+ Cherry-pick r226065. rdar://problem/36080415
+
+ 2017-12-18 Zalan Bujtas <[email protected]>
+
+ [SVG] Detach list wrappers before resetting the base value.
+ https://bugs.webkit.org/show_bug.cgi?id=180912
+ <rdar://problem/36017970>
+
+ Reviewed by Simon Fraser.
+
+ * svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt: Added.
+ * svg/animations/crash-when-animation-is-running-while-getting-value.html: Added.
+
2017-12-04 Jason Marcell <[email protected]>
Cherry-pick r225381. rdar://problem/35839452
Added: branches/safari-604.5.100-branch/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt (0 => 226143)
--- branches/safari-604.5.100-branch/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt (rev 0)
+++ branches/safari-604.5.100-branch/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt 2017-12-19 23:00:41 UTC (rev 226143)
@@ -0,0 +1,2 @@
+PASS if no crash.
+
Added: branches/safari-604.5.100-branch/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value.html (0 => 226143)
--- branches/safari-604.5.100-branch/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value.html (rev 0)
+++ branches/safari-604.5.100-branch/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value.html 2017-12-19 23:00:41 UTC (rev 226143)
@@ -0,0 +1,16 @@
+PASS if no crash.
+<svg>
+<text x="1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1" id="textElement">
+<set attributeName="x" to="0"/>
+</svg>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+setTimeout(function() {
+ textElement.x.animVal.getItem(0);
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, 0);
+</script>
Modified: branches/safari-604.5.100-branch/Source/WebCore/ChangeLog (226142 => 226143)
--- branches/safari-604.5.100-branch/Source/WebCore/ChangeLog 2017-12-19 22:36:21 UTC (rev 226142)
+++ branches/safari-604.5.100-branch/Source/WebCore/ChangeLog 2017-12-19 23:00:41 UTC (rev 226143)
@@ -1,3 +1,27 @@
+2017-12-18 Jason Marcell <[email protected]>
+
+ Cherry-pick r226065. rdar://problem/36080415
+
+ 2017-12-18 Zalan Bujtas <[email protected]>
+
+ [SVG] Detach list wrappers before resetting the base value.
+ https://bugs.webkit.org/show_bug.cgi?id=180912
+ <rdar://problem/36017970>
+
+ Reviewed by Simon Fraser.
+
+ Before resetting the animation value (and destroying the assigned SVG object -SVGLengthValue in this case),
+ we need to check if there's an associated tear off wrapper for the said SVG object and make a copy of it.
+ This is currently done in the wrong order through animValDidChange.
+
+ Test: svg/animations/crash-when-animation-is-running-while-getting-value.html
+
+ * svg/SVGAnimatedTypeAnimator.h:
+ (WebCore::SVGAnimatedTypeAnimator::resetFromBaseValue):
+ * svg/properties/SVGAnimatedPropertyTearOff.h:
+ * svg/properties/SVGAnimatedStaticPropertyTearOff.h:
+ (WebCore::SVGAnimatedStaticPropertyTearOff::synchronizeWrappersIfNeeded):
+
2017-12-05 Jason Marcell <[email protected]>
Cherry-pick r225528. rdar://problem/35839452
Modified: branches/safari-604.5.100-branch/Source/WebCore/svg/SVGAnimatedTypeAnimator.h (226142 => 226143)
--- branches/safari-604.5.100-branch/Source/WebCore/svg/SVGAnimatedTypeAnimator.h 2017-12-19 22:36:21 UTC (rev 226142)
+++ branches/safari-604.5.100-branch/Source/WebCore/svg/SVGAnimatedTypeAnimator.h 2017-12-19 23:00:41 UTC (rev 226143)
@@ -78,8 +78,11 @@
{
ASSERT(animatedTypes[0].properties.size() == 1);
ASSERT(type.type() == m_type);
+ auto* property = castAnimatedPropertyToActualType<AnimValType>(animatedTypes[0].properties[0].get());
+ property->synchronizeWrappersIfNeeded();
+
typename AnimValType::ContentType& animatedTypeValue = (type.*getter)();
- animatedTypeValue = castAnimatedPropertyToActualType<AnimValType>(animatedTypes[0].properties[0].get())->currentBaseValue();
+ animatedTypeValue = property->currentBaseValue();
executeAction<AnimValType>(StartAnimationAction, animatedTypes, 0, &animatedTypeValue);
}
Modified: branches/safari-604.5.100-branch/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h (226142 => 226143)
--- branches/safari-604.5.100-branch/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h 2017-12-19 22:36:21 UTC (rev 226142)
+++ branches/safari-604.5.100-branch/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h 2017-12-19 23:00:41 UTC (rev 226143)
@@ -106,6 +106,11 @@
ASSERT(isAnimating());
}
+ void synchronizeWrappersIfNeeded()
+ {
+ // no-op
+ }
+
private:
SVGAnimatedPropertyTearOff(SVGElement* contextElement, const QualifiedName& attributeName, AnimatedPropertyType animatedPropertyType, PropertyType& property)
: SVGAnimatedProperty(contextElement, attributeName, animatedPropertyType)
Modified: branches/safari-604.5.100-branch/Source/WebCore/svg/properties/SVGAnimatedStaticPropertyTearOff.h (226142 => 226143)
--- branches/safari-604.5.100-branch/Source/WebCore/svg/properties/SVGAnimatedStaticPropertyTearOff.h 2017-12-19 22:36:21 UTC (rev 226142)
+++ branches/safari-604.5.100-branch/Source/WebCore/svg/properties/SVGAnimatedStaticPropertyTearOff.h 2017-12-19 23:00:41 UTC (rev 226143)
@@ -93,6 +93,11 @@
ASSERT(isAnimating());
}
+ void synchronizeWrappersIfNeeded()
+ {
+ // no-op
+ }
+
protected:
SVGAnimatedStaticPropertyTearOff(SVGElement* contextElement, const QualifiedName& attributeName, AnimatedPropertyType animatedPropertyType, PropertyType& property)
: SVGAnimatedProperty(contextElement, attributeName, animatedPropertyType)
