Title: [109390] branches/chromium/963
- Revision
- 109390
- Author
- [email protected]
- Date
- 2012-03-01 12:28:30 -0800 (Thu, 01 Mar 2012)
Log Message
Merge 109345
BUG=116093
Review URL: https://chromiumcodereview.appspot.com/9568029
Modified Paths
Added Paths
Diff
Copied: branches/chromium/963/LayoutTests/svg/animations/resources/smil-element-target-crash.svg (from rev 109345, trunk/LayoutTests/svg/animations/resources/smil-element-target-crash.svg) (0 => 109390)
--- branches/chromium/963/LayoutTests/svg/animations/resources/smil-element-target-crash.svg (rev 0)
+++ branches/chromium/963/LayoutTests/svg/animations/resources/smil-element-target-crash.svg 2012-03-01 20:28:30 UTC (rev 109390)
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<set attributeName="visibility" begin="focusin"/>
+</svg>
Copied: branches/chromium/963/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt (from rev 109345, trunk/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt) (0 => 109390)
--- branches/chromium/963/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt (rev 0)
+++ branches/chromium/963/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt 2012-03-01 20:28:30 UTC (rev 109390)
@@ -0,0 +1 @@
+PASS
Copied: branches/chromium/963/LayoutTests/svg/animations/smil-element-target-crash-main.html (from rev 109345, trunk/LayoutTests/svg/animations/smil-element-target-crash-main.html) (0 => 109390)
--- branches/chromium/963/LayoutTests/svg/animations/smil-element-target-crash-main.html (rev 0)
+++ branches/chromium/963/LayoutTests/svg/animations/smil-element-target-crash-main.html 2012-03-01 20:28:30 UTC (rev 109390)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function crash()
+{
+ var doc = document.implementation.createDocument();
+ doc.adoptNode(object1.contentDocument.getElementsByTagName("svg")[0]);
+ delete doc;
+
+ if (window.GCController)
+ GCController.collect();
+
+ document.open();
+ document.write('PASS');
+ document.close();
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+function runTest()
+{
+ setTimeout("crash()", 0);
+}
+</script>
+<object data="" id="object1" _onload_="runTest()"></object>
+<iframe id="iframe1"></iframe>
+</html>
Modified: branches/chromium/963/Source/WebCore/svg/animation/SVGSMILElement.cpp (109389 => 109390)
--- branches/chromium/963/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-03-01 20:20:41 UTC (rev 109389)
+++ branches/chromium/963/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-03-01 20:28:30 UTC (rev 109390)
@@ -200,14 +200,17 @@
m_timeContainer->unschedule(this);
m_timeContainer = 0;
}
+ // Calling disconnectConditions() may kill us if there are syncbase conditions.
+ // OK, but we don't want to die inside the call.
+ RefPtr<SVGSMILElement> keepAlive(this);
+ disconnectConditions();
+
+ // Clear target now, because disconnectConditions calls targetElement() which will recreate the target if we removed it sooner.
if (m_targetElement) {
document()->accessSVGExtensions()->removeAnimationElementFromTarget(this, m_targetElement);
m_targetElement = 0;
}
- // Calling disconnectConditions() may kill us if there are syncbase conditions.
- // OK, but we don't want to die inside the call.
- RefPtr<SVGSMILElement> keepAlive(this);
- disconnectConditions();
+
SVGElement::removedFromDocument();
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
