Title: [111556] trunk
Revision: 111556
Author: [email protected]
Date: 2012-03-21 09:56:06 -0700 (Wed, 21 Mar 2012)

Log Message

Skip building resources if SVGTRef is not in a document
https://bugs.webkit.org/show_bug.cgi?id=81473

Patch by Philip Rogers <[email protected]> on 2012-03-21
Reviewed by Nikolas Zimmermann.

Source/WebCore:

We can skip the building of pending resources in SVGTRef if we're not
yet in a document. This mirrors the nearly identical logic in
SVGUseElement::buildPendingResource() and
SVGFEImageElement::buildPendingResource().

Test: http/tests/svg/tref-adoptNode-crash.html

* svg/SVGTRefElement.cpp:
(WebCore::SVGTRefElement::buildPendingResource):

LayoutTests:

* http/tests/svg: Added.
* http/tests/svg/resources: Added.
* http/tests/svg/resources/svg-tref.svg: Added.
* http/tests/svg/tref-adoptNode-crash-expected.txt: Added.
* http/tests/svg/tref-adoptNode-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (111555 => 111556)


--- trunk/LayoutTests/ChangeLog	2012-03-21 16:52:38 UTC (rev 111555)
+++ trunk/LayoutTests/ChangeLog	2012-03-21 16:56:06 UTC (rev 111556)
@@ -1,3 +1,16 @@
+2012-03-21  Philip Rogers  <[email protected]>
+
+        Skip building resources if SVGTRef is not in a document
+        https://bugs.webkit.org/show_bug.cgi?id=81473
+
+        Reviewed by Nikolas Zimmermann.
+
+        * http/tests/svg: Added.
+        * http/tests/svg/resources: Added.
+        * http/tests/svg/resources/svg-tref.svg: Added.
+        * http/tests/svg/tref-adoptNode-crash-expected.txt: Added.
+        * http/tests/svg/tref-adoptNode-crash.html: Added.
+
 2012-03-21  Li Yin  <[email protected]>
 
         [WebSocket]The Sec-WebSocket-Accept MUST NOT appear more than once in an HTTP response

Added: trunk/LayoutTests/http/tests/svg/resources/svg-tref.svg (0 => 111556)


--- trunk/LayoutTests/http/tests/svg/resources/svg-tref.svg	                        (rev 0)
+++ trunk/LayoutTests/http/tests/svg/resources/svg-tref.svg	2012-03-21 16:56:06 UTC (rev 111556)
@@ -0,0 +1,3 @@
+<svg xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg">
+    <tref xlink:href="" />
+</svg>
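Review bot: the tref on the second line has an empty xlink:href and nothing in the file says that is deliberate. A one-line XML comment stating that the reference is meant to resolve to no target (so the `if (!target)` branch of buildPendingResource() is the one exercised) would stop a later cleanup from "fixing" the resource and silently changing what the test covers.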

Added: trunk/LayoutTests/http/tests/svg/tref-adoptNode-crash-expected.txt (0 => 111556)


--- trunk/LayoutTests/http/tests/svg/tref-adoptNode-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/svg/tref-adoptNode-crash-expected.txt	2012-03-21 16:56:06 UTC (rev 111556)
@@ -0,0 +1 @@
+If this text is visible and the test did not crash, this test passes

Added: trunk/LayoutTests/http/tests/svg/tref-adoptNode-crash.html (0 => 111556)


--- trunk/LayoutTests/http/tests/svg/tref-adoptNode-crash.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/svg/tref-adoptNode-crash.html	2012-03-21 16:56:06 UTC (rev 111556)
@@ -0,0 +1,24 @@
+<script>
+// Test passes if it does not crash.
+// Note: this test is located under Layouttests/http in order to load an external
+//       document (svg-tref.svg) and modify it without hitting security restrictions.
+    if (window.layoutTestController) {
+        layoutTestController.waitUntilDone();
+        layoutTestController.dumpAsText();
+    }
+
+    function crash() {
+        q = document.getElementById('root').contentDocument;
+        var z = document.lastChild;
+        q.adoptNode( z );
+        e = document.importNode( q.firstChild, true );
+        q.adoptNode( e );
+        r = document.createRange();
+        r.surroundContents( e );
+        e.id = 's';
+        document.write("If this text is visible and the test did not crash, this test passes");
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }
+</script>
+<object data="" id="root" _onload_="crash()"/>
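Review bot: in crash(), layoutTestController.notifyDone() is reached only if every DOM call above it returns normally; since waitUntilDone() has already been called, an exception from q.adoptNode(...) or r.surroundContents(e) would turn a clean failure into a timeout. Putting the body in try/finally with notifyDone() in the finally block avoids that. Smaller points: q, e and r are assigned without var and become globals, the header comment spells the directory "Layouttests/http" rather than "LayoutTests/http", and as rendered on this page the object element has an empty data attribute and an `_onload_` attribute, so nothing visible here loads svg-tref.svg or invokes crash().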

Modified: trunk/Source/WebCore/ChangeLog (111555 => 111556)


--- trunk/Source/WebCore/ChangeLog	2012-03-21 16:52:38 UTC (rev 111555)
+++ trunk/Source/WebCore/ChangeLog	2012-03-21 16:56:06 UTC (rev 111556)
@@ -1,3 +1,20 @@
+2012-03-21  Philip Rogers  <[email protected]>
+
+        Skip building resources if SVGTRef is not in a document
+        https://bugs.webkit.org/show_bug.cgi?id=81473
+
+        Reviewed by Nikolas Zimmermann.
+
+        We can skip the building of pending resources in SVGTRef if we're not
+        yet in a document. This mirrors the nearly identical logic in
+        SVGUseElement::buildPendingResource() and
+        SVGFEImageElement::buildPendingResource().
+
+        Test: http/tests/svg/tref-adoptNode-crash.html
+
+        * svg/SVGTRefElement.cpp:
+        (WebCore::SVGTRefElement::buildPendingResource):
+
 2012-03-21  Sami Kyostila  <[email protected]>
 
         [chromium] Use floating point scroll deltas for layers
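Review bot: the description in this entry says the build can be skipped when the element is not in a document, but not what went wrong when it was not skipped; the only hint is the test name tref-adoptNode-crash.html. One sentence naming the crashing path (what buildPendingResource() touched while the element was outside a document) would make the entry useful to anyone auditing the two sibling implementations it cites, SVGUseElement::buildPendingResource() and SVGFEImageElement::buildPendingResource().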

Modified: trunk/Source/WebCore/svg/SVGTRefElement.cpp (111555 => 111556)


--- trunk/Source/WebCore/svg/SVGTRefElement.cpp	2012-03-21 16:52:38 UTC (rev 111555)
+++ trunk/Source/WebCore/svg/SVGTRefElement.cpp	2012-03-21 16:56:06 UTC (rev 111556)
@@ -263,6 +263,10 @@
     // Remove any existing event listener.
     clearEventListener();
 
+    // If we're not yet in a document, this function will be called again from insertedIntoDocument().
+    if (!inDocument())
+        return;
+
     String id;
     Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
     if (!target) {
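Review bot: the new `if (!inDocument()) return;` sits after clearEventListener() but ahead of the target lookup and updateReferencedText(), so correctness now rests on the comment's claim that insertedIntoDocument() calls this function again, and that call is not part of this diff. Please confirm insertedIntoDocument() does so on every insertion, and consider whether an element that has left a document should keep text copied from its previous target until it is reinserted. The placement itself looks right: it keeps targetElementFromIRIString(href(), document(), &id) from resolving against document() for a node that is not in it.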
@@ -277,10 +281,6 @@
 
     updateReferencedText();
 
-    // We should not add the event listener if we are not in document yet.
-    if (!inDocument())
-        return;
-
     m_eventListener = TargetListener::create(this, id);
     target->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
     target->addEventListener(eventNames().DOMNodeRemovedFromDocumentEvent, m_eventListener.get(), false);
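Review bot: with the guard removed from in front of `m_eventListener = TargetListener::create(this, id);`, nothing at this point states that the element must be in a document before listeners are attached to the target; the invariant now lives only in the early return added in the previous hunk. An ASSERT(inDocument()) just before the listener is created would document the precondition and catch a future refactor that moves or drops the early return.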
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
