[webkit-changes] [114578] releases/WebKitGTK/webkit-1.8

Wed, 18 Apr 2012 16:23:56 -0700

Title: [114578] releases/WebKitGTK/webkit-1.8

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (114577 => 114578)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-04-18 23:17:38 UTC (rev 114577)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-04-18 23:23:42 UTC (rev 114578)
@@ -1,3 +1,16 @@
+2012-04-18  Philip Rogers  <[email protected]>
+
+        Skip building resources if SVGTRef is not in a document
+        https://bugs.webkit.org/show_bug.cgi?id=81473
+
+        Reviewed by Nikolas Zimmermann.
+
+        * http/tests/svg: Added.
+        * http/tests/svg/resources: Added.
+        * http/tests/svg/resources/svg-tref.svg: Added.
+        * http/tests/svg/tref-adoptNode-crash-expected.txt: Added.
+        * http/tests/svg/tref-adoptNode-crash.html: Added.
+
 2012-04-09  Martin Robinson  <[email protected]>
 
         [soup] Crash while loading http://www.jusco.cn

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/resources/svg-tref.svg (0 => 114578)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/resources/svg-tref.svg	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/resources/svg-tref.svg	2012-04-18 23:23:42 UTC (rev 114578)
@@ -0,0 +1,3 @@
+<svg xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg">
+    <tref xlink:href="" />
+</svg>

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash-expected.txt (0 => 114578)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash-expected.txt	2012-04-18 23:23:42 UTC (rev 114578)
@@ -0,0 +1 @@
+If this text is visible and the test did not crash, this test passes
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash.html (0 => 114578)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash.html	2012-04-18 23:23:42 UTC (rev 114578)
@@ -0,0 +1,24 @@
+<script>
+// Test passes if it does not crash.
+// Note: this test is located under Layouttests/http in order to load an external
+//       document (svg-tref.svg) and modify it without hitting security restrictions.
+    if (window.layoutTestController) {
+        layoutTestController.waitUntilDone();
+        layoutTestController.dumpAsText();
+    }
+
+    function crash() {
+        q = document.getElementById('root').contentDocument;
+        var z = document.lastChild;
+        q.adoptNode( z );
+        e = document.importNode( q.firstChild, true );
+        q.adoptNode( e );
+        r = document.createRange();
+        r.surroundContents( e );
+        e.id = 's';
+        document.write("If this text is visible and the test did not crash, this test passes");
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }
+</script>
+<object data="" id="root" _onload_="crash()"/>
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/http/tests/svg/tref-adoptNode-crash.html
___________________________________________________________________

Added: svn:eol-style

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (114577 => 114578)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-04-18 23:17:38 UTC (rev 114577)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-04-18 23:23:42 UTC (rev 114578)
@@ -1,3 +1,20 @@
+2012-04-18  Philip Rogers  <[email protected]>
+
+        Skip building resources if SVGTRef is not in a document
+        https://bugs.webkit.org/show_bug.cgi?id=81473
+
+        Reviewed by Nikolas Zimmermann.
+
+        We can skip the building of pending resources in SVGTRef if we're not
+        yet in a document. This mirrors the nearly identical logic in
+        SVGUseElement::buildPendingResource() and
+        SVGFEImageElement::buildPendingResource().
+
+        Test: http/tests/svg/tref-adoptNode-crash.html
+
+        * svg/SVGTRefElement.cpp:
+        (WebCore::SVGTRefElement::buildPendingResource):
+
 2012-03-28  Sergio Villar Senin  <[email protected]>
 
         [Soup] DNS prefetching spams resolver, shoots self in the foot

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGTRefElement.cpp (114577 => 114578)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGTRefElement.cpp	2012-04-18 23:17:38 UTC (rev 114577)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGTRefElement.cpp	2012-04-18 23:23:42 UTC (rev 114578)
@@ -262,6 +262,10 @@
     // Remove any existing event listener.
     clearEventListener();
 
+    // If we're not yet in a document, this function will be called again from insertedIntoDocument().
+    if (!inDocument())
+        return;
+
     String id;
     Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
     if (!target) {
@@ -276,10 +280,6 @@
 
     updateReferencedText();
 
-    // We should not add the event listener if we are not in document yet.
-    if (!inDocument())
-        return;
-
     m_eventListener = TargetListener::create(this, id);
     target->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
     target->addEventListener(eventNames().DOMNodeRemovedFromDocumentEvent, m_eventListener.get(), false);

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to