Title: [121491] trunk
Revision: 121491
Author: [email protected]
Date: 2012-06-28 17:13:07 -0700 (Thu, 28 Jun 2012)

Log Message

Prevent crash in animate resource handling
https://bugs.webkit.org/show_bug.cgi?id=90042

Reviewed by Abhishek Arya.

Source/WebCore:

This patch adds a check that we are in a document before registering animation
resources and creating a target element in SVGSMILElement. This prevents a crash where
we would register resources and create the target when we were not in a document
but fail to deregister / reset the target when we were removed from a document.
In failing to reset the target, we can crash when trying to deregister resources that
were not created after being inserted into a document and then removed.

The existence of m_targetResources and registered animation resources is now
tied to being in a document.

Test: svg/custom/animate-reference-crash.html

* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::targetElement):

LayoutTests:

* svg/custom/animate-reference-crash-expected.txt: Added.
* svg/custom/animate-reference-crash.html: Added.

Modified Paths

* trunk/LayoutTests/ChangeLog
* trunk/Source/WebCore/ChangeLog
* trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp

Added Paths

* trunk/LayoutTests/svg/custom/animate-reference-crash-expected.txt
* trunk/LayoutTests/svg/custom/animate-reference-crash.html
Diff

Modified: trunk/LayoutTests/ChangeLog (121490 => 121491)


--- trunk/LayoutTests/ChangeLog	2012-06-29 00:06:01 UTC (rev 121490)
+++ trunk/LayoutTests/ChangeLog	2012-06-29 00:13:07 UTC (rev 121491)
@@ -1,3 +1,13 @@
+2012-06-28  Philip Rogers  <[email protected]>
+
+        Prevent crash in animate resource handling
+        https://bugs.webkit.org/show_bug.cgi?id=90042
+
+        Reviewed by Abhishek Arya.
+
+        * svg/custom/animate-reference-crash-expected.txt: Added.
+        * svg/custom/animate-reference-crash.html: Added.
+
 2012-06-28  Joshua Bell  <[email protected]>
 
         IndexedDB: IDBDatabase should have a close pending field.

Added: trunk/LayoutTests/svg/custom/animate-reference-crash-expected.txt (0 => 121491)


--- trunk/LayoutTests/svg/custom/animate-reference-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/animate-reference-crash-expected.txt	2012-06-29 00:13:07 UTC (rev 121491)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/svg/custom/animate-reference-crash.html (0 => 121491)


--- trunk/LayoutTests/svg/custom/animate-reference-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/animate-reference-crash.html	2012-06-29 00:13:07 UTC (rev 121491)
@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<!-- Test for WK90042 - Passes if there is no crash and "PASS" is displayed. -->
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var textElement = document.createElementNS("http://www.w3.org/2000/svg", "text");
+document.documentElement.appendChild(textElement);
+var aElement = document.createElementNS("http://www.w3.org/2000/svg", "a");
+var animateElement = document.createElementNS("http://www.w3.org/2000/svg", "animate");
+aElement.appendChild(animateElement);
+document.implementation.createDocument("", "", null).adoptNode(aElement);
+for (something in animateElement)
+    animateElement[something];
+textElement.appendChild(animateElement);
+textElement.parentNode.removeChild(textElement);
+
+// Not crashing at this point means we PASS.
+document.body.innerHTML = "PASS";
+</script>
+</body>
+</html>
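Review bot: `for (something in animateElement)` assigns to an undeclared global `something`; declare the loop variable (`for (var something in animateElement)`). The loop's only purpose is presumably to touch every property of the still-detached animate element so that its getters resolve the target before the element is inserted under `textElement`; a short comment saying so would explain the repro better than the bug number in the header comment alone, and the `document.implementation.createDocument("", "", null).adoptNode(aElement)` step likewise deserves a comment noting that it moves `aElement` (and the animate child) out of the main document.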

Modified: trunk/Source/WebCore/ChangeLog (121490 => 121491)


--- trunk/Source/WebCore/ChangeLog	2012-06-29 00:06:01 UTC (rev 121490)
+++ trunk/Source/WebCore/ChangeLog	2012-06-29 00:13:07 UTC (rev 121491)
@@ -1,3 +1,25 @@
+2012-06-28  Philip Rogers  <[email protected]>
+
+        Prevent crash in animate resource handling
+        https://bugs.webkit.org/show_bug.cgi?id=90042
+
+        Reviewed by Abhishek Arya.
+
+        This patch adds a check that we are in a document before registering animation
+        resources and creating a target element in SVGSMILElement. This prevents a crash where
+        we would register resources and create the target when we were not in a document
+        but fail to deregister / reset the target when we were removed from a document.
+        In failing to reset the target, we can crash when trying to deregister resources that
+        were not created after being inserted into a document and then removed.
+
+        The existence of m_targetResources and registered animation resources is now
+        tied to being in a document.
+
+        Test: svg/custom/animate-reference-crash.html
+
+        * svg/animation/SVGSMILElement.cpp:
+        (WebCore::SVGSMILElement::targetElement):
+
 2012-06-28  Joshua Bell  <[email protected]>
 
         IndexedDB: IDBDatabase should have a close pending field.
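Review bot: the last sentence of the description ("we can crash when trying to deregister resources that were not created after being inserted into a document and then removed") is hard to follow; consider restating the sequence explicitly: resources and the target are created while the element is detached, never reset on removal because the element was not in a document, and a later insertion followed by removal then deregisters resources that were never registered for that document.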

Modified: trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp (121490 => 121491)


--- trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-06-29 00:06:01 UTC (rev 121490)
+++ trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-06-29 00:13:07 UTC (rev 121491)
@@ -554,6 +554,9 @@
     if (m_targetElement)
         return m_targetElement;
 
+    if (!inDocument())
+        return 0;
+
     String href = ""
     ContainerNode* target = href.isEmpty() ? parentNode() : SVGURIReference::targetElementFromIRIString(href, document());
     if (!target || !target->isSVGElement())
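Review bot: the new `if (!inDocument()) return 0;` guard keeps `m_targetElement` from being created while the element is detached, but it also makes `targetElement()` return null for every detached SMIL element, so all callers must tolerate a null result (the existing `if (!target || !target->isSVGElement())` path shows the function could already return 0, which suggests they do). Add a one-line comment above the check stating that target resolution and resource registration are deliberately deferred until insertion into a document, so a future reader does not remove it as redundant. Also, the context line `String href = ""` is shown without a terminating semicolon in this rendering, so the source of `href` is not visible here; worth confirming against the actual file.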
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
