Skip to site navigation (Press enter)

[webkit-changes] [122143] branches/chromium/1180

cevans Mon, 09 Jul 2012 12:42:50 -0700

Title: [122143] branches/chromium/1180

Revision: 122143
Author: [email protected]
Date: 2012-07-09 12:42:43 -0700 (Mon, 09 Jul 2012)

Log Message

Merge 121491
BUG=134428
Review URL: https://chromiumcodereview.appspot.com/10762005


Modified Paths

branches/chromium/1180/Source/WebCore/svg/animation/SVGSMILElement.cpp


Added Paths

branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash-expected.txt
branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash.html

Diff

Copied: branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash-expected.txt (from rev 121491, trunk/LayoutTests/svg/custom/animate-reference-crash-expected.txt) (0 => 122143)


--- branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash-expected.txt	2012-07-09 19:42:43 UTC (rev 122143)
@@ -0,0 +1 @@
+PASS

Copied: branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash.html (from rev 121491, trunk/LayoutTests/svg/custom/animate-reference-crash.html) (0 => 122143)


--- branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash.html	                        (rev 0)
+++ branches/chromium/1180/LayoutTests/svg/custom/animate-reference-crash.html	2012-07-09 19:42:43 UTC (rev 122143)
@@ -0,0 +1,24 @@
+<!DOCTYPE HTML>
+<!-- Test for WK90042 - Passes if there is no crash and "PASS" is displayed. -->
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var textElement = document.createElementNS("http://www.w3.org/2000/svg", "text");
+document.documentElement.appendChild(textElement);
+var aElement = document.createElementNS("http://www.w3.org/2000/svg", "a");
+var animateElement = document.createElementNS("http://www.w3.org/2000/svg", "animate");
+aElement.appendChild(animateElement);
+document.implementation.createDocument("", "", null).adoptNode(aElement);
+for (something in animateElement)
+    animateElement[something];
+textElement.appendChild(animateElement);
+textElement.parentNode.removeChild(textElement);
+
+// Not crashing at this point means we PASS.
+document.body.innerHTML = "PASS";
+</script>
+</body>
+</html>

Modified: branches/chromium/1180/Source/WebCore/svg/animation/SVGSMILElement.cpp (122142 => 122143)


--- branches/chromium/1180/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-07-09 19:41:31 UTC (rev 122142)
+++ branches/chromium/1180/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-07-09 19:42:43 UTC (rev 122143)
@@ -556,6 +556,9 @@
     if (m_targetElement)
         return m_targetElement;
 
+    if (!inDocument())
+        return 0;
+
     String href = ""
     ContainerNode* target = href.isEmpty() ? parentNode() : SVGURIReference::targetElementFromIRIString(href, document());
     if (!target || !target->isSVGElement())

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes