Title: [122149] branches/chromium/1180
Revision
122149
Author
[email protected]
Date
2012-07-09 12:58:07 -0700 (Mon, 09 Jul 2012)

Log Message

Merge 120731
BUG=132690
Review URL: https://chromiumcodereview.appspot.com/10763008

Modified Paths

Added Paths

Diff

Copied: branches/chromium/1180/LayoutTests/svg/custom/intersection-list-crash-expected.txt (from rev 120731, trunk/LayoutTests/svg/custom/intersection-list-crash-expected.txt) (0 => 122149)


--- branches/chromium/1180/LayoutTests/svg/custom/intersection-list-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1180/LayoutTests/svg/custom/intersection-list-crash-expected.txt	2012-07-09 19:58:07 UTC (rev 122149)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Copied: branches/chromium/1180/LayoutTests/svg/custom/intersection-list-crash.svg (from rev 120731, trunk/LayoutTests/svg/custom/intersection-list-crash.svg) (0 => 122149)


--- branches/chromium/1180/LayoutTests/svg/custom/intersection-list-crash.svg	                        (rev 0)
+++ branches/chromium/1180/LayoutTests/svg/custom/intersection-list-crash.svg	2012-07-09 19:58:07 UTC (rev 122149)
@@ -0,0 +1,26 @@
+<svg _onload_="runTest()" xmlns="http://www.w3.org/2000/svg" id="askedForIntersection">
+<style>
+.c1:nth-last-of-type(1n) { }
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function runTest()
+{
+    docElement = document.documentElement;
+    textarea = document.createElementNS("http://www.w3.org/1999/xhtml", "textarea");
+    textarea.setAttribute("class", "c1");
+    docElement.appendChild(textarea);
+    object = document.createElementNS("http://www.w3.org/1999/xhtml", "object");
+    object.setAttribute("usemap", "#DivLogo-map");
+    iframe = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
+    docElement.appendChild(iframe);
+    var svg = document.getElementById('askedForIntersection');
+    var rect = svg.createSVGRect();
+    svg.getIntersectionList(rect, svg);
+}
+</script>
+<rect style='content: counters(c, ".", decimal)'></rect>
+<text x="10" y="50">PASS. WebKit didn't crash.</text>
+</svg>
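Review bot: As printed here the root element's handler attribute on the first added line is `_onload_`, which is not an event-handler attribute, so `runTest()` would never be called and the test would show PASS without reaching `svg.getIntersectionList(rect, svg)`. This is probably the mail archive rewriting `onload`, but it is worth confirming against the trunk copy from r120731 that the merged file really fires the handler. The script also has no comment saying what it guards; a line such as `<!-- Regression test for BUG=132690: getIntersectionList() must not crash. -->` above `<script>` would tell the next reader why the unused textarea, object and iframe are there.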

Modified: branches/chromium/1180/Source/WebCore/rendering/svg/RenderSVGModelObject.cpp (122148 => 122149)


--- branches/chromium/1180/Source/WebCore/rendering/svg/RenderSVGModelObject.cpp	2012-07-09 19:57:05 UTC (rev 122148)
+++ branches/chromium/1180/Source/WebCore/rendering/svg/RenderSVGModelObject.cpp	2012-07-09 19:58:07 UTC (rev 122149)
@@ -171,8 +171,10 @@
     if (!isGraphicsElement(renderer))
         return false;
     AffineTransform ctm;
-    getElementCTM(static_cast<SVGElement*>(renderer->node()), ctm);
-    return intersectsAllowingEmpty(rect, ctm.mapRect(renderer->repaintRectInLocalCoordinates()));
+    SVGElement* svgElement = static_cast<SVGElement*>(renderer->node());
+    getElementCTM(svgElement, ctm);
+    ASSERT(svgElement->renderer());
+    return intersectsAllowingEmpty(rect, ctm.mapRect(svgElement->renderer()->repaintRectInLocalCoordinates()));
 }
 
 bool RenderSVGModelObject::checkEnclosure(RenderObject* renderer, const FloatRect& rect)
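Review bot: `ASSERT(svgElement->renderer())` is the only null check before `svgElement->renderer()->repaintRectInLocalCoordinates()`, and WebKit's ASSERT is compiled out of release builds, so an element left without a renderer after `getElementCTM()` becomes a null dereference in shipped binaries. The re-fetch suggests `getElementCTM()` can invalidate the `renderer` argument (inferred, its body is not in this diff), in which case "no renderer at all" is as plausible as "a new renderer". I would fetch once and bail out, `RenderObject* current = svgElement->renderer();` then `if (!current) return false;`, and call `current->repaintRectInLocalCoordinates()`, with a short comment that `renderer` must not be touched after `getElementCTM()`. The same pattern is in the second hunk (checkEnclosure); both function bodies begin above their hunks, so the earlier lines were not reviewed.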
@@ -182,8 +184,10 @@
     if (!isGraphicsElement(renderer))
         return false;
     AffineTransform ctm;
-    getElementCTM(static_cast<SVGElement*>(renderer->node()), ctm);
-    return rect.contains(ctm.mapRect(renderer->repaintRectInLocalCoordinates()));
+    SVGElement* svgElement = static_cast<SVGElement*>(renderer->node());
+    getElementCTM(svgElement, ctm);
+    ASSERT(svgElement->renderer());
+    return rect.contains(ctm.mapRect(svgElement->renderer()->repaintRectInLocalCoordinates()));
 }
 
 } // namespace WebCore