Title: [122755] trunk
Revision: 122755
Author: [email protected]
Date: 2012-07-16 13:31:54 -0700 (Mon, 16 Jul 2012)
Log Message
SVGAnimationElement::currentValuesForValuesAnimation crash
https://bugs.webkit.org/show_bug.cgi?id=91326
Reviewed by Simon Fraser.
SVGSMILElement::progress() assumes that seekToIntervalCorrespondingToTime() always
lands inside a defined interval, but one can force arbitrary time offsets using
setCurrentTime(). This patch adds logic for handling non-interval time offsets
gracefully.
Source/WebCore:
Test: svg/animations/smil-setcurrenttime-crash.svg
* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::progress):
LayoutTests:
* svg/animations/smil-setcurrenttime-crash-expected.txt: Added.
* svg/animations/smil-setcurrenttime-crash.svg: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (122754 => 122755)
--- trunk/LayoutTests/ChangeLog 2012-07-16 20:29:07 UTC (rev 122754)
+++ trunk/LayoutTests/ChangeLog 2012-07-16 20:31:54 UTC (rev 122755)
@@ -1,3 +1,18 @@
+2012-07-16 Florin Malita <[email protected]>
+
+ SVGAnimationElement::currentValuesForValuesAnimation crash
+ https://bugs.webkit.org/show_bug.cgi?id=91326
+
+ Reviewed by Simon Fraser.
+
+ SVGSMILElement::progress() assumes that seekToIntervalCorrespondingToTime() always
+ lands inside a defined interval, but one can force arbitrary time offsets using
+ setCurrentTime(). This patch adds logic for handling non-interval time offsets
+ gracefully.
+
+ * svg/animations/smil-setcurrenttime-crash-expected.txt: Added.
+ * svg/animations/smil-setcurrenttime-crash.svg: Added.
+
2012-07-16 W. James MacLean <[email protected]>
[chromium] Unreviewed gardening. Layout Test fast/frames/calculate-fixed.html is flaky
Added: trunk/LayoutTests/svg/animations/smil-setcurrenttime-crash-expected.txt (0 => 122755)
--- trunk/LayoutTests/svg/animations/smil-setcurrenttime-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/smil-setcurrenttime-crash-expected.txt 2012-07-16 20:31:54 UTC (rev 122755)
@@ -0,0 +1 @@
+PASS: not crashing.
Added: trunk/LayoutTests/svg/animations/smil-setcurrenttime-crash.svg (0 => 122755)
--- trunk/LayoutTests/svg/animations/smil-setcurrenttime-crash.svg (rev 0)
+++ trunk/LayoutTests/svg/animations/smil-setcurrenttime-crash.svg 2012-07-16 20:31:54 UTC (rev 122755)
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
+ <!-- Test for https://bugs.webkit.org/show_bug.cgi?id=91326 -->
+ <rect>
+ <animate attributeName="fill" begin="1s; 10s" dur="3s" fill="freeze" values="#000;#fff"/>
+ </rect>
+ <text>PASS: not crashing.</text>
+
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document.documentElement.setCurrentTime(5);
+ </script>
+</svg>
+
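Review bot: The test seeks to a single offset, `document.documentElement.setCurrentTime(5);`, and nothing in the file says why 5 matters. With begin="1s; 10s" and dur="3s", that offset falls in the gap between the first interval ending at 4s and the second one starting at 10s, which is the non-interval case the log message describes. A one-line comment above the call would keep a later change to the begin or dur values from quietly turning this into a test that no longer lands in the gap. Consider adding a second seek to another non-interval offset so coverage does not hinge on one value.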
Modified: trunk/Source/WebCore/ChangeLog (122754 => 122755)
--- trunk/Source/WebCore/ChangeLog 2012-07-16 20:29:07 UTC (rev 122754)
+++ trunk/Source/WebCore/ChangeLog 2012-07-16 20:31:54 UTC (rev 122755)
@@ -1,3 +1,20 @@
+2012-07-16 Florin Malita <[email protected]>
+
+ SVGAnimationElement::currentValuesForValuesAnimation crash
+ https://bugs.webkit.org/show_bug.cgi?id=91326
+
+ Reviewed by Simon Fraser.
+
+ SVGSMILElement::progress() assumes that seekToIntervalCorrespondingToTime() always
+ lands inside a defined interval, but one can force arbitrary time offsets using
+ setCurrentTime(). This patch adds logic for handling non-interval time offsets
+ gracefully.
+
+ Test: svg/animations/smil-setcurrenttime-crash.svg
+
+ * svg/animation/SVGSMILElement.cpp:
+ (WebCore::SVGSMILElement::progress):
+
2012-07-16 Joshua Netterfield <[email protected]>
[BlackBerry] Upstream WebGL Code
Modified: trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp (122754 => 122755)
--- trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-07-16 20:29:07 UTC (rev 122754)
+++ trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp 2012-07-16 20:31:54 UTC (rev 122755)
@@ -1043,7 +1043,11 @@
// This call may obtain a new interval -- never call calculateAnimationPercentAndRepeat() before!
if (seekToTime) {
seekToIntervalCorrespondingToTime(elapsed);
- ASSERT(elapsed >= m_intervalBegin);
+ if (elapsed < m_intervalBegin) {
+ // elapsed is not within an interval.
+ m_nextProgressTime = m_intervalBegin;
+ return false;
+ }
}
unsigned repeat = 0;
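Review bot: The comment on the new branch, `// elapsed is not within an interval.`, is broader than the check `elapsed < m_intervalBegin`, which only catches a seek that lands before the start of the interval left in place by seekToIntervalCorrespondingToTime(). Please word the comment to match the condition, and say what the early `return false` means for the caller, since everything from `unsigned repeat = 0;` onward is now skipped and only m_nextProgressTime is updated. ASSERT is compiled out of release builds, so this branch is the first release-mode guard for the assumption. It is also worth confirming that the fill="freeze" animation in the new test still shows the frozen value from the earlier interval when this path is taken.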