[webkit-changes] [124063] branches/safari-536.26-branch

Mon, 30 Jul 2012 11:37:11 -0700

Title: [124063] branches/safari-536.26-branch

Diff

Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124062 => 124063)


--- branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 18:35:00 UTC (rev 124062)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 18:37:18 UTC (rev 124063)
@@ -1,5 +1,19 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 117161
+
+    2012-05-15  Abhishek Arya  <[email protected]>
+
+            Crash due shadow tree parent confusion in SVG.
+            https://bugs.webkit.org/show_bug.cgi?id=84248
+
+            Reviewed by Nikolas Zimmermann.
+
+            * svg/foreignObject/viewport-foreignobject-crash-expected.html: Added.
+            * svg/foreignObject/viewport-foreignobject-crash.html: Added.
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 117007
 
     2012-05-14  Takashi Sakamoto  <[email protected]>

Copied: branches/safari-536.26-branch/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html (from rev 117161, trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html) (0 => 124063)


--- branches/safari-536.26-branch/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html	2012-07-30 18:37:18 UTC (rev 124063)
@@ -0,0 +1 @@
+PASS

Copied: branches/safari-536.26-branch/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html (from rev 117161, trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html) (0 => 124063)


--- branches/safari-536.26-branch/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html	2012-07-30 18:37:18 UTC (rev 124063)
@@ -0,0 +1,35 @@
+<html>
+<body>
+<script>
+var script = document.getElementsByTagName("script")[0];
+script.parentNode.removeChild(script);
+
+var count = 0;
+function crash() {
+    var element = event.srcElement;
+    document.adoptNode(element);
+    if (!document.body.innerHTML)
+        return;
+    document.execCommand('InsertHTML', false, document.body.innerHTML);
+    if (count == 1) {
+        document.removeEventListener("DOMNodeInserted", crash, false);
+        document.body.innerHTML = "PASS";
+        return;
+    }
+    document.body.appendChild(element);
+    element.insertAdjacentHTML('beforeend', '<svg><foreignObject>A</foreignObject></svg>');
+    element.focus();
+    count += 1;
+}
+
+document.addEventListener("DOMNodeInserted", crash, false);
+document.addEventListener("DOMContentLoaded", function () {
+    document.execCommand("SelectAll", false, false);
+    var range = window.getSelection().getRangeAt(0);
+    var docFragment = range.extractContents();
+    document.documentElement.firstChild.appendChild(docFragment);
+}, false);
+</script>
+<input/>
+</body>
+</html>

Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124062 => 124063)


--- branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 18:35:00 UTC (rev 124062)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 18:37:18 UTC (rev 124063)
@@ -1,5 +1,26 @@
 2012-07-30  Lucas Forschler  <[email protected]>
 
+    Merge 117161
+
+    2012-05-15  Abhishek Arya  <[email protected]>
+
+            Crash due shadow tree parent confusion in SVG.
+            https://bugs.webkit.org/show_bug.cgi?id=84248
+
+            Reviewed by Nikolas Zimmermann.
+
+            Test: svg/foreignObject/viewport-foreignobject-crash.html
+
+            When we try to make a decision on whether we need an outer
+            SVGRoot container, we detect if we are in shadow tree or not.
+            We also need to make sure that our parentOrHostElement is also
+            an svg element. 
+
+            * svg/SVGElement.cpp:
+            (WebCore::SVGElement::isOutermostSVGSVGElement):
+
+2012-07-30  Lucas Forschler  <[email protected]>
+
     Merge 117007
 
     2012-05-14  Takashi Sakamoto  <[email protected]>

Modified: branches/safari-536.26-branch/Source/WebCore/svg/SVGElement.cpp (124062 => 124063)


--- branches/safari-536.26-branch/Source/WebCore/svg/SVGElement.cpp	2012-07-30 18:35:00 UTC (rev 124062)
+++ branches/safari-536.26-branch/Source/WebCore/svg/SVGElement.cpp	2012-07-30 18:37:18 UTC (rev 124063)
@@ -129,7 +129,7 @@
     // If we're living in a shadow tree, we're a <svg> element that got created as replacement
     // for a <symbol> element or a cloned <svg> element in the referenced tree. In that case
     // we're always an inner <svg> element.
-    if (isInShadowTree())
+    if (isInShadowTree() && parentOrHostElement() && parentOrHostElement()->isSVGElement())
         return false;
 
     // Element may not be in the document, pretend we're outermost for viewport(), getCTM(), etc.

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to