Title: [126672] branches/chromium/1229

Diff

Copied: branches/chromium/1229/LayoutTests/svg/custom/tref-stale-listener-crash-expected.txt (from rev 126205, trunk/LayoutTests/svg/custom/tref-stale-listener-crash-expected.txt) (0 => 126672)


--- branches/chromium/1229/LayoutTests/svg/custom/tref-stale-listener-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1229/LayoutTests/svg/custom/tref-stale-listener-crash-expected.txt	2012-08-25 01:41:15 UTC (rev 126672)
@@ -0,0 +1,4 @@
+
+  
+  
+PASS: did not crash.

Copied: branches/chromium/1229/LayoutTests/svg/custom/tref-stale-listener-crash.html (from rev 126205, trunk/LayoutTests/svg/custom/tref-stale-listener-crash.html) (0 => 126672)


--- branches/chromium/1229/LayoutTests/svg/custom/tref-stale-listener-crash.html	                        (rev 0)
+++ branches/chromium/1229/LayoutTests/svg/custom/tref-stale-listener-crash.html	2012-08-25 01:41:15 UTC (rev 126672)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body _onload_="crash()">
+  <!-- Test for https://bugs.webkit.org/show_bug.cgi?id=94487 -->
+  <input/>
+  <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <g>
+      <tref xlink:href=""
+      <g id="target"></g>
+    </g>
+  </svg>
+  <input/>
+  <div>PASS: did not crash.</div>
+
+  <script>
+    if (window.testRunner)
+      testRunner.dumpAsText();
+
+    function crash() {
+      document.designMode='on';
+      document.execCommand('selectall');
+      document.execCommand('FormatBlock', false, '<'+'pre>');
+    }
+  </script>
+</body>
+</html>
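Review bot: As rendered on this page the test would not exercise the fix, because the body attribute reads `_onload_="crash()"`, which is not an event-handler attribute, so `crash()` is never called. The `<tref xlink:href=""` line also has an empty reference and no closing `>`, so no tref ever points at `id="target"`. Both look like mail-archive mangling rather than what was committed, so take the file from the repository path in the header rather than from this listing. If the committed file really has the empty `xlink:href`, the test passes without ever attaching a listener and should be corrected.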

Modified: branches/chromium/1229/Source/WebCore/svg/SVGTRefElement.cpp (126671 => 126672)


--- branches/chromium/1229/Source/WebCore/svg/SVGTRefElement.cpp	2012-08-25 01:29:40 UTC (rev 126671)
+++ branches/chromium/1229/Source/WebCore/svg/SVGTRefElement.cpp	2012-08-25 01:41:15 UTC (rev 126672)
@@ -69,9 +69,9 @@
                 ? static_cast<const SVGTRefTargetEventListener*>(listener) : 0;
     }
 
-    void attach(Element* target, String& targetId);
+    void attach(PassRefPtr<Element> target);
     void detach();
-    bool isAttached() const { return m_attached; }
+    bool isAttached() const { return m_target.get(); }
 
 private:
     SVGTRefTargetEventListener(SVGTRefElement* trefElement);
@@ -80,29 +80,26 @@
     virtual bool operator==(const EventListener&) OVERRIDE;
 
     SVGTRefElement* m_trefElement;
-    String m_targetId;
-    bool m_attached;
+    RefPtr<Element> m_target;
 };
 
 SVGTRefTargetEventListener::SVGTRefTargetEventListener(SVGTRefElement* trefElement)
     : EventListener(SVGTRefTargetEventListenerType)
     , m_trefElement(trefElement)
-    , m_attached(false)
+    , m_target(0)
 {
     ASSERT(m_trefElement);
 }
 
-void SVGTRefTargetEventListener::attach(Element* target, String& targetId)
+void SVGTRefTargetEventListener::attach(PassRefPtr<Element> target)
 {
     ASSERT(!isAttached());
-    ASSERT(target);
+    ASSERT(target.get());
     ASSERT(target->inDocument());
-    ASSERT(!targetId.isEmpty());
 
     target->addEventListener(eventNames().DOMSubtreeModifiedEvent, this, false);
     target->addEventListener(eventNames().DOMNodeRemovedFromDocumentEvent, this, false);
-    m_targetId = targetId;
-    m_attached = true;
+    m_target = target;
 }
 
 void SVGTRefTargetEventListener::detach()
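Review bot: The new `RefPtr<Element> m_target` sits next to the raw `SVGTRefElement* m_trefElement`, and the lifetime rule that ties them together is not written down anywhere in the hunk. The listener now keeps the target alive, and the target presumably keeps the listener alive through its listener list, so the pair is released only when `detach()` runs. `handleEvent` still dereferences `m_trefElement` unconditionally, so the tref has to call `detach()` before it is destroyed; please confirm the destructor does so, as it is outside this diff. A comment on the member would record this, e.g. `// Strong ref, held from attach() to detach(); the owning tref must detach() before destruction.` Separately, `, m_target(0)` is redundant since a `RefPtr` default-constructs to null.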
@@ -110,13 +107,9 @@
     if (!isAttached())
         return;
 
-    if (Element* target = m_trefElement->treeScope()->getElementById(m_targetId)) {
-        target->removeEventListener(eventNames().DOMSubtreeModifiedEvent, this, false);
-        target->removeEventListener(eventNames().DOMNodeRemovedFromDocumentEvent, this, false);
-    }
-
-    m_targetId = emptyString();
-    m_attached = false;
+    m_target->removeEventListener(eventNames().DOMSubtreeModifiedEvent, this, false);
+    m_target->removeEventListener(eventNames().DOMNodeRemovedFromDocumentEvent, this, false);
+    m_target.clear();
 }
 
 bool SVGTRefTargetEventListener::operator==(const EventListener& listener)
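Review bot: `detach()` now removes the listeners from the stored element without saying why it no longer resolves the target by id, and that reason is the core of the fix. The removed `getElementById(m_targetId)` lookup could apparently return no element, or a different one, once the tree had changed, which would leave the listener registered on the original target. I would add above the two `removeEventListener` calls: `// Remove from the exact element attach() registered on; re-resolving by id can miss it after DOM mutations.` A later edit that reintroduces an id lookup here would bring the stale-listener problem back.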
@@ -131,7 +124,7 @@
     ASSERT(isAttached());
 
     if (event->type() == eventNames().DOMSubtreeModifiedEvent && m_trefElement != event->target())
-        m_trefElement->updateReferencedText();
+        m_trefElement->updateReferencedText(m_target.get());
     else if (event->type() == eventNames().DOMNodeRemovedFromDocumentEvent)
         m_trefElement->detachTarget();
 }
@@ -183,10 +176,10 @@
     ShadowRoot::create(this, ShadowRoot::UserAgentShadowRoot, ASSERT_NO_EXCEPTION);
 }
 
-void SVGTRefElement::updateReferencedText()
+void SVGTRefElement::updateReferencedText(Element* target)
 {
     String textContent;
-    if (Element* target = SVGURIReference::targetElementFromIRIString(href(), document()))
+    if (target)
         textContent = target->textContent();
 
     ASSERT(shadow());
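Review bot: `updateReferencedText(Element* target)` accepts a null target and takes a raw pointer, but neither this definition nor the `void updateReferencedText(Element*);` declaration in SVGTRefElement.h documents either fact. Both visible callers pass a pointer that a `RefPtr` keeps alive (`m_target.get()` and the local `target.get()`), and the header comment should state that requirement so future callers do not pass an unowned element. Suggested wording on the declaration: `// |target| may be null (text content is then taken as empty); the caller must keep it alive for the call.` The rest of the function body is outside the hunk, so what happens to the empty string afterwards is not visible here.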
@@ -296,8 +289,8 @@
         return;
 
     String id;
-    Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
-    if (!target) {
+    RefPtr<Element> target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
+    if (!target.get()) {
         if (id.isEmpty())
             return;
 
@@ -311,9 +304,9 @@
     // expects every element instance to have an associated shadow tree element - which is not the
     // case when we land here from SVGUseElement::buildShadowTree().
     if (!isInShadowTree())
-        m_targetListener->attach(target, id);
+        m_targetListener->attach(target);
 
-    updateReferencedText();
+    updateReferencedText(target.get());
 }
 
 Node::InsertionNotificationRequest SVGTRefElement::insertedInto(ContainerNode* rootParent)

Modified: branches/chromium/1229/Source/WebCore/svg/SVGTRefElement.h (126671 => 126672)


--- branches/chromium/1229/Source/WebCore/svg/SVGTRefElement.h	2012-08-25 01:29:40 UTC (rev 126671)
+++ branches/chromium/1229/Source/WebCore/svg/SVGTRefElement.h	2012-08-25 01:41:15 UTC (rev 126672)
@@ -53,7 +53,7 @@
     virtual InsertionNotificationRequest insertedInto(ContainerNode*) OVERRIDE;
     virtual void removedFrom(ContainerNode*) OVERRIDE;
 
-    void updateReferencedText();
+    void updateReferencedText(Element*);
 
     void detachTarget();
 