Title: [133355] branches/safari-536.28-branch
- Revision: 133355
- Author: [email protected]
- Date: 2012-11-02 14:57:02 -0700 (Fri, 02 Nov 2012)
Log Message
Merged r124631. <rdar://problem/12536479>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133354 => 133355)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-02 21:54:54 UTC (rev 133354)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-02 21:57:02 UTC (rev 133355)
@@ -1,5 +1,23 @@
2012-11-02 Lucas Forschler <[email protected]>
+ Merge r124631
+
+ 2012-08-03 Stephen Chenney <[email protected]>
+
+ Crash when a clip path referencing a clip path changes documents
+ https://bugs.webkit.org/show_bug.cgi?id=93023
+
+ Reviewed by Dirk Schulze.
+
+ Test that asserts in debug DRT without this change. Any attempt to
+ delete a clip that references another clip after changing the document
+ results in a crash.
+
+ * svg/custom/clip-path-document-change-assert-expected.txt: Added.
+ * svg/custom/clip-path-document-change-assert.html: Added.
+
+2012-11-02 Lucas Forschler <[email protected]>
+
Merge r124626
2012-07-20 Jon Lee <[email protected]>
@@ -10773,3 +10791,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/svg/custom/clip-path-document-change-assert-expected.txt (from rev 124631, trunk/LayoutTests/svg/custom/clip-path-document-change-assert-expected.txt) (0 => 133355)
--- branches/safari-536.28-branch/LayoutTests/svg/custom/clip-path-document-change-assert-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/svg/custom/clip-path-document-change-assert-expected.txt 2012-11-02 21:57:02 UTC (rev 133355)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-536.28-branch/LayoutTests/svg/custom/clip-path-document-change-assert.html (from rev 124631, trunk/LayoutTests/svg/custom/clip-path-document-change-assert.html) (0 => 133355)
--- branches/safari-536.28-branch/LayoutTests/svg/custom/clip-path-document-change-assert.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/svg/custom/clip-path-document-change-assert.html 2012-11-02 21:57:02 UTC (rev 133355)
@@ -0,0 +1,39 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ </head>
+ <body id="bodyRoot">
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <defs>
+ <clipPath id="clipClip">
+ <rect>
+ </rect>
+ </clipPath>
+ <clipPath clip-path="url(#clipClip)">
+ <circle>
+ </circle>
+ </clipPath>
+ </defs>
+ <rect>
+ </rect>
+ </svg>
+ </body>
+ <script>
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ }
+
+ document.addEventListener("DOMContentLoaded", initCrash, false);
+
+ function initCrash() {
+ var bodyRoot = document.getElementById("bodyRoot");
+ try { document.implementation.createDocument("", "", null).adoptNode(bodyRoot); } catch(e) {}
+ try { bodyRoot.textContent = "" } catch(e) {}
+ document.documentElement.innerHTML = "PASS";
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ </script>
+</html>
+
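Review bot: In initCrash, the adoptNode call and the textContent reset are each wrapped in try/catch with an empty handler, so if either step throws, the test still writes PASS without having moved bodyRoot to the new document or deleted its children. Consider removing the try/catch, or writing FAIL from the catch, so that PASS means both steps actually ran. The test also has no positive check beyond not crashing, and the ChangeLog describes the failure as an assert in debug DRT, so it is worth stating in the test which build configurations are expected to catch a regression.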
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133354 => 133355)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-02 21:54:54 UTC (rev 133354)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-02 21:57:02 UTC (rev 133355)
@@ -1,5 +1,40 @@
2012-11-02 Lucas Forschler <[email protected]>
+ Merge r124631
+
+ 2012-08-03 Stephen Chenney <[email protected]>
+
+ Crash when a clip path referencing a clip path changes documents
+ https://bugs.webkit.org/show_bug.cgi?id=93023
+
+ Reviewed by Dirk Schulze.
+
+ The SVGClipPathElement is set to not need pending resource handling,
+ when in fact it can have pending resources. The result is a crash when
+ the element is moved to a new document (which deletes all resources
+ and leaves them pending) and then immediately deleted (which asserts
+ that there are no pending resources). There is code to remove pending
+ resources upon deletion and removal from the DOM, but it was not
+ executing for clips because of the aforementioned code claiming that
+ clips don't require such handling.
+
+ The assertion that there be no pending resources is necessary to
+ prevent caches of pending resources from trying to access the deleted
+ element.
+
+ This change removes the check for needsPendingResourceHandling in
+ SVGStyledElement upon deletion and removal from the DOM. Pending resources
+ will always be checked in such cases to ensure we do not introduce
+ security issues.
+
+ Test: svg/custom/clip-path-document-change-assert.html
+
+ * svg/SVGStyledElement.cpp:
+ (WebCore::SVGStyledElement::~SVGStyledElement): Removed needsPendingResourceHandling in the conditional to clean up resources.
+ (WebCore::SVGStyledElement::removedFrom): Removed needsPendingResourceHandling in the conditional to clean up resources.
+
+2012-11-02 Lucas Forschler <[email protected]>
+
Merge r124626
2012-07-20 Jon Lee <[email protected]>
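Review bot: The entry says SVGClipPathElement is set to not need pending resource handling when in fact it can have pending resources, but the file list touches only SVGStyledElement.cpp, so that incorrect answer stays in place for any remaining caller of needsPendingResourceHandling. Either correct it for clip paths in this change, or add a line to the entry saying why it is left as is and why the remaining uses are safe.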
@@ -206106,3 +206141,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/svg/SVGStyledElement.cpp (133354 => 133355)
--- branches/safari-536.28-branch/Source/WebCore/svg/SVGStyledElement.cpp 2012-11-02 21:54:54 UTC (rev 133354)
+++ branches/safari-536.28-branch/Source/WebCore/svg/SVGStyledElement.cpp 2012-11-02 21:57:02 UTC (rev 133355)
@@ -75,7 +75,7 @@
SVGStyledElement::~SVGStyledElement()
{
- if (needsPendingResourceHandling() && hasPendingResources() && document())
+ if (hasPendingResources() && document())
document()->accessSVGExtensions()->removeElementFromPendingResources(this);
ASSERT(!hasPendingResources());
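Review bot: In the destructor, cleanup still depends on document() being non-null, and the only guard after it is ASSERT(!hasPendingResources()), which is compiled out of release builds. If an element can reach destruction with pending resources and no document, nothing removes it from the pending-resource cache in a release build. Consider a comment stating why document() cannot be null at this point, or a check that also holds in release builds.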
@@ -396,7 +396,7 @@
SVGElement::removedFrom(rootParent);
SVGElementInstance::invalidateAllInstancesOfElement(this);
Document* document = this->document();
- if (!rootParent->inDocument() || !needsPendingResourceHandling() || !document)
+ if (!rootParent->inDocument() || !document)
return;
document->accessSVGExtensions()->removeElementFromPendingResources(this);
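Review bot: In removedFrom, the early return on !rootParent->inDocument() still skips removeElementFromPendingResources, so an element removed from a subtree that is not in the document keeps its pending entries until the destructor runs. Since the ChangeLog says pending resources will always be checked on removal from the DOM, either drop that condition as well or add a comment explaining why removal from a detached subtree is safe to skip.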
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes