Title: [144108] branches/chromium/1364

Diff

Copied: branches/chromium/1364/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt (from rev 143454, trunk/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt) (0 => 144108)


--- branches/chromium/1364/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1364/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt	2013-02-26 22:21:25 UTC (rev 144108)
@@ -0,0 +1 @@
+PASS: Did not crash.

Copied: branches/chromium/1364/LayoutTests/svg/dom/SVGPathSegList-crash.html (from rev 143454, trunk/LayoutTests/svg/dom/SVGPathSegList-crash.html) (0 => 144108)


--- branches/chromium/1364/LayoutTests/svg/dom/SVGPathSegList-crash.html	                        (rev 0)
+++ branches/chromium/1364/LayoutTests/svg/dom/SVGPathSegList-crash.html	2013-02-26 22:21:25 UTC (rev 144108)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+
+        var path = document.createElementNS("http://www.w3.org/2000/svg", "path");
+        var seg1 = path.createSVGPathSegLinetoAbs(10, 10);
+        var seg2 = path.createSVGPathSegLinetoAbs(100, 100);
+
+        path.pathSegList.initialize(seg1);
+        path.pathSegList.initialize(seg2);
+        path.pathSegList.initialize(seg1);
+        path.pathSegList.replaceItem(seg2, 0);
+        path.pathSegList.initialize(seg1);
+    </script>
+  </body>
+  <div>PASS: Did not crash.</div>
+</html>
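Review bot: The `<div>PASS: Did not crash.</div>` line sits after `</body>`, so the expected text only appears because the HTML parser moves stray content back into the body; putting the div inside `<body>` keeps the markup valid. The script also has no comment saying what the call sequence is meant to exercise. A line such as `// seg1 and seg2 are handed to the same list repeatedly through initialize() and replaceItem(); the test passes if none of these calls crashes.` above the `path.pathSegList` calls would make the intent clear to whoever has to triage a failure.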

Modified: branches/chromium/1364/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp (144107 => 144108)


--- branches/chromium/1364/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp	2013-02-26 22:15:49 UTC (rev 144107)
+++ branches/chromium/1364/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp	2013-02-26 22:21:25 UTC (rev 144108)
@@ -29,18 +29,23 @@
 
 namespace WebCore {
 
-void SVGPathSegListPropertyTearOff::clear(ExceptionCode& ec)
+void SVGPathSegListPropertyTearOff::clearContextAndRoles()
 {
     ASSERT(m_values);
-    if (m_values->isEmpty())
-        return;
-
     unsigned size = m_values->size();
     for (unsigned i = 0; i < size; ++i) {
         ListItemType item = m_values->at(i);
         static_cast<SVGPathSegWithContext*>(item.get())->setContextAndRole(0, PathSegUndefinedRole);
     }
+}
 
+void SVGPathSegListPropertyTearOff::clear(ExceptionCode& ec)
+{
+    ASSERT(m_values);
+    if (m_values->isEmpty())
+        return;
+
+    clearContextAndRoles();
     SVGPathSegListPropertyTearOff::Base::clearValues(ec);
 }
 
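Review bot: clearContextAndRoles() casts `item.get()` and calls setContextAndRole() on it with no check that the item is non-null, while the new replaceItem() in this file puts `ASSERT(replacedItem);` in front of the same cast; adding `ASSERT(item);` inside the loop would keep the two paths consistent. The helper also has no comment, and it is now called from initialize() in the header as well as from clear(). A line such as `// Detach every segment from this list (null context, PathSegUndefinedRole) before the values are cleared or replaced.` above the definition would tell the next reader why it has to run first. Both ASSERTs are presumably compiled out of release builds, so they document the invariant rather than enforce it.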
@@ -54,6 +59,24 @@
     return returnedItem.release();
 }
 
+SVGPathSegListPropertyTearOff::PassListItemType SVGPathSegListPropertyTearOff::replaceItem(PassListItemType passNewItem, unsigned index, ExceptionCode& ec)
+{
+    // Not specified, but FF/Opera do it this way, and it's just sane.
+    if (!passNewItem) {
+        ec = SVGException::SVG_WRONG_TYPE_ERR;
+        return 0;
+    }
+
+    if (index < m_values->size()) {
+        ListItemType replacedItem = m_values->at(index);
+        ASSERT(replacedItem);
+        static_cast<SVGPathSegWithContext*>(replacedItem.get())->setContextAndRole(0, PathSegUndefinedRole);
+    }
+
+    ListItemType newItem = passNewItem;
+    return Base::replaceItemValues(newItem, index, ec);
+}
+
 SVGPathSegListPropertyTearOff::PassListItemType SVGPathSegListPropertyTearOff::removeItem(unsigned index, ExceptionCode& ec)
 {
     SVGPathSegListPropertyTearOff::ListItemType removedItem = SVGPathSegListPropertyTearOff::Base::removeItemValues(index, ec);
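Review bot: replaceItem() clears the outgoing item's context and role before `Base::replaceItemValues(newItem, index, ec)` has accepted the replacement, so if that call fails and sets `ec`, the old segment would stay in the list but detached from its path. Whether the base call can fail for an in-range index is not visible here; the header does declare `isReadOnly()`, so a read-only list looks like one such case, and guarding the detach with `if (index < m_values->size() && !isReadOnly())` would cover it. The same ordering applies to the `clearContextAndRoles();` call added to initialize() in SVGPathSegListPropertyTearOff.h. The block also reads `m_values->size()` without the `ASSERT(m_values);` that clear() and clearContextAndRoles() carry.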

Modified: branches/chromium/1364/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h (144107 => 144108)


--- branches/chromium/1364/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h	2013-02-26 22:15:49 UTC (rev 144107)
+++ branches/chromium/1364/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h	2013-02-26 22:21:25 UTC (rev 144108)
@@ -75,6 +75,7 @@
             return 0;
         }
 
+        clearContextAndRoles();
         ListItemType newItem = passNewItem;
         return Base::initializeValues(newItem, ec);
     }
@@ -93,18 +94,8 @@
         return Base::insertItemBeforeValues(newItem, index, ec);
     }
 
-    PassListItemType replaceItem(PassListItemType passNewItem, unsigned index, ExceptionCode& ec)
-    {
-        // Not specified, but FF/Opera do it this way, and it's just sane.
-        if (!passNewItem) {
-            ec = SVGException::SVG_WRONG_TYPE_ERR;
-            return 0;
-        }
+    PassListItemType replaceItem(PassListItemType, unsigned index, ExceptionCode&);
 
-        ListItemType newItem = passNewItem;
-        return Base::replaceItemValues(newItem, index, ec);
-    }
-
     PassListItemType removeItem(unsigned index, ExceptionCode&);
 
     PassListItemType appendItem(PassListItemType passNewItem, ExceptionCode& ec)
@@ -129,6 +120,8 @@
 
     SVGPathElement* contextElement() const;
 
+    void clearContextAndRoles();
+
     using Base::m_role;
 
     virtual bool isReadOnly() const