Title: [147434] trunk
- Revision: 147434
- Author: [email protected]
- Date: 2013-04-02 08:18:36 -0700 (Tue, 02 Apr 2013)
Log Message
Hang when calling setCurrentTime on SVG with cyclic animation dependency chain
https://bugs.webkit.org/show_bug.cgi?id=113485
Patch by David Vest <[email protected]> on 2013-04-02
Reviewed by Stephen Chenney.
Source/WebCore:
If no exact match can be found, approximateBinarySearch may return
either adjacent value to the key. Selecting the lesser value when
there is a greater one may cause interval creation to fail in a
way that causes infinite loops during seeking. Detect and amend
this condition by selecting the greater value when possible.
Test: svg/animations/animation-dependency-hang.html
* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::findInstanceTime):
LayoutTests:
* svg/animations/animation-dependency-hang-expected.txt: Added.
* svg/animations/animation-dependency-hang.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (147433 => 147434)
--- trunk/LayoutTests/ChangeLog 2013-04-02 14:58:05 UTC (rev 147433)
+++ trunk/LayoutTests/ChangeLog 2013-04-02 15:18:36 UTC (rev 147434)
@@ -1,3 +1,13 @@
+2013-04-02 David Vest <[email protected]>
+
+ Hang when calling setCurrentTime on SVG with cyclic animation dependency chain
+ https://bugs.webkit.org/show_bug.cgi?id=113485
+
+ Reviewed by Stephen Chenney.
+
+ * svg/animations/animation-dependency-hang-expected.txt: Added.
+ * svg/animations/animation-dependency-hang.html: Added.
+
2013-04-02 Julien Chaffraix <[email protected]>
webkit fails IETC grid-column-002
Added: trunk/LayoutTests/svg/animations/animation-dependency-hang-expected.txt (0 => 147434)
--- trunk/LayoutTests/svg/animations/animation-dependency-hang-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/animation-dependency-hang-expected.txt 2013-04-02 15:18:36 UTC (rev 147434)
@@ -0,0 +1 @@
+PASS: Test did not hang.
Added: trunk/LayoutTests/svg/animations/animation-dependency-hang.html (0 => 147434)
--- trunk/LayoutTests/svg/animations/animation-dependency-hang.html (rev 0)
+++ trunk/LayoutTests/svg/animations/animation-dependency-hang.html 2013-04-02 15:18:36 UTC (rev 147434)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script type="text/_javascript_">
+ if (window.testRunner)
+ testRunner.waitUntilDone();
+
+ _onload_ = function() {
+ // Do test _after_ onload to make sure that the time container
+ // has begun.
+ window.setTimeout(function() {
+ document.querySelector('svg').setCurrentTime(0.5);
+ document.body.innerHTML = 'PASS: Test did not hang.';
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.notifyDone();
+ }
+ }, 0);
+ };
+ </script>
+</head>
+<body>
+ <p>This test passes if it does not hang...</p>
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <circle r="10" cx="50" cy="50" fill="none">
+ <animate id="anim1" attributeName="opacity" from="0" to="1" begin="0.1s; anim3.end" dur="0.01s"/>
+ <animate id="anim2" attributeName="opacity" from="1" to="1" begin="anim1.end" dur="0.05s" fill="freeze"/>
+ <animate id="anim3" attributeName="opacity" from="1" to="0" begin="anim2.end" dur="0.01s" fill="freeze"/>
+ </circle>
+ </svg>
+</body>
+</html>
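Review bot: In the script block, testRunner.dumpAsText() is called only inside the timeout callback, after setCurrentTime(0.5) has already returned, so a regression here is reported purely as a harness timeout and the text-dump mode is never set. Moving the dumpAsText() call up beside testRunner.waitUntilDone() would set the output mode before the call that can hang. The test also covers a single seek time (0.5) against one three-element cycle (anim1 begins on anim3.end, anim2 on anim1.end, anim3 on anim2.end); a second seek to a different time would give more confidence that the fix is not specific to this one value.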
Modified: trunk/Source/WebCore/ChangeLog (147433 => 147434)
--- trunk/Source/WebCore/ChangeLog 2013-04-02 14:58:05 UTC (rev 147433)
+++ trunk/Source/WebCore/ChangeLog 2013-04-02 15:18:36 UTC (rev 147434)
@@ -1,3 +1,21 @@
+2013-04-02 David Vest <[email protected]>
+
+ Hang when calling setCurrentTime on SVG with cyclic animation dependency chain
+ https://bugs.webkit.org/show_bug.cgi?id=113485
+
+ Reviewed by Stephen Chenney.
+
+ If no exact match can be found, approximateBinarySearch may return
+ either adjacent value to the key. Selecting the lesser value when
+ there is a greater one may cause interval creation to fail in a
+ way that causes infinite loops during seeking. Detect and amend
+ this condition by selecting the greater value when possible.
+
+ Test: svg/animations/animation-dependency-hang.html
+
+ * svg/animation/SVGSMILElement.cpp:
+ (WebCore::SVGSMILElement::findInstanceTime):
+
2013-04-02 Andrey Lushnikov <[email protected]>
Web Inspector: source location gets frozen after inspector reload
Modified: trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp (147433 => 147434)
--- trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp 2013-04-02 14:58:05 UTC (rev 147433)
+++ trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp 2013-04-02 15:18:36 UTC (rev 147434)
@@ -743,6 +743,10 @@
const SMILTimeWithOrigin* result = approximateBinarySearch<const SMILTimeWithOrigin, SMILTime>(list, sizeOfList, minimumTime, extractTimeFromVector);
int indexOfResult = result - list.begin();
ASSERT_WITH_SECURITY_IMPLICATION(indexOfResult < sizeOfList);
+
+ if (list[indexOfResult].time() < minimumTime && indexOfResult < sizeOfList - 1)
+ ++indexOfResult;
+
const SMILTime& currentTime = list[indexOfResult].time();
// The special value "indefinite" does not yield an instance time in the begin list.
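Review bot: The added `if` advances only when `indexOfResult < sizeOfList - 1`, so when the search lands on the last entry and that entry is below `minimumTime`, `currentTime` on the following line is still less than `minimumTime`. Please confirm the code after this point handles that case, since the lesser value is exactly what the log message says leads to the seek loop. The block also carries no comment: the reason for it (approximateBinarySearch may return either neighbour of the key when there is no exact match) lives only in the ChangeLog, and a one-line comment above the `if` would keep it with the code. The assertion just above checks only the upper bound of `indexOfResult`, and the new code indexes `list` before the increment, so it relies on that assertion holding.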