Title: [148469] branches/safari-536.30-branch

Diff

Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (148468 => 148469)


--- branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-04-15 21:25:35 UTC (rev 148468)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-04-15 21:42:34 UTC (rev 148469)
@@ -1,5 +1,19 @@
 2013-04-15  Tim Horton  <[email protected]>
 
+        Merge r143454.
+
+    2013-02-20  Florin Malita  <[email protected]>
+
+        Clear SVGPathSeg role on removal.
+        https://bugs.webkit.org/show_bug.cgi?id=110058
+
+        Reviewed by Dirk Schulze.
+
+        * svg/dom/SVGPathSegList-crash-expected.txt: Added.
+        * svg/dom/SVGPathSegList-crash.html: Added.
+
+2013-04-15  Tim Horton  <[email protected]>
+
         Merge r142759.
 
     2013-02-13  Florin Malita  <[email protected]>

Copied: branches/safari-536.30-branch/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt (from rev 143454, trunk/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt) (0 => 148469)


--- branches/safari-536.30-branch/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/svg/dom/SVGPathSegList-crash-expected.txt	2013-04-15 21:42:34 UTC (rev 148469)
@@ -0,0 +1 @@
+PASS: Did not crash.

Copied: branches/safari-536.30-branch/LayoutTests/svg/dom/SVGPathSegList-crash.html (from rev 143454, trunk/LayoutTests/svg/dom/SVGPathSegList-crash.html) (0 => 148469)


--- branches/safari-536.30-branch/LayoutTests/svg/dom/SVGPathSegList-crash.html	                        (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/svg/dom/SVGPathSegList-crash.html	2013-04-15 21:42:34 UTC (rev 148469)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <script>
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+
+        var path = document.createElementNS("http://www.w3.org/2000/svg", "path");
+        var seg1 = path.createSVGPathSegLinetoAbs(10, 10);
+        var seg2 = path.createSVGPathSegLinetoAbs(100, 100);
+
+        path.pathSegList.initialize(seg1);
+        path.pathSegList.initialize(seg2);
+        path.pathSegList.initialize(seg1);
+        path.pathSegList.replaceItem(seg2, 0);
+        path.pathSegList.initialize(seg1);
+    </script>
+  </body>
+  <div>PASS: Did not crash.</div>
+</html>
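Review bot: The test carries no comment saying which call sequence it guards, and the `<div>PASS: Did not crash.</div>` line sits after `</body>`, which only renders because the parser relocates it. A leading comment such as `<!-- Regression test for https://bugs.webkit.org/show_bug.cgi?id=110058: initialize()/replaceItem() must clear the role of segments they drop. -->`, plus moving the `<div>` inside `<body>`, would make the intent explicit. The test passes on any run that does not crash, so it never checks the resulting list; a check on `path.pathSegList.numberOfItems` after the last call would also catch a silently wrong result.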

Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148468 => 148469)


--- branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-04-15 21:25:35 UTC (rev 148468)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-04-15 21:42:34 UTC (rev 148469)
@@ -1,5 +1,32 @@
 2013-04-15  Tim Horton  <[email protected]>
 
+        Merge r143454.
+
+    2013-02-20  Florin Malita  <[email protected]>
+
+            Clear SVGPathSeg role on removal.
+            https://bugs.webkit.org/show_bug.cgi?id=110058
+
+            Reviewed by Dirk Schulze.
+
+            SVGPathSegListPropertyTearOff::initialize() and SVGPathSegListPropertyTearOff::replaceItem()
+            need to clear the context and role for segments being expunged from the list, similarly to
+            removeItem(). Otherwise, processIncomingListItemValue() can get confused and attempt to
+            remove stale segments.
+
+            Test: svg/dom/SVGPathSegList-crash.html
+
+            * svg/properties/SVGPathSegListPropertyTearOff.cpp:
+            (WebCore::SVGPathSegListPropertyTearOff::clearContextAndRoles):
+            (WebCore::SVGPathSegListPropertyTearOff::clear):
+            (WebCore::SVGPathSegListPropertyTearOff::replaceItem):
+            (WebCore):
+            * svg/properties/SVGPathSegListPropertyTearOff.h:
+            (WebCore::SVGPathSegListPropertyTearOff::initialize):
+            (SVGPathSegListPropertyTearOff):
+
+2013-04-15  Tim Horton  <[email protected]>
+
         Merge r142759.
 
     2013-02-13  Florin Malita  <[email protected]>

Modified: branches/safari-536.30-branch/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp (148468 => 148469)


--- branches/safari-536.30-branch/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp	2013-04-15 21:25:35 UTC (rev 148468)
+++ branches/safari-536.30-branch/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp	2013-04-15 21:42:34 UTC (rev 148469)
@@ -29,18 +29,23 @@
 
 namespace WebCore {
 
-void SVGPathSegListPropertyTearOff::clear(ExceptionCode& ec)
+void SVGPathSegListPropertyTearOff::clearContextAndRoles()
 {
     ASSERT(m_values);
-    if (m_values->isEmpty())
-        return;
-
     unsigned size = m_values->size();
     for (unsigned i = 0; i < size; ++i) {
         ListItemType item = m_values->at(i);
         static_cast<SVGPathSegWithContext*>(item.get())->setContextAndRole(0, PathSegUndefinedRole);
     }
+}
 
+void SVGPathSegListPropertyTearOff::clear(ExceptionCode& ec)
+{
+    ASSERT(m_values);
+    if (m_values->isEmpty())
+        return;
+
+    clearContextAndRoles();
     SVGPathSegListPropertyTearOff::Base::clearValues(ec);
 }
 
@@ -54,6 +59,24 @@
     return returnedItem.release();
 }
 
+SVGPathSegListPropertyTearOff::PassListItemType SVGPathSegListPropertyTearOff::replaceItem(PassListItemType passNewItem, unsigned index, ExceptionCode& ec)
+{
+    // Not specified, but FF/Opera do it this way, and it's just sane.
+    if (!passNewItem) {
+        ec = SVGException::SVG_WRONG_TYPE_ERR;
+        return 0;
+    }
+
+    if (index < m_values->size()) {
+        ListItemType replacedItem = m_values->at(index);
+        ASSERT(replacedItem);
+        static_cast<SVGPathSegWithContext*>(replacedItem.get())->setContextAndRole(0, PathSegUndefinedRole);
+    }
+
+    ListItemType newItem = passNewItem;
+    return Base::replaceItemValues(newItem, index, ec);
+}
+
 SVGPathSegListPropertyTearOff::PassListItemType SVGPathSegListPropertyTearOff::removeItem(unsigned index, ExceptionCode& ec)
 {
     SVGPathSegListPropertyTearOff::ListItemType removedItem = SVGPathSegListPropertyTearOff::Base::removeItemValues(index, ec);
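Review bot: In the new replaceItem(), the replaced segment's context and role are cleared before `Base::replaceItemValues(newItem, index, ec)` has accepted the call, so if the base rejects an in-range replacement the old segment stays in the list with `PathSegUndefinedRole` and no context. The base implementation is not part of this diff, so whether it can fail for an in-range index (a read-only list is the obvious candidate) needs confirming; if it can, the alterability check should run before the `index < m_values->size()` block. The same ordering applies to the `clearContextAndRoles();` call added to initialize() in SVGPathSegListPropertyTearOff.h. replaceItem() also dereferences `m_values` without the `ASSERT(m_values);` that clear() and clearContextAndRoles() carry. removeItem(), at the end of the hunk, continues outside it.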

Modified: branches/safari-536.30-branch/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h (148468 => 148469)


--- branches/safari-536.30-branch/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h	2013-04-15 21:25:35 UTC (rev 148468)
+++ branches/safari-536.30-branch/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h	2013-04-15 21:42:34 UTC (rev 148469)
@@ -76,6 +76,7 @@
             return 0;
         }
 
+        clearContextAndRoles();
         ListItemType newItem = passNewItem;
         return Base::initializeValues(newItem, ec);
     }
@@ -94,18 +95,8 @@
         return Base::insertItemBeforeValues(newItem, index, ec);
     }
 
-    PassListItemType replaceItem(PassListItemType passNewItem, unsigned index, ExceptionCode& ec)
-    {
-        // Not specified, but FF/Opera do it this way, and it's just sane.
-        if (!passNewItem) {
-            ec = SVGException::SVG_WRONG_TYPE_ERR;
-            return 0;
-        }
+    PassListItemType replaceItem(PassListItemType, unsigned index, ExceptionCode&);
 
-        ListItemType newItem = passNewItem;
-        return Base::replaceItemValues(newItem, index, ec);
-    }
-
     PassListItemType removeItem(unsigned index, ExceptionCode&);
 
     PassListItemType appendItem(PassListItemType passNewItem, ExceptionCode& ec)
@@ -130,6 +121,10 @@
 
     SVGPathElement* contextElement() const;
 
+    void clearContextAndRoles();
+
+    using Base::m_role;
+
     virtual void commitChange()
     {
         ASSERT(m_values);
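Review bot: `clearContextAndRoles()` is declared without a comment, and its contract matters to callers: it resets every segment currently in `m_values` to context 0 and `PathSegUndefinedRole` but removes nothing, so it is only correct immediately before the items are dropped. A one-line comment such as `// Detaches all current segments from this list; call only when the items are about to be removed.` would record that. `using Base::m_role;` is added in the same hunk, but no line visible in this commit reads `m_role`, so a short comment on why it is needed would help. commitChange() continues outside the hunk.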