Title: [153835] trunk
Revision: 153835
Author: [email protected]
Date: 2013-08-08 11:38:53 -0700 (Thu, 08 Aug 2013)
Log Message
Crash in WTF::RefPtr<WebCore::SpaceSplitStringData>::operator UnspecifiedBoolType
https://bugs.webkit.org/show_bug.cgi?id=118839
Reviewed by Darin Adler.
Source/WebCore:
Take into account that elementData() can be null in classAttributeChanged.
Test: svg/animations/classAttributeSettingCrash.html
* dom/Element.cpp:
(WebCore::Element::classAttributeChanged):
LayoutTests:
Add testcase that showed up to cause a crash by the fuzzer.
* svg/animations/classAttributeSettingCrash-expected.txt: Added.
* svg/animations/classAttributeSettingCrash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (153834 => 153835)
--- trunk/LayoutTests/ChangeLog 2013-08-08 18:35:49 UTC (rev 153834)
+++ trunk/LayoutTests/ChangeLog 2013-08-08 18:38:53 UTC (rev 153835)
@@ -9,6 +9,18 @@
2013-08-08 Rob Buis <[email protected]>
+ Crash in WTF::RefPtr<WebCore::SpaceSplitStringData>::operator UnspecifiedBoolType
+ https://bugs.webkit.org/show_bug.cgi?id=118839
+
+ Reviewed by Darin Adler.
+
+ Add testcase that showed up to cause a crash by the fuzzer.
+
+ * svg/animations/classAttributeSettingCrash-expected.txt: Added.
+ * svg/animations/classAttributeSettingCrash.html: Added.
+
+2013-08-08 Rob Buis <[email protected]>
+
svg/custom/use-href-update-crash.svg failing on certain platforms
https://bugs.webkit.org/show_bug.cgi?id=104054
Added: trunk/LayoutTests/svg/animations/classAttributeSettingCrash-expected.txt (0 => 153835)
--- trunk/LayoutTests/svg/animations/classAttributeSettingCrash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/classAttributeSettingCrash-expected.txt 2013-08-08 18:38:53 UTC (rev 153835)
@@ -0,0 +1,2 @@
+PASS
+
Added: trunk/LayoutTests/svg/animations/classAttributeSettingCrash.html (0 => 153835)
--- trunk/LayoutTests/svg/animations/classAttributeSettingCrash.html (rev 0)
+++ trunk/LayoutTests/svg/animations/classAttributeSettingCrash.html 2013-08-08 18:38:53 UTC (rev 153835)
@@ -0,0 +1,12 @@
+<head>
+ <div>PASS</div>
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <g>
+ <set attributename="class"></set>
+ </g>
+ <script type="text/_javascript_">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+ </svg>
+</head>
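Review bot: the script's type attribute, as shown in this hunk, reads `text/_javascript_`, which is not a recognised JavaScript type, so `testRunner.dumpAsText()` would not run and the result would not match the `PASS` text expectation; check that the committed file says `text/javascript`, or drop the attribute. The `<div>` and `<svg>` are also nested inside `<head>` with no `<body>`, and nothing in the file says what is being tested; a one-line comment stating that the test passes if setting the class attribute through `<set>` does not crash would make the static PASS text self-explanatory.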
Modified: trunk/Source/WebCore/ChangeLog (153834 => 153835)
--- trunk/Source/WebCore/ChangeLog 2013-08-08 18:35:49 UTC (rev 153834)
+++ trunk/Source/WebCore/ChangeLog 2013-08-08 18:38:53 UTC (rev 153835)
@@ -1,3 +1,17 @@
+2013-08-08 Rob Buis <[email protected]>
+
+ Crash in WTF::RefPtr<WebCore::SpaceSplitStringData>::operator UnspecifiedBoolType
+ https://bugs.webkit.org/show_bug.cgi?id=118839
+
+ Reviewed by Darin Adler.
+
+ Take into account that elementData() can be null in classAttributeChanged.
+
+ Test: svg/animations/classAttributeSettingCrash.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::classAttributeChanged):
+
2013-08-08 Robert Hogan <[email protected]>
REGRESSION(r147019): Page has extra space
Modified: trunk/Source/WebCore/dom/Element.cpp (153834 => 153835)
--- trunk/Source/WebCore/dom/Element.cpp 2013-08-08 18:35:49 UTC (rev 153834)
+++ trunk/Source/WebCore/dom/Element.cpp 2013-08-08 18:38:53 UTC (rev 153835)
@@ -1110,11 +1110,11 @@
if (classStringHasClassName(newClassString)) {
const bool shouldFoldCase = document()->inQuirksMode();
- const SpaceSplitString oldClasses = elementData()->classNames();
+ const SpaceSplitString oldClasses = ensureUniqueElementData()->classNames();
elementData()->setClass(newClassString, shouldFoldCase);
const SpaceSplitString& newClasses = elementData()->classNames();
shouldInvalidateStyle = testShouldInvalidateStyle && checkSelectorForClassChange(oldClasses, newClasses, *styleResolver);
- } else {
+ } else if (elementData()) {
const SpaceSplitString& oldClasses = elementData()->classNames();
shouldInvalidateStyle = testShouldInvalidateStyle && checkSelectorForClassChange(oldClasses, *styleResolver);
elementData()->clearClass();
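Review bot: with the new `else if (elementData())`, neither branch assigns `shouldInvalidateStyle` when the class string has no class name and elementData() is null, so confirm it is initialised before this block or set it explicitly on that path. In the first branch, the three later `elementData()` calls are only safe because `ensureUniqueElementData()` ran on the line above; keeping its result in a local and calling `setClass()` and `classNames()` on that would make the dependency explicit. A short comment on why one branch creates the element data while the other skips the work would help the next reader.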