Title: [165120] branches/safari-537.75-branch
Diff
Modified: branches/safari-537.75-branch/LayoutTests/ChangeLog (165119 => 165120)
--- branches/safari-537.75-branch/LayoutTests/ChangeLog 2014-03-05 20:26:58 UTC (rev 165119)
+++ branches/safari-537.75-branch/LayoutTests/ChangeLog 2014-03-05 20:34:45 UTC (rev 165120)
@@ -1,3 +1,34 @@
+2014-03-05 Matthew Hanson <[email protected]>
+
+ Merge r164933.
+
+ 2014-03-01 David Kilzer <[email protected]>
+
+ Ensure keySplines is valid in SMIL animations
+ <http://webkit.org/b/129547>
+ <rdar://problem/15676128>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by Philip Rogers):
+ https://src.chromium.org/viewvc/blink?revision=156452&view=revision
+ http://crbug.com/276111
+
+ This patch fixes a crash in SMIL animations when keySplines are not
+ specified. The SMIL spec is clear on this:
+ http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
+ "If there are any errors in the keyTimes specification (bad values,
+ too many or too few values), the animation will have no effect."
+
+ This patch simply checks that keyTimes is not empty. Previously,
+ splinesCount was set to be m_keySplines.size() + 1 in
+ SVGAnimationElement.cpp; this patch changes splinesCount to be equal
+ to m_keySplines.size() to make the logic easier to follow and to
+ match other checks in SVGAnimationElement::startedActiveInterval.
+
+ * svg/animations/animate-keysplines-crash-expected.txt: Added.
+ * svg/animations/animate-keysplines-crash.html: Added.
+
2014-02-12 Matthew Hanson <[email protected]>
Merge r163579.
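Review bot: The sentence "This patch simply checks that keyTimes is not empty" in the merged r164933 description names the wrong attribute. The entry's title is "Ensure keySplines is valid in SMIL animations", and the next sentence describes splinesCount being derived from m_keySplines.size(). The quoted SMIL text likewise talks about errors in the keyTimes specification, while the crash described is for keySplines not being specified. Suggest rewording to "checks that keySplines is not empty" and citing the spec wording that covers keySplines, here and in the identical Source/WebCore/ChangeLog entry, so the log matches what was changed.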
Copied: branches/safari-537.75-branch/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt (from rev 164933, trunk/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt) (0 => 165120)
--- branches/safari-537.75-branch/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt 2014-03-05 20:34:45 UTC (rev 165120)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-537.75-branch/LayoutTests/svg/animations/animate-keysplines-crash.html (from rev 164933, trunk/LayoutTests/svg/animations/animate-keysplines-crash.html) (0 => 165120)
--- branches/safari-537.75-branch/LayoutTests/svg/animations/animate-keysplines-crash.html (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/svg/animations/animate-keysplines-crash.html 2014-03-05 20:34:45 UTC (rev 165120)
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+Test for crbug.com/276111: This test passes if it does not crash.
+<svg xmlns="http://www.w3.org/2000/svg">
+ <rect>
+ <animateMotion path="M 1 2Z" id="animateMotionElement" calcMode="spline" values="M 1 2Z; M3 4Z"/>
+ </rect>
+</svg>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function removePathAndFinishTest() {
+ animateMotionElement.removeAttribute('path');
+ setTimeout(function() {
+ document.write("PASS");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+}
+
+setTimeout('removePathAndFinishTest()', 0);
+</script>
+</body>
+</html>
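Review bot: The last script line, setTimeout('removePathAndFinishTest()', 0), passes a string that is evaluated as code. Passing the function itself, setTimeout(removePathAndFinishTest, 0), does the same job without the eval-style call and matches the inner setTimeout(function() { ... }, 0) a few lines up. Inside removePathAndFinishTest, animateMotionElement is reached through the implicit id-to-global lookup; document.getElementById('animateMotionElement') would make that dependency explicit. The test exercises only one input (calcMode="spline" with a path and values but no keySplines, then removing path); cases where keySplines is present but its count disagrees with values, keyTimes or keyPoints would cover the other three conditions this change touches.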
Modified: branches/safari-537.75-branch/Source/WebCore/ChangeLog (165119 => 165120)
--- branches/safari-537.75-branch/Source/WebCore/ChangeLog 2014-03-05 20:26:58 UTC (rev 165119)
+++ branches/safari-537.75-branch/Source/WebCore/ChangeLog 2014-03-05 20:34:45 UTC (rev 165120)
@@ -1,3 +1,36 @@
+2014-03-05 Matthew Hanson <[email protected]>
+
+ Merge r164933.
+
+ 2014-03-01 David Kilzer <[email protected]>
+
+ Ensure keySplines is valid in SMIL animations
+ <http://webkit.org/b/129547>
+ <rdar://problem/15676128>
+
+ Reviewed by Darin Adler.
+
+ Merged from Blink (patch by Philip Rogers):
+ https://src.chromium.org/viewvc/blink?revision=156452&view=revision
+ http://crbug.com/276111
+
+ This patch fixes a crash in SMIL animations when keySplines are not
+ specified. The SMIL spec is clear on this:
+ http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
+ "If there are any errors in the keyTimes specification (bad values,
+ too many or too few values), the animation will have no effect."
+
+ This patch simply checks that keyTimes is not empty. Previously,
+ splinesCount was set to be m_keySplines.size() + 1 in
+ SVGAnimationElement.cpp; this patch changes splinesCount to be equal
+ to m_keySplines.size() to make the logic easier to follow and to
+ match other checks in SVGAnimationElement::startedActiveInterval.
+
+ Test: svg/animations/animate-keysplines-crash.html
+
+ * svg/SVGAnimationElement.cpp:
+ (WebCore::SVGAnimationElement::startedActiveInterval):
+
2014-03-04 Brent Fulgham <[email protected]>
Unreviewed build fix after bad merge of r154146.
Modified: branches/safari-537.75-branch/Source/WebCore/svg/SVGAnimationElement.cpp (165119 => 165120)
--- branches/safari-537.75-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2014-03-05 20:26:58 UTC (rev 165119)
+++ branches/safari-537.75-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2014-03-05 20:34:45 UTC (rev 165120)
@@ -565,10 +565,11 @@
AnimationMode animationMode = this->animationMode();
CalcMode calcMode = this->calcMode();
if (calcMode == CalcModeSpline) {
- unsigned splinesCount = m_keySplines.size() + 1;
- if ((fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() != splinesCount)
- || (animationMode == ValuesAnimation && m_values.size() != splinesCount)
- || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() != splinesCount))
+ unsigned splinesCount = m_keySplines.size();
+ if (!splinesCount
+ || (fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() - 1 != splinesCount)
+ || (animationMode == ValuesAnimation && m_values.size() - 1 != splinesCount)
+ || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() - 1 != splinesCount))
return;
}
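Review bot: The three new comparisons of the form m_keyPoints.size() - 1 != splinesCount subtract from an unsigned size, so an empty m_keyPoints, m_values or m_keyTimes wraps to the maximum value instead of -1. The result still differs from splinesCount and the function returns early, so the behaviour is safe, but it depends on wraparound that a later edit could break without anyone noticing. Writing each check as m_keyPoints.size() != splinesCount + 1 (and the same for m_values and m_keyTimes) keeps the arithmetic on the side that the preceding !splinesCount test has already shown to be non-zero, and avoids the underflow entirely. A one-line comment stating that N values require N - 1 splines would also help, since the reason for the off-by-one is not visible in this function.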