[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

eric at webkit.org eric at webkit.org
Wed Apr 7 23:10:39 UTC 2010 

The following commit has been merged in the webkit-1.2 branch:
commit 18c52e6d074dd26bfd9d0ac4dd0a1db301418635
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Oct 28 00:18:15 2009 +0000

    2009-10-27  Eric Seidel  <eric at webkit.org>
    
            Reviewed by Nikolas Zimmermann.
    
            SVGStyledElement::getPresentationAttribute() can return a shared CSSValue (some SVG tests randomly fail on the bot, and in release builds)
            https://bugs.webkit.org/show_bug.cgi?id=29620
    
            * svg/dom/getPresentationAttribute-cache-corruption-expected.txt: Added.
            * svg/dom/getPresentationAttribute-cache-corruption.svg: Added.
    2009-10-27  Eric Seidel  <eric at webkit.org>
    
            Reviewed by Nikolas Zimmermann.
    
            SVGStyledElement::getPresentationAttribute() can return a shared CSSValue (some SVG tests randomly fail on the bot, and in release builds)
            https://bugs.webkit.org/show_bug.cgi?id=29620
    
            SVG was modifying CSSValues cached of off CSSMappedAttributeDeclarations.
            This patch fixes the check to make sure that a new CSSMappedAttributeDeclaration is
            created before returning a CSSValue that JavaScript can modify.
    
            Test: svg/dom/getPresentationAttribute-cache-corruption.svg
    
            * svg/SVGStyledElement.cpp:
            (WebCore::SVGStyledElement::getPresentationAttribute):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50185 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 959cd3c..e173f82 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-27  Eric Seidel  <eric at webkit.org>
+
+        Reviewed by Nikolas Zimmermann.
+
+        SVGStyledElement::getPresentationAttribute() can return a shared CSSValue (some SVG tests randomly fail on the bot, and in release builds)
+        https://bugs.webkit.org/show_bug.cgi?id=29620
+
+        * svg/dom/getPresentationAttribute-cache-corruption-expected.txt: Added.
+        * svg/dom/getPresentationAttribute-cache-corruption.svg: Added.
+
 2009-10-27  Dan Bernstein  <mitz at apple.com>
 
         Reviewed by Simon Fraser.
diff --git a/LayoutTests/editing/selection/doubleclick-whitespace-img-crash-expected.txt b/LayoutTests/svg/dom/getPresentationAttribute-cache-corruption-expected.txt
similarity index 100%
copy from LayoutTests/editing/selection/doubleclick-whitespace-img-crash-expected.txt
copy to LayoutTests/svg/dom/getPresentationAttribute-cache-corruption-expected.txt
diff --git a/LayoutTests/svg/dom/getPresentationAttribute-cache-corruption.svg b/LayoutTests/svg/dom/getPresentationAttribute-cache-corruption.svg
new file mode 100644
index 0000000..a54b8ea
--- /dev/null
+++ b/LayoutTests/svg/dom/getPresentationAttribute-cache-corruption.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+<svg xmlns="http://www.w3.org/2000/svg">
+    <rect id="first" x="0" y="0" width="100" height="100" fill="green" />
+    <script>
+    <![CDATA[
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+    // This test makes sure that mutating the CSSValue returned
+    // by getPresentationAttribute does not affect later mapped attribute values.
+    // See bug https://bugs.webkit.org/show_bug.cgi?id=29620.
+    var fill = document.getElementById("first").getPresentationAttribute('fill');
+    fill.setRGBColor("red");
+    ]]>
+    </script>
+    <rect id="second" x="0" y="0" width="100" height="100" fill="green" />
+    <text id="result" x="10" y="30">FAIL</text>
+    <script>
+    <![CDATA[
+    var fillValue = window.getComputedStyle(document.getElementById("second"), null)['fill'];
+    if (fillValue == "#008000") {
+        document.getElementById("result").textContent = "PASS";
+    } else {
+        document.getElementById("result").textContent = "FAIL: expected #008000 got " + fillValue;
+    }
+    ]]>
+    </script>
+</svg>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 061a54a..8060daa 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2009-10-27  Eric Seidel  <eric at webkit.org>
+
+        Reviewed by Nikolas Zimmermann.
+
+        SVGStyledElement::getPresentationAttribute() can return a shared CSSValue (some SVG tests randomly fail on the bot, and in release builds)
+        https://bugs.webkit.org/show_bug.cgi?id=29620
+
+        SVG was modifying CSSValues cached of off CSSMappedAttributeDeclarations.
+        This patch fixes the check to make sure that a new CSSMappedAttributeDeclaration is
+        created before returning a CSSValue that JavaScript can modify.
+
+        Test: svg/dom/getPresentationAttribute-cache-corruption.svg
+
+        * svg/SVGStyledElement.cpp:
+        (WebCore::SVGStyledElement::getPresentationAttribute):
+
 2009-10-27  Dan Bernstein  <mitz at apple.com>
 
         Reviewed by Simon Fraser.
diff --git a/WebCore/svg/SVGStyledElement.cpp b/WebCore/svg/SVGStyledElement.cpp
index 98b6459..6960519 100644
--- a/WebCore/svg/SVGStyledElement.cpp
+++ b/WebCore/svg/SVGStyledElement.cpp
@@ -245,20 +245,23 @@ PassRefPtr<CSSValue> SVGStyledElement::getPresentationAttribute(const String& na
     if (!mappedAttributes())
         return 0;
 
-    Attribute* attr = mappedAttributes()->getAttributeItem(QualifiedName(nullAtom, name, nullAtom));
+    QualifiedName attributeName(nullAtom, name, nullAtom);
+    Attribute* attr = mappedAttributes()->getAttributeItem(attributeName);
     if (!attr || !attr->isMappedAttribute() || !attr->style())
         return 0;
 
     MappedAttribute* cssSVGAttr = static_cast<MappedAttribute*>(attr);
-
-    // FIXME: Is it possible that the style will not be shared at the time this
-    // is called, but a later addition to the DOM will make it shared?
-    if (!cssSVGAttr->style()->hasOneRef()) {
+    // This function returns a pointer to a CSSValue which can be mutated from JavaScript.
+    // If the associated MappedAttribute uses the same CSSMappedAttributeDeclaration
+    // as StyledElement's mappedAttributeDecls cache, create a new CSSMappedAttributeDeclaration
+    // before returning so that any modifications to the CSSValue will not affect other attributes.
+    MappedAttributeEntry entry;
+    mapToEntry(attributeName, entry);
+    if (getMappedAttributeDecl(entry, cssSVGAttr) == cssSVGAttr->decl()) {
         cssSVGAttr->setDecl(0);
         int propId = SVGStyledElement::cssPropertyIdForSVGAttributeName(cssSVGAttr->name());
         addCSSProperty(cssSVGAttr, propId, cssSVGAttr->value());
     }
-
     return cssSVGAttr->style()->getPropertyCSSValue(name);
 }
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list