[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

jschuh at chromium.org jschuh at chromium.org
Wed Dec 22 13:01:23 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit e79b441650b337c63c1f3722ce7ec2dfd09e9822
Author: jschuh at chromium.org <jschuh at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Sep 4 15:45:47 2010 +0000

    2010-09-04  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by Nikolas Zimmermann.
    
            Prevent premature deletion of svg use shadow tree
            https://bugs.webkit.org/show_bug.cgi?id=43260
    
            Test: svg/custom/use-invalid-style.svg
    
            * svg/SVGUseElement.cpp:
            (WebCore::SVGUseElement::insertedIntoDocument):
            (WebCore::SVGUseElement::removedFromDocument):
            (WebCore::SVGUseElement::detach):
    2010-09-04  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by Nikolas Zimmermann.
    
            Check for premature deletion of svg use shadow style element
            https://bugs.webkit.org/show_bug.cgi?id=43260
    
            * svg/custom/use-invalid-style-expected.txt: Added.
            * svg/custom/use-invalid-style.svg: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66795 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 9594b6f..a2ec56f 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-09-04  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by Nikolas Zimmermann.
+
+        Check for premature deletion of svg use shadow style element
+        https://bugs.webkit.org/show_bug.cgi?id=43260
+
+        * svg/custom/use-invalid-style-expected.txt: Added.
+        * svg/custom/use-invalid-style.svg: Added.
+
 2010-09-04  Steve Block  <steveblock at google.com>
 
         Unreviewed.
diff --git a/LayoutTests/svg/custom/use-invalid-style-expected.txt b/LayoutTests/svg/custom/use-invalid-style-expected.txt
new file mode 100644
index 0000000..b9737b1
--- /dev/null
+++ b/LayoutTests/svg/custom/use-invalid-style-expected.txt
@@ -0,0 +1,7 @@
+This page contains the following errors:
+
+error on line 10 at column 88: Opening and ending tag mismatch: junk line 0 and svg
+Below is a rendering of the page up to the first error.
+
+This should not crash, but display an error document.
+
diff --git a/LayoutTests/svg/custom/use-invalid-style.svg b/LayoutTests/svg/custom/use-invalid-style.svg
new file mode 100644
index 0000000..d873428
--- /dev/null
+++ b/LayoutTests/svg/custom/use-invalid-style.svg
@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <script>
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+    </script>
+    <text y="20">This should not crash, but display an error document.</text>
+    <style id="crash"></style>
+    <use xlink:href="#crash" />
+    <junk>
+</svg>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 1e7775f..52c6755 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-09-04  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by Nikolas Zimmermann.
+
+        Prevent premature deletion of svg use shadow tree
+        https://bugs.webkit.org/show_bug.cgi?id=43260
+
+        Test: svg/custom/use-invalid-style.svg
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::insertedIntoDocument):
+        (WebCore::SVGUseElement::removedFromDocument):
+        (WebCore::SVGUseElement::detach):
+
 2010-09-03  Jesus Sanchez-Palencia  <jesus.palencia at openbossa.org>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/svg/SVGUseElement.cpp b/WebCore/svg/SVGUseElement.cpp
index fc6c9fc..3723f9a 100644
--- a/WebCore/svg/SVGUseElement.cpp
+++ b/WebCore/svg/SVGUseElement.cpp
@@ -44,6 +44,7 @@
 #include "SVGShadowTreeElements.h"
 #include "SVGSymbolElement.h"
 #include "XLinkNames.h"
+#include "XMLDocumentParser.h"
 #include "XMLSerializer.h"
 
 // Dump SVGElementInstance object tree - useful to debug instanceRoot problems
@@ -120,14 +121,14 @@ void SVGUseElement::insertedIntoDocument()
 {
     // This functions exists to assure assumptions made in the code regarding SVGElementInstance creation/destruction are satisfied.
     SVGStyledTransformableElement::insertedIntoDocument();
-    ASSERT(!m_targetElementInstance);
+    ASSERT(!m_targetElementInstance || ((document()->isSVGDocument() || document()->isXHTMLDocument()) && !static_cast<XMLDocumentParser*>(document()->parser())->wellFormed()));
     ASSERT(!m_isPendingResource);
 }
 
 void SVGUseElement::removedFromDocument()
 {
-    m_targetElementInstance = 0;
     SVGStyledTransformableElement::removedFromDocument();
+    m_targetElementInstance = 0;
 }
 
 void SVGUseElement::svgAttributeChanged(const QualifiedName& attrName)
@@ -608,8 +609,8 @@ void SVGUseElement::attach()
 
 void SVGUseElement::detach()
 {
-    m_targetElementInstance = 0;
     SVGStyledTransformableElement::detach();
+    m_targetElementInstance = 0;
 }
 
 static bool isDirectReference(Node* n)

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list