[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

commit-queue at webkit.org commit-queue at webkit.org
Wed Dec 22 13:04:18 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 35bcdf7b423702699dea8ce115c0ddaf9edeb144
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Sep 6 16:51:37 2010 +0000

    2010-09-06  Shane Stephens  <shanestephens at google.com>
    
            Reviewed by Dimitri Glazkov.
    
            [Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
            https://bugs.webkit.org/show_bug.cgi?id=44750
    
            Added test case to demonstrate crash bug.
    
            * svg/dom/symbol-embeddedAnimation-expected.txt: Added.
            * svg/dom/symbol-embeddedAnimation.svg: Added.
    2010-09-06  Shane Stephens  <shanestephens at google.com>
    
            Reviewed by Dimitri Glazkov.
    
            [Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
            https://bugs.webkit.org/show_bug.cgi?id=44750
    
            Fixes crash by checking for null transforms and skipping update step
            when appropriate.
    
            Test: svg/dom/symbol-embeddedAnimation.svg
    
            * svg/SVGAnimateMotionElement.cpp:
            (WebCore::SVGAnimateMotionElement::applyResultsToTarget):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66836 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 10c57b3..46e424a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-09-06  Shane Stephens  <shanestephens at google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        [Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
+        https://bugs.webkit.org/show_bug.cgi?id=44750
+
+        Added test case to demonstrate crash bug.
+
+        * svg/dom/symbol-embeddedAnimation-expected.txt: Added.
+        * svg/dom/symbol-embeddedAnimation.svg: Added.
+
 2010-09-06  Martin Robinson  <mrobinson at igalia.com>
 
         Unskip a couple of plugin tests which are now passing.
diff --git a/LayoutTests/svg/dom/use-transform-expected.txt b/LayoutTests/svg/dom/symbol-embeddedAnimation-expected.txt
similarity index 100%
copy from LayoutTests/svg/dom/use-transform-expected.txt
copy to LayoutTests/svg/dom/symbol-embeddedAnimation-expected.txt
diff --git a/LayoutTests/svg/dom/symbol-embeddedAnimation.svg b/LayoutTests/svg/dom/symbol-embeddedAnimation.svg
new file mode 100644
index 0000000..e91a023
--- /dev/null
+++ b/LayoutTests/svg/dom/symbol-embeddedAnimation.svg
@@ -0,0 +1,16 @@
+<?xml version="1.0" standalone="no"?>
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <!-- use of animateMotion inside symbol tag should not crash -->
+  <use xlink:href="#crash"/>
+  <a id="crash">
+    <symbol>
+      <animateMotion/>
+    </symbol>
+  </a>
+
+  <text>Survived the crash!</text>
+  <script>
+  if (window.layoutTestController)
+      layoutTestController.dumpAsText();
+  </script>
+</svg>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 2c4029f..53ec82e 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-09-06  Shane Stephens  <shanestephens at google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        [Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
+        https://bugs.webkit.org/show_bug.cgi?id=44750
+
+        Fixes crash by checking for null transforms and skipping update step
+        when appropriate.
+
+        Test: svg/dom/symbol-embeddedAnimation.svg
+
+        * svg/SVGAnimateMotionElement.cpp:
+        (WebCore::SVGAnimateMotionElement::applyResultsToTarget):
+
 2010-09-06  Xan Lopez  <xlopez at igalia.com>
 
         Rubber-stamped by Tor Arne Vestbø.
diff --git a/WebCore/svg/SVGAnimateMotionElement.cpp b/WebCore/svg/SVGAnimateMotionElement.cpp
index ffa201b..b50a993 100644
--- a/WebCore/svg/SVGAnimateMotionElement.cpp
+++ b/WebCore/svg/SVGAnimateMotionElement.cpp
@@ -222,6 +222,10 @@ void SVGAnimateMotionElement::applyResultsToTarget()
     if (RenderObject* renderer = targetElement->renderer())
         RenderSVGResource::markForLayoutAndParentResourceInvalidation(renderer);
 
+    AffineTransform* t = targetElement->supplementalTransform();
+    if (!t)
+        return;
+
     // ...except in case where we have additional instances in <use> trees.
     const HashSet<SVGElementInstance*>& instances = targetElement->instancesForElement();
     const HashSet<SVGElementInstance*>::const_iterator end = instances.end();
@@ -229,7 +233,8 @@ void SVGAnimateMotionElement::applyResultsToTarget()
         SVGElement* shadowTreeElement = (*it)->shadowTreeElement();
         ASSERT(shadowTreeElement);
         AffineTransform* transform = shadowTreeElement->supplementalTransform();
-        AffineTransform* t = targetElement->supplementalTransform();
+        if (!transform)
+            continue;
         transform->setMatrix(t->a(), t->b(), t->c(), t->d(), t->e(), t->f());
         if (RenderObject* renderer = shadowTreeElement->renderer()) {
             renderer->setNeedsTransformUpdate();

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list