[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

zimmermann at webkit.org zimmermann at webkit.org
Wed Dec 22 15:43:57 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 3058cc40aa2459320bc852f8eda7b9dc1c62aa52
Author: zimmermann at webkit.org <zimmermann at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Nov 11 12:46:36 2010 +0000

    2010-11-11  Nikolas Zimmermann  <nzimmermann at rim.com>
    
            Reviewed by Dirk Schulze.
    
            chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter ReadAV at NULL (4cf97a4f3ebe8006a2f5ffcc5bc10aeb)
            https://bugs.webkit.org/show_bug.cgi?id=49331
    
            Test: svg/dom/SVGPolygonElement-baseVal-list-removal-crash.html
    
            * svg/properties/SVGListProperty.h:
            (WebCore::SVGListProperty::replaceItemValuesAndWrappers): Avoid premature deletion of 'oldItem'.
            (WebCore::SVGListProperty::removeItemValuesAndWrappers): Ditto.
    
    2010-11-11  Nikolas Zimmermann  <nzimmermann at rim.com>
    
            Reviewed by Dirk Schulze.
    
            chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter ReadAV at NULL (4cf97a4f3ebe8006a2f5ffcc5bc10aeb)
            https://bugs.webkit.org/show_bug.cgi?id=49331
    
            * svg/dom/SVGPolygonElement-baseVal-list-removal-crash-expected.txt: Added.
            * svg/dom/SVGPolygonElement-baseVal-list-removal-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71805 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c2b6b0d..670162e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-11  Nikolas Zimmermann  <nzimmermann at rim.com>
+
+        Reviewed by Dirk Schulze.
+
+        chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter ReadAV at NULL (4cf97a4f3ebe8006a2f5ffcc5bc10aeb)
+        https://bugs.webkit.org/show_bug.cgi?id=49331
+ 
+        * svg/dom/SVGPolygonElement-baseVal-list-removal-crash-expected.txt: Added.
+        * svg/dom/SVGPolygonElement-baseVal-list-removal-crash.html: Added.
+
 2010-11-10  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Reviewed by Dirk Schulze.
diff --git a/LayoutTests/svg/dom/SVGPolygonElement-baseVal-list-removal-crash-expected.txt b/LayoutTests/svg/dom/SVGPolygonElement-baseVal-list-removal-crash-expected.txt
new file mode 100644
index 0000000..d167dd6
--- /dev/null
+++ b/LayoutTests/svg/dom/SVGPolygonElement-baseVal-list-removal-crash-expected.txt
@@ -0,0 +1,2 @@
+ALERT: Accessing old oSVGPoint1.x: 0
+This test passes if it doesn't crash.
diff --git a/LayoutTests/svg/dom/SVGPolygonElement-baseVal-list-removal-crash.html b/LayoutTests/svg/dom/SVGPolygonElement-baseVal-list-removal-crash.html
new file mode 100644
index 0000000..dd44f35
--- /dev/null
+++ b/LayoutTests/svg/dom/SVGPolygonElement-baseVal-list-removal-crash.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function go() {
+    var oSVGPolygon = document.createElementNS("http://www.w3.org/2000/svg", "polygon");
+    var oSVGPath = document.createElementNS("http://www.w3.org/2000/svg", "path");
+    var oSVGPoint1 = oSVGPath.getPointAtLength();
+    oSVGPolygon.points.initialize(oSVGPoint1);
+    oSVGPolygon.points.removeItem(-9223372036854775802);
+    alert("Accessing old oSVGPoint1.x: " + oSVGPoint1.x);
+}
+</script>
+</head>
+<body onload="go()">
+This test passes if it doesn't crash.
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 97dea01..08d43be 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-11-11  Nikolas Zimmermann  <nzimmermann at rim.com>
+
+        Reviewed by Dirk Schulze.
+
+        chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter ReadAV at NULL (4cf97a4f3ebe8006a2f5ffcc5bc10aeb)
+        https://bugs.webkit.org/show_bug.cgi?id=49331
+
+        Test: svg/dom/SVGPolygonElement-baseVal-list-removal-crash.html
+
+        * svg/properties/SVGListProperty.h:
+        (WebCore::SVGListProperty::replaceItemValuesAndWrappers): Avoid premature deletion of 'oldItem'.
+        (WebCore::SVGListProperty::removeItemValuesAndWrappers): Ditto.
+
 2010-11-11  Kenneth Rohde Christiansen  <kenneth at webkit.org>
 
         Reviewed by Andreas Kling.
diff --git a/WebCore/svg/properties/SVGListProperty.h b/WebCore/svg/properties/SVGListProperty.h
index 7edc0f1..f143389 100644
--- a/WebCore/svg/properties/SVGListProperty.h
+++ b/WebCore/svg/properties/SVGListProperty.h
@@ -287,7 +287,7 @@ public:
         processIncomingListItemWrapper(newItem, &index);
 
         // Detach the existing wrapper.
-        RefPtr<ListItemTearOff>& oldItem = wrappers.at(index);
+        RefPtr<ListItemTearOff> oldItem = wrappers.at(index);
         if (oldItem)
             oldItem->detachWrapper();
 
@@ -336,7 +336,7 @@ public:
         ASSERT(values.size() == wrappers.size());
 
         // Detach the existing wrapper.
-        RefPtr<ListItemTearOff>& oldItem = wrappers.at(index);
+        RefPtr<ListItemTearOff> oldItem = wrappers.at(index);
         if (oldItem)
             oldItem->detachWrapper();
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list