[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
inferno at chromium.org
inferno at chromium.org
Wed Dec 22 15:40:41 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 94d80dce2f4e8a2f3eb8c583d9b3f2d809559dbe
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Nov 10 08:20:05 2010 +0000
2010-11-10 Cris Neckar <cdn at chromium.org>
Reviewed by Nikolas Zimmermann.
Added check to ensure that svg viewport containers are not treated in the same way as generic svg containers.
https://bugs.webkit.org/show_bug.cgi?id=49188
Test: svg/dom/viewport-container-crash.svg
* rendering/SVGImageBufferTools.cpp:
(WebCore::SVGImageBufferTools::renderSubtreeToImageBuffer):
2010-11-10 Cris Neckar <cdn at chromium.org>
Reviewed by Nikolas Zimmermann.
Test for crash when svg viewport containers are treated as generic svg containers.
https://bugs.webkit.org/show_bug.cgi?id=49188
* svg/dom/viewport-container-crash-expected.txt: Added.
* svg/dom/viewport-container-crash.svg: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71723 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 53fa7ba..841738c 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-10 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Nikolas Zimmermann.
+
+ Test for crash when svg viewport containers are treated as generic svg containers.
+ https://bugs.webkit.org/show_bug.cgi?id=49188
+
+ * svg/dom/viewport-container-crash-expected.txt: Added.
+ * svg/dom/viewport-container-crash.svg: Added.
+
2010-11-09 Fumitoshi Ukai <ukai at chromium.org>
Unreviewed, updating Chromium expectations
diff --git a/LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt b/LayoutTests/svg/dom/viewport-container-crash-expected.txt
similarity index 100%
copy from LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt
copy to LayoutTests/svg/dom/viewport-container-crash-expected.txt
diff --git a/LayoutTests/svg/dom/viewport-container-crash.svg b/LayoutTests/svg/dom/viewport-container-crash.svg
new file mode 100644
index 0000000..0066a81
--- /dev/null
+++ b/LayoutTests/svg/dom/viewport-container-crash.svg
@@ -0,0 +1,13 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <text>PASS</text>
+ <defs>
+ <pattern id="Pattern" width="20" height="20">
+ <svg></svg>
+ </pattern>
+ </defs>
+ <rect width="430" height="80" fill="url(#Pattern)"/>
+ <script>
+ if (layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+</svg>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index cb5e285..d3de0d3 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-11-10 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Nikolas Zimmermann.
+
+ Added check to ensure that svg viewport containers are not treated in the same way as generic svg containers.
+ https://bugs.webkit.org/show_bug.cgi?id=49188
+
+ Test: svg/dom/viewport-container-crash.svg
+
+ * rendering/SVGImageBufferTools.cpp:
+ (WebCore::SVGImageBufferTools::renderSubtreeToImageBuffer):
+
2010-11-09 Gyuyoung Kim <gyuyoung.kim at samsung.com>
Reviewed by Eric Seidel.
diff --git a/WebCore/rendering/RenderObject.h b/WebCore/rendering/RenderObject.h
index 89d9921..e79d7e4 100644
--- a/WebCore/rendering/RenderObject.h
+++ b/WebCore/rendering/RenderObject.h
@@ -314,6 +314,7 @@ public:
// to add SVG renderer methods to RenderObject with an ASSERT_NOT_REACHED() default implementation.
virtual bool isSVGRoot() const { return false; }
virtual bool isSVGContainer() const { return false; }
+ virtual bool isSVGViewportContainer() const { return false; }
virtual bool isSVGGradientStop() const { return false; }
virtual bool isSVGHiddenContainer() const { return false; }
virtual bool isSVGPath() const { return false; }
diff --git a/WebCore/rendering/RenderSVGViewportContainer.h b/WebCore/rendering/RenderSVGViewportContainer.h
index 63c336c..5373ca8 100644
--- a/WebCore/rendering/RenderSVGViewportContainer.h
+++ b/WebCore/rendering/RenderSVGViewportContainer.h
@@ -36,6 +36,7 @@ public:
private:
virtual bool isSVGContainer() const { return true; }
+ virtual bool isSVGViewportContainer() const { return true; }
virtual const char* renderName() const { return "RenderSVGViewportContainer"; }
AffineTransform viewportTransform() const;
diff --git a/WebCore/rendering/SVGImageBufferTools.cpp b/WebCore/rendering/SVGImageBufferTools.cpp
index 903aa21..20f45b1 100644
--- a/WebCore/rendering/SVGImageBufferTools.cpp
+++ b/WebCore/rendering/SVGImageBufferTools.cpp
@@ -81,10 +81,8 @@ void SVGImageBufferTools::renderSubtreeToImageBuffer(ImageBuffer* image, RenderO
PaintInfo info(image->context(), PaintInfo::infiniteRect(), PaintPhaseForeground, 0, 0, 0);
- // FIXME: isSVGContainer returns true for RenderSVGViewportContainer, so if this is ever
- // called with one of those, we will read from the wrong offset in an object due to a bad cast.
RenderSVGContainer* svgContainer = 0;
- if (item && item->isSVGContainer())
+ if (item && item->isSVGContainer() && !item->isSVGViewportContainer())
svgContainer = toRenderSVGContainer(item);
bool drawsContents = svgContainer ? svgContainer->drawsContents() : false;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list