[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9

zimmermann at webkit.org zimmermann at webkit.org
Thu Feb 4 21:22:30 UTC 2010


The following commit has been merged in the webkit-1.1 branch:
commit 9e471f0b77d4c234674b86a568f65e2cb96d04bb
Author: zimmermann at webkit.org <zimmermann at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Jan 21 02:10:20 2010 +0000

    2010-01-20  Nikolas Zimmermann  <nzimmermann at rim.com>
    
            Reviewed by Oliver Hunt.
    
            Crash on dispatching SVG mouse events
            https://bugs.webkit.org/show_bug.cgi?id=33841
    
            Return early SVGUseElement::instanceForShadowTreeElement if m_targetElementInstance is zero.
            This only happens if the SVGUseElement has just been removed from the document and EventHandler
            tries to dispatch a mouseout event to the corresponding SVGElementInstance. This is not testable
            using DRT unfortunately, so we have to add another manual testcase for that.
    
            Tests: manual-tests/use-crash-on-mouse-hover.svg
    
            * manual-tests/svg-crash-hovering-use.svg: Added.
            * svg/SVGUseElement.cpp:
            (WebCore::SVGUseElement::instanceForShadowTreeElement): Add ASSERT(!inDocument()) when returning 0 here if m_targetElementInstance is 0.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53589 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index dabfd68..b399a2e 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-01-20  Nikolas Zimmermann  <nzimmermann at rim.com>
+
+        Reviewed by Oliver Hunt.
+
+        Crash on dispatching SVG mouse events
+        https://bugs.webkit.org/show_bug.cgi?id=33841
+
+        Return early SVGUseElement::instanceForShadowTreeElement if m_targetElementInstance is zero.
+        This only happens if the SVGUseElement has just been removed from the document and EventHandler
+        tries to dispatch a mouseout event to the corresponding SVGElementInstance. This is not testable
+        using DRT unfortunately, so we have to add another manual testcase for that.
+
+        Tests: manual-tests/use-crash-on-mouse-hover.svg
+
+        * manual-tests/svg-crash-hovering-use.svg: Added.
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::instanceForShadowTreeElement): Add ASSERT(!inDocument()) when returning 0 here if m_targetElementInstance is 0.
+
 2010-01-20  Ilya Tikhonovsky  <loislo at chromium.org>
 
         Reviewed by Pavel Feldman.
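Review bot: The "Tests:" line in the new ChangeLog entry names manual-tests/use-crash-on-mouse-hover.svg, but the file list directly below it, and the file this patch actually adds, is manual-tests/svg-crash-hovering-use.svg. Make the "Tests:" line match the added file so the entry points at a test that exists. The per-function line also describes the change as adding an ASSERT, while the behavioural change is the early return of 0; the entry should lead with that.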
diff --git a/WebCore/manual-tests/svg-crash-hovering-use.svg b/WebCore/manual-tests/svg-crash-hovering-use.svg
new file mode 100644
index 0000000..029b23b
--- /dev/null
+++ b/WebCore/manual-tests/svg-crash-hovering-use.svg
@@ -0,0 +1,30 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg id="svg" viewBox="0 0 100 30" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<defs>
+    <rect id="rect" width="60" height="10"/>
+</defs>
+
+<text x="30" y="30" transform="scale(0.2 0.2)">Hover over the rectangle - it should not crash</text>
+<use id="use" x="20" y="10" xlink:href="#rect" />
+
+<script>
+<![CDATA[
+    var svg = document.getElementById("svg");
+    var use = document.getElementById("use");
+
+    function addUseElement() {
+        svg.appendChild(use, true);
+        setTimeout(removeUseElement, 50);
+    }
+
+    function removeUseElement() {
+        use.parentElement.removeChild(use);
+        setTimeout(addUseElement, 50);
+    }
+
+    document.addEventListener("DOMNodeInserted", function() {}, true);
+    removeUseElement();
+]]>
+</script>
+</svg>
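Review bot: In addUseElement(), svg.appendChild(use, true) passes a second argument that appendChild does not take; drop it so the call reads svg.appendChild(use). The empty capturing DOMNodeInserted listener also needs a one-line comment saying why it is registered, because nothing in the file says whether the crash depends on it. The on-screen instruction could add that the pointer has to stay over the rectangle while the element is removed and re-added every 50 ms.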
diff --git a/WebCore/svg/SVGUseElement.cpp b/WebCore/svg/SVGUseElement.cpp
index 6d371dc..f8f459b 100644
--- a/WebCore/svg/SVGUseElement.cpp
+++ b/WebCore/svg/SVGUseElement.cpp
@@ -857,6 +857,11 @@ void SVGUseElement::associateInstancesWithShadowTreeElements(Node* target, SVGEl
 
 SVGElementInstance* SVGUseElement::instanceForShadowTreeElement(Node* element) const
 {
+    if (!m_targetElementInstance) {
+        ASSERT(!inDocument());
+        return 0;
+    }
+
     return instanceForShadowTreeElement(element, m_targetElementInstance.get());
 }
 
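Review bot: The new null check at the top of instanceForShadowTreeElement() has no comment saying when m_targetElementInstance can be null; the explanation from the commit message (the use element was just removed from the document while EventHandler is still dispatching a mouseout) belongs next to the check. ASSERT is compiled out of release builds, so there the return 0 is the only guard, and every caller now has to tolerate a null SVGElementInstance*. The callers are not part of this diff, so confirm that the EventHandler dispatch path checks the result before dereferencing it.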

-- 
WebKit Debian packaging


