[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.3.8-1-1049-g2e11a8e

commit-queue at webkit.org commit-queue at webkit.org
Fri Jan 21 14:54:18 UTC 2011 

The following commit has been merged in the debian/experimental branch:
commit 404aeae907d121128c00ee83df3731fed845b5b5
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jan 4 09:11:30 2011 +0000

    2011-01-04  Leo Yang  <leo.yang at torchmobile.com.cn>
    
            Reviewed by Dirk Schulze.
    
            Malformed SVG causes crash in updateContainerOffset
            https://bugs.webkit.org/show_bug.cgi?id=44610
    
            Test case for recursive svg <use>.
            This test case passes if no crash occurs.
    
            * svg/custom/recursive-use-expected.txt: Added.
            * svg/custom/recursive-use.svg: Added.
    2011-01-04  Leo Yang  <leo.yang at torchmobile.com.cn>
    
            Reviewed by Dirk Schulze.
    
            Malformed SVG causes crash in updateContainerOffset
            https://bugs.webkit.org/show_bug.cgi?id=44610
    
            We should check recursive <use> at the begining of
            WebCore::SVGUseElement::buildInstanceTree instead
            of at the end of it because the target element's
            children may cause infinite recursive <use>.
    
            Test: svg/custom/recursive-use.svg
    
            * svg/SVGUseElement.cpp:
            (WebCore::SVGUseElement::buildInstanceTree):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74960 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f21c5ab..6f516da 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-04  Leo Yang  <leo.yang at torchmobile.com.cn>
+
+        Reviewed by Dirk Schulze.
+
+        Malformed SVG causes crash in updateContainerOffset
+        https://bugs.webkit.org/show_bug.cgi?id=44610
+
+        Test case for recursive svg <use>.
+        This test case passes if no crash occurs.
+
+        * svg/custom/recursive-use-expected.txt: Added.
+        * svg/custom/recursive-use.svg: Added.
+
 2011-01-03  Kent Tamura  <tkent at chromium.org>
 
         Unreviewed, test expectation update
diff --git a/LayoutTests/svg/custom/recursive-use-expected.txt b/LayoutTests/svg/custom/recursive-use-expected.txt
new file mode 100644
index 0000000..f381830
--- /dev/null
+++ b/LayoutTests/svg/custom/recursive-use-expected.txt
@@ -0,0 +1 @@
+PASS without crash.
diff --git a/LayoutTests/svg/custom/recursive-use.svg b/LayoutTests/svg/custom/recursive-use.svg
new file mode 100644
index 0000000..e6120a4
--- /dev/null
+++ b/LayoutTests/svg/custom/recursive-use.svg
@@ -0,0 +1,15 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<defs>
+    <polygon id="pt" points="-1,0 0,-0.5 1,0"/>
+    <g id="u">
+        <use xlink:href="#pt">
+        <use xlink:href="#u"/>
+        </use>
+    </g>
+</defs>
+<text>PASS without crash.</text>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</svg>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 87812f4..1124bd1 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2011-01-04  Leo Yang  <leo.yang at torchmobile.com.cn>
+
+        Reviewed by Dirk Schulze.
+
+        Malformed SVG causes crash in updateContainerOffset
+        https://bugs.webkit.org/show_bug.cgi?id=44610
+
+        We should check recursive <use> at the begining of
+        WebCore::SVGUseElement::buildInstanceTree instead
+        of at the end of it because the target element's
+        children may cause infinite recursive <use>.
+
+        Test: svg/custom/recursive-use.svg
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::buildInstanceTree):
+
 2011-01-04  Kent Tamura  <tkent at chromium.org>
 
         Unreviewed, build fix.
diff --git a/WebCore/svg/SVGUseElement.cpp b/WebCore/svg/SVGUseElement.cpp
index 4f23f46..bf1c085 100644
--- a/WebCore/svg/SVGUseElement.cpp
+++ b/WebCore/svg/SVGUseElement.cpp
@@ -682,6 +682,11 @@ void SVGUseElement::buildInstanceTree(SVGElement* target, SVGElementInstance* ta
     ASSERT(target);
     ASSERT(targetInstance);
 
+    // Spec: If the referenced object is itself a 'use', or if there are 'use' subelements within the referenced
+    // object, the instance tree will contain recursive expansion of the indirect references to form a complete tree.
+    if (target->hasTagName(SVGNames::useTag))
+        handleDeepUseReferencing(static_cast<SVGUseElement*>(target), targetInstance, foundProblem);
+
     // A general description from the SVG spec, describing what buildInstanceTree() actually does.
     //
     // Spec: If the 'use' element references a 'g' which contains two 'rect' elements, then the instance tree
@@ -706,11 +711,6 @@ void SVGUseElement::buildInstanceTree(SVGElement* target, SVGElementInstance* ta
         // Enter recursion, appending new instance tree nodes to the "instance" object.
         buildInstanceTree(element, instancePtr, foundProblem);
     }
-
-    // Spec: If the referenced object is itself a 'use', or if there are 'use' subelements within the referenced
-    // object, the instance tree will contain recursive expansion of the indirect references to form a complete tree.
-    if (target->hasTagName(SVGNames::useTag))
-        handleDeepUseReferencing(static_cast<SVGUseElement*>(target), targetInstance, foundProblem);
 }
 
 void SVGUseElement::handleDeepUseReferencing(SVGUseElement* use, SVGElementInstance* targetInstance, bool& foundProblem)

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list