[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.3.8-1-1049-g2e11a8e

commit-queue at webkit.org commit-queue at webkit.org
Fri Jan 21 14:57:17 UTC 2011 

The following commit has been merged in the debian/experimental branch:
commit 0f5d54e5f9d4ae663084af561af95139a14fbec0
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jan 5 12:11:15 2011 +0000

    2011-01-05  Leo Yang  <leo.yang at torchmobile.com.cn>
    
            Reviewed by Dirk Schulze.
    
            Malformed SVG causes crash in updateContainerOffset
            https://bugs.webkit.org/show_bug.cgi?id=44610
    
            Test case for recursive svg <use>.
            This test case passes if no crash occurs.
    
            * svg/custom/recursive-use-expected.txt: Added.
            * svg/custom/recursive-use.svg: Added.
    2011-01-05  Leo Yang  <leo.yang at torchmobile.com.cn>
    
            Reviewed by Dirk Schulze.
    
            Malformed SVG causes crash in updateContainerOffset
            https://bugs.webkit.org/show_bug.cgi?id=44610
    
            We should check recursive <use> at the begining of
            WebCore::SVGUseElement::buildInstanceTree instead
            of at the end of it because the target element's
            children may cause infinite recursive <use>.
    
            Test: svg/custom/recursive-use.svg
    
            * svg/SVGUseElement.cpp:
            (WebCore::SVGUseElement::buildInstanceTree):
            (WebCore::SVGUseElement::hasCycleUseReferencing):
            * svg/SVGUseElement.h:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75059 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f2dfc53..e0294d1 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-05  Leo Yang  <leo.yang at torchmobile.com.cn>
+
+        Reviewed by Dirk Schulze.
+
+        Malformed SVG causes crash in updateContainerOffset
+        https://bugs.webkit.org/show_bug.cgi?id=44610
+
+        Test case for recursive svg <use>.
+        This test case passes if no crash occurs.
+
+        * svg/custom/recursive-use-expected.txt: Added.
+        * svg/custom/recursive-use.svg: Added.
+
 2011-01-05  Antti Koivisto  <antti at apple.com>
 
         Not reviewed.
diff --git a/LayoutTests/svg/custom/recursive-use-expected.txt b/LayoutTests/svg/custom/recursive-use-expected.txt
new file mode 100644
index 0000000..f381830
--- /dev/null
+++ b/LayoutTests/svg/custom/recursive-use-expected.txt
@@ -0,0 +1 @@
+PASS without crash.
diff --git a/LayoutTests/svg/custom/recursive-use.svg b/LayoutTests/svg/custom/recursive-use.svg
new file mode 100644
index 0000000..6dbbac2
--- /dev/null
+++ b/LayoutTests/svg/custom/recursive-use.svg
@@ -0,0 +1,15 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<defs>
+    <polygon id="pt" points="-1,0 0,-0.5 1,0"/>
+    <g id="u">
+        <use xlink:href="#pt">
+        <use xlink:href="#u"/>
+        </use>
+    </g>
+</defs>
+<text x="10" y= "30">PASS without crash.</text>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+</svg>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c9e4aac..18edbbf 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2011-01-05  Leo Yang  <leo.yang at torchmobile.com.cn>
+
+        Reviewed by Dirk Schulze.
+
+        Malformed SVG causes crash in updateContainerOffset
+        https://bugs.webkit.org/show_bug.cgi?id=44610
+
+        We should check recursive <use> at the begining of
+        WebCore::SVGUseElement::buildInstanceTree instead
+        of at the end of it because the target element's
+        children may cause infinite recursive <use>.
+
+        Test: svg/custom/recursive-use.svg
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::buildInstanceTree):
+        (WebCore::SVGUseElement::hasCycleUseReferencing):
+        * svg/SVGUseElement.h:
+
 2011-01-04  Antti Koivisto  <antti at apple.com>
 
         Reviewed by Dan Bernstein.
diff --git a/WebCore/svg/SVGUseElement.cpp b/WebCore/svg/SVGUseElement.cpp
index 4f23f46..589a560 100644
--- a/WebCore/svg/SVGUseElement.cpp
+++ b/WebCore/svg/SVGUseElement.cpp
@@ -2,6 +2,7 @@
  * Copyright (C) 2004, 2005, 2006, 2007, 2008 Nikolas Zimmermann <zimmermann at kde.org>
  * Copyright (C) 2004, 2005, 2006, 2007 Rob Buis <buis at kde.org>
  * Copyright (C) Research In Motion Limited 2009-2010. All rights reserved.
+ * Copyright (C) 2011 Torch Mobile (Beijing) Co. Ltd. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -682,6 +683,16 @@ void SVGUseElement::buildInstanceTree(SVGElement* target, SVGElementInstance* ta
     ASSERT(target);
     ASSERT(targetInstance);
 
+    // Spec: If the referenced object is itself a 'use', or if there are 'use' subelements within the referenced
+    // object, the instance tree will contain recursive expansion of the indirect references to form a complete tree.
+    bool targetHasUseTag = target->hasTagName(SVGNames::useTag);
+    SVGElement* newTarget = 0;
+    if (targetHasUseTag) {
+        foundProblem = hasCycleUseReferencing(static_cast<SVGUseElement*>(target), targetInstance, newTarget);
+        if (foundProblem)
+            return;
+    }
+
     // A general description from the SVG spec, describing what buildInstanceTree() actually does.
     //
     // Spec: If the 'use' element references a 'g' which contains two 'rect' elements, then the instance tree
@@ -707,50 +718,41 @@ void SVGUseElement::buildInstanceTree(SVGElement* target, SVGElementInstance* ta
         buildInstanceTree(element, instancePtr, foundProblem);
     }
 
-    // Spec: If the referenced object is itself a 'use', or if there are 'use' subelements within the referenced
-    // object, the instance tree will contain recursive expansion of the indirect references to form a complete tree.
-    if (target->hasTagName(SVGNames::useTag))
-        handleDeepUseReferencing(static_cast<SVGUseElement*>(target), targetInstance, foundProblem);
+    if (!targetHasUseTag || !newTarget)
+        return;
+
+    RefPtr<SVGElementInstance> newInstance = SVGElementInstance::create(this, newTarget);
+    SVGElementInstance* newInstancePtr = newInstance.get();
+    targetInstance->appendChild(newInstance.release());
+    buildInstanceTree(newTarget, newInstancePtr, foundProblem);
 }
 
-void SVGUseElement::handleDeepUseReferencing(SVGUseElement* use, SVGElementInstance* targetInstance, bool& foundProblem)
+bool SVGUseElement::hasCycleUseReferencing(SVGUseElement* use, SVGElementInstance* targetInstance, SVGElement*& newTarget)
 {
     String id = SVGURIReference::getTarget(use->href());
     Element* targetElement = document()->getElementById(id); 
-    SVGElement* target = 0;
+    newTarget = 0;
     if (targetElement && targetElement->isSVGElement())
-        target = static_cast<SVGElement*>(targetElement);
-
-    if (!target)
-        return;
+        newTarget = static_cast<SVGElement*>(targetElement);
 
-    // Cycle detection first!
-    foundProblem = (target == this);
+    if (!newTarget)
+        return false;
 
     // Shortcut for self-references
-    if (foundProblem)
-        return;
+    if (newTarget == this)
+        return true;
 
     SVGElementInstance* instance = targetInstance->parentNode();
     while (instance) {
         SVGElement* element = instance->correspondingElement();
 
         // FIXME: This should probably be using getIdAttribute instead of idForStyleResolution.
-        if (element->hasID() && element->idForStyleResolution() == id) {
-            foundProblem = true;
-            return;
-        }
+        if (element->hasID() && element->idForStyleResolution() == id)
+            return true;
     
         instance = instance->parentNode();
     }
-
-    // Create an instance object, even if we're dealing with a cycle
-    RefPtr<SVGElementInstance> newInstance = SVGElementInstance::create(this, target);
-    SVGElementInstance* newInstancePtr = newInstance.get();
-    targetInstance->appendChild(newInstance.release());
-
-    // Eventually enter recursion to build SVGElementInstance objects for the sub-tree children
-    buildInstanceTree(target, newInstancePtr, foundProblem);
+    return false;
 }
 
 void SVGUseElement::removeDisallowedElementsFromSubtree(Node* subtree)
diff --git a/WebCore/svg/SVGUseElement.h b/WebCore/svg/SVGUseElement.h
index 9b7a0bc..c1095ed 100644
--- a/WebCore/svg/SVGUseElement.h
+++ b/WebCore/svg/SVGUseElement.h
@@ -83,7 +83,7 @@ private:
 
     // Instance tree handling
     void buildInstanceTree(SVGElement* target, SVGElementInstance* targetInstance, bool& foundCycle);
-    void handleDeepUseReferencing(SVGUseElement* use, SVGElementInstance* targetInstance, bool& foundCycle);
+    bool hasCycleUseReferencing(SVGUseElement*, SVGElementInstance* targetInstance, SVGElement*& newTarget);
 
     // Shadow tree handling
     void buildShadowTree(SVGShadowTreeRootElement*, SVGElement* target, SVGElementInstance* targetInstance);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list