Changeset 130777 in webkit


Timestamp:
Oct 9, 2012, 10:49:59 AM (13 years ago)
Author:
pdr@google.com
Message:

Prevent animation when CSS attributeType is invalid.
https://bugs.webkit.org/show_bug.cgi?id=94569

Reviewed by Dirk Schulze.

Source/WebCore:

This patch changes hasValidAttributeType() to return false when
we have attributeType=CSS with a non-CSS attribute name.

Previously we would animate non-CSS attributes when attributeType was
CSS which resulted in crashes. To track this case, this patch catches
changes to targetElement, attributeName, and attributeType and checks
if an invalid combination is present. If invalid, hasInvalidCSSAttributeType()
will return true causing hasValidAttributeType() to return false and prevent
the animation from running.

Tests: svg/animations/animate-css-xml-attributeType.html

svg/animations/invalid-css-attribute-crash-expected.svg
svg/animations/invalid-css-attribute-crash.svg

  • svg/SVGAnimateElement.cpp:

(WebCore::SVGAnimateElement::hasValidAttributeType):
(WebCore::SVGAnimateElement::targetElementWillChange):

  • svg/SVGAnimationElement.cpp:

(WebCore::SVGAnimationElement::SVGAnimationElement):
(WebCore::SVGAnimationElement::isSupportedAttribute):

This now supports the attributeType attribute which is stored in m_attributeType.

(WebCore::SVGAnimationElement::parseAttribute):
(WebCore::SVGAnimationElement::setAttributeType):

Changes to attributeType, attributeName, and targetElement need to be tracked
to determine when an invalid combination happens.

(WebCore::SVGAnimationElement::targetElementWillChange):
(WebCore):
(WebCore::SVGAnimationElement::setAttributeName):
(WebCore::SVGAnimationElement::checkInvalidCSSAttributeType):

  • svg/SVGAnimationElement.h:

(WebCore::SVGAnimationElement::attributeType):
(SVGAnimationElement):
(WebCore::SVGAnimationElement::hasInvalidCSSAttributeType):

  • svg/animation/SVGSMILElement.cpp:

(WebCore::SVGSMILElement::targetElement):

  • svg/animation/SVGSMILElement.h:

(SVGSMILElement):

LayoutTests:

Adding a test to prove this patch works (invalid-css-attribute-crash.svg)
and an additional test to show that switching between XML and CSS
attributeTypes works as expected (animate-css-xml-attributeType.html).

  • platform/chromium/TestExpectations:
  • platform/efl/TestExpectations:
  • platform/gtk/TestExpectations:
  • platform/mac/TestExpectations:
  • platform/qt/TestExpectations:
  • platform/win/TestExpectations:
  • svg/animations/animate-css-xml-attributeType-expected.txt: Added.
  • svg/animations/animate-css-xml-attributeType.html: Added.
  • svg/animations/invalid-css-attribute-crash-expected.svg: Added.
  • svg/animations/invalid-css-attribute-crash.svg: Added.
  • svg/animations/script-tests/animate-css-xml-attributeType.js: Added.

(sample1):
(sample6):
(executeTest):

Location:
trunk
Files:
5 added
13 edited

  • trunk/LayoutTests/ChangeLog

    r130776 r130777  
     12012-10-09  Philip Rogers  <pdr@google.com>
     2
     3        Prevent animation when CSS attributeType is invalid.
     4        https://bugs.webkit.org/show_bug.cgi?id=94569
     5
     6        Reviewed by Dirk Schulze.
     7
     8        Adding a test to prove this patch works (invalid-css-attribute-crash.svg)
     9        and an additional test to show that switching between XML and CSS
     10        attributeTypes works as expected (animate-css-xml-attributeType.html).
     11
     12        * platform/chromium/TestExpectations:
     13        * platform/efl/TestExpectations:
     14        * platform/gtk/TestExpectations:
     15        * platform/mac/TestExpectations:
     16        * platform/qt/TestExpectations:
     17        * platform/win/TestExpectations:
     18        * svg/animations/animate-css-xml-attributeType-expected.txt: Added.
     19        * svg/animations/animate-css-xml-attributeType.html: Added.
     20        * svg/animations/invalid-css-attribute-crash-expected.svg: Added.
     21        * svg/animations/invalid-css-attribute-crash.svg: Added.
     22        * svg/animations/script-tests/animate-css-xml-attributeType.js: Added.
     23        (sample1):
     24        (sample6):
     25        (executeTest):
     26
    1272012-10-08  Simon Fraser  <simon.fraser@apple.com>
    228
  • trunk/LayoutTests/platform/chromium/TestExpectations

    r130771 r130777  
    12241224crbug.com/19897 [ Android Linux Win ] svg/custom/getscreenctm-in-mixed-content2.xhtml [ Failure ]
    12251225
     1226webkit.org/b/98718 svg/animations/animate-css-xml-attributeType.html [ Failure Pass ]
     1227
    12261228# Failing since creation in http://trac.webkit.org/changeset/75308
    12271229# Failing worse maybe since https://bugs.webkit.org/show_bug.cgi?id=53471
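Review bot: The expectation added for svg/animations/animate-css-xml-attributeType.html is [ Failure Pass ], and the same line goes into the chromium, efl, gtk, mac, qt and win files, so a text failure in the test that is meant to show XML/CSS attributeType switching will not be reported on any of those ports from the day it lands. Consider keeping the flaky expectation only on the ports where webkit.org/b/98718 actually reproduces and letting the test run as a plain pass elsewhere, so a regression in the new check is still caught somewhere.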
  • trunk/LayoutTests/platform/efl/TestExpectations

    r130769 r130777  
    820820webkit.org/b/98651 svg/text/non-bmp-positioning-lists.svg [ Skip ]
    821821webkit.org/b/98653 svg/text/lengthAdjust-text-metrics.html [ Failure ]
     822
     823webkit.org/b/98718 svg/animations/animate-css-xml-attributeType.html [ Failure Pass ]
    822824
    823825# EFL's TestRunner does not implement setMediaType
  • trunk/LayoutTests/platform/gtk/TestExpectations

    r130773 r130777  
    535535webkit.org/b/89650 [ Debug ] svg/W3C-SVG-1.1/animate-elem-85-t.svg [ Failure Pass ]
    536536webkit.org/b/89650 svg/W3C-SVG-1.1/struct-dom-06-b.svg [ Failure Pass ]
     537
     538webkit.org/b/98718 svg/animations/animate-css-xml-attributeType.html [ Failure Pass ]
    537539
    538540webkit.org/b/80158 plugins/netscape-plugin-page-cache-works.html [ Failure Pass ]
  • trunk/LayoutTests/platform/mac/TestExpectations

    r130655 r130777  
    11861186webkit.org/b/89116 svg/filters/feLighting-crash.svg [ ImageOnlyFailure Pass ]
    11871187
     1188webkit.org/b/98718 svg/animations/animate-css-xml-attributeType.html [ Failure Pass ]
     1189
    11881190# Needs rebaseline after https://bugs.webkit.org/show_bug.cgi?id=79682
    11891191webkit.org/b/79682 svg/repaint/text-mask-update.svg [ Failure ImageOnlyFailure Missing Pass ]
  • trunk/LayoutTests/platform/qt/TestExpectations

    r130753 r130777  
    14261426svg/text/text-intro-05-t.svg
    14271427svg/text/text-tselect-02-f.svg
     1428
     1429webkit.org/b/98718 svg/animations/animate-css-xml-attributeType.html [ Failure Pass ]
    14281430
    14291431# [Qt] svg/animations/animate-path-nested-transforms.html fails
  • trunk/LayoutTests/platform/win/TestExpectations

    r130720 r130777  
    142142fast/text/cg-vs-atsui.html
    143143fast/text/atsui-spacing-features.html
     144
     145webkit.org/b/98718 svg/animations/animate-css-xml-attributeType.html [ Failure Pass ]
    144146
    145147# <rdar://problem/5718773> Support a minimum antialiased font size
  • trunk/Source/WebCore/ChangeLog

    r130774 r130777  
     12012-10-09  Philip Rogers  <pdr@google.com>
     2
     3        Prevent animation when CSS attributeType is invalid.
     4        https://bugs.webkit.org/show_bug.cgi?id=94569
     5
     6        Reviewed by Dirk Schulze.
     7
     8        This patch changes hasValidAttributeType() to return false when
     9        we have attributeType=CSS with a non-CSS attribute name.
     10
     11        Previously we would animate non-CSS attributes when attributeType was
     12        CSS which resulted in crashes. To track this case, this patch catches
     13        changes to targetElement, attributeName, and attributeType and checks
     14        if an invalid combination is present. If invalid, hasInvalidCSSAttributeType()
     15        will return true causing hasValidAttributeType() to return false and prevent
     16        the animation from running.
     17
     18        Tests: svg/animations/animate-css-xml-attributeType.html
     19               svg/animations/invalid-css-attribute-crash-expected.svg
     20               svg/animations/invalid-css-attribute-crash.svg
     21
     22        * svg/SVGAnimateElement.cpp:
     23        (WebCore::SVGAnimateElement::hasValidAttributeType):
     24        (WebCore::SVGAnimateElement::targetElementWillChange):
     25        * svg/SVGAnimationElement.cpp:
     26        (WebCore::SVGAnimationElement::SVGAnimationElement):
     27        (WebCore::SVGAnimationElement::isSupportedAttribute):
     28
     29            This now supports the attributeType attribute which is stored in m_attributeType.
     30
     31        (WebCore::SVGAnimationElement::parseAttribute):
     32        (WebCore::SVGAnimationElement::setAttributeType):
     33
     34            Changes to attributeType, attributeName, and targetElement need to be tracked
     35            to determine when an invalid combination happens.
     36
     37        (WebCore::SVGAnimationElement::targetElementWillChange):
     38        (WebCore):
     39        (WebCore::SVGAnimationElement::setAttributeName):
     40        (WebCore::SVGAnimationElement::checkInvalidCSSAttributeType):
     41        * svg/SVGAnimationElement.h:
     42        (WebCore::SVGAnimationElement::attributeType):
     43        (SVGAnimationElement):
     44        (WebCore::SVGAnimationElement::hasInvalidCSSAttributeType):
     45        * svg/animation/SVGSMILElement.cpp:
     46        (WebCore::SVGSMILElement::targetElement):
     47        * svg/animation/SVGSMILElement.h:
     48        (SVGSMILElement):
     49
    1502012-10-09  Pravin D  <pravind.2k4@gmail.com>
    251
  • trunk/Source/WebCore/svg/SVGAnimateElement.cpp

    r116451 r130777  
    5757    if (!targetElement)
    5858        return false;
    59    
    60     return m_animatedPropertyType != AnimatedUnknown;
     59
     60    return m_animatedPropertyType != AnimatedUnknown && !hasInvalidCSSAttributeType();
    6161}
    6262
     
    399399void SVGAnimateElement::targetElementWillChange(SVGElement* currentTarget, SVGElement* newTarget)
    400400{
    401     SVGSMILElement::targetElementWillChange(currentTarget, newTarget);
     401    SVGAnimationElement::targetElementWillChange(currentTarget, newTarget);
    402402
    403403    ASSERT(!m_animatedType);
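Review bot: In SVGAnimateElement::targetElementWillChange, the switch from SVGSMILElement::targetElementWillChange to SVGAnimationElement::targetElementWillChange is what makes the new checkInvalidCSSAttributeType(newTarget) call run for this class, so any other SVGAnimationElement subclass that overrides targetElementWillChange and still chains straight to SVGSMILElement would silently skip the check. Please confirm there are none, or update them in this patch.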
  • trunk/Source/WebCore/svg/SVGAnimationElement.cpp

    r125608 r130777  
    5656    , m_toPropertyValueType(RegularPropertyValue)
    5757    , m_animationValid(false)
     58    , m_attributeType(AttributeTypeAuto)
     59    , m_hasInvalidCSSAttributeType(false)
    5860{
    5961    registerAnimatedPropertiesForSVGAnimationElement();
     
    146148        supportedAttributes.add(SVGNames::keyPointsAttr);
    147149        supportedAttributes.add(SVGNames::keySplinesAttr);
     150        supportedAttributes.add(SVGNames::attributeTypeAttr);
    148151    }
    149152    return supportedAttributes.contains<QualifiedName, SVGAttributeHashTranslator>(attrName);
     
    183186    if (attribute.name() == SVGNames::keySplinesAttr) {
    184187        parseKeySplines(attribute.value(), m_keySplines);
     188        return;
     189    }
     190
     191    if (attribute.name() == SVGNames::attributeTypeAttr) {
     192        setAttributeType(attribute.value());
    185193        return;
    186194    }
     
    282290}
    283291
    284 SVGAnimationElement::AttributeType SVGAnimationElement::attributeType() const
    285 {   
     292void SVGAnimationElement::setAttributeType(const AtomicString& attributeType)
     293{
    286294    DEFINE_STATIC_LOCAL(const AtomicString, css, ("CSS"));
    287295    DEFINE_STATIC_LOCAL(const AtomicString, xml, ("XML"));
    288     const AtomicString& value = fastGetAttribute(SVGNames::attributeTypeAttr);
    289     if (value == css)
    290         return AttributeTypeCSS;
    291     if (value == xml)
    292         return AttributeTypeXML;
    293     return AttributeTypeAuto;
     296    if (attributeType == css)
     297        m_attributeType = AttributeTypeCSS;
     298    else if (attributeType == xml)
     299        m_attributeType = AttributeTypeXML;
     300    else
     301        m_attributeType = AttributeTypeAuto;
     302    checkInvalidCSSAttributeType(targetElement(DoNotResolveNewTarget));
    294303}
    295304
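Review bot: setAttributeType ends with checkInvalidCSSAttributeType(targetElement(DoNotResolveNewTarget)), and with DoNotResolveNewTarget the target is 0 unless it is already cached, so when attributeType is parsed before the target has been resolved the flag is reset to false here and only becomes meaningful once targetElementWillChange runs. A short comment stating that ordering assumption, and why resolving the target at this point is avoided, would help, since this flag is what keeps the crashing combination from animating.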
     
    649658}
    650659
     660void SVGAnimationElement::targetElementWillChange(SVGElement* currentTarget, SVGElement* newTarget)
     661{
     662    SVGSMILElement::targetElementWillChange(currentTarget, newTarget);
     663
     664    checkInvalidCSSAttributeType(newTarget);
     665}
     666
     667void SVGAnimationElement::setAttributeName(const QualifiedName& attributeName)
     668{
     669    SVGSMILElement::setAttributeName(attributeName);
     670
     671    checkInvalidCSSAttributeType(targetElement(DoNotResolveNewTarget));
     672}
     673
     674void SVGAnimationElement::checkInvalidCSSAttributeType(SVGElement* target)
     675{
     676    m_hasInvalidCSSAttributeType = target && hasValidAttributeName() && attributeType() == AttributeTypeCSS && !isTargetAttributeCSSProperty(target, attributeName());
     677}
     678
    651679}
    652680
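Review bot: The single assignment in checkInvalidCSSAttributeType packs four conditions onto one line and yields false both for a valid combination and for "no target or no valid attribute name yet", which is hard to see at a glance. Splitting it into early returns, or adding a comment that the no-target case is left to the !targetElement check in SVGAnimateElement::hasValidAttributeType(), would make the intent clearer.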
  • trunk/Source/WebCore/svg/SVGAnimationElement.h

    r117195 r130777  
    184184        AttributeTypeAuto
    185185    };
    186     AttributeType attributeType() const;
     186    AttributeType attributeType() const { return m_attributeType; }
    187187
    188188    String toValue() const;
     
    199199    AnimatedPropertyValueType m_toPropertyValueType;
    200200
     201    virtual void targetElementWillChange(SVGElement* currentTarget, SVGElement* oldTarget) OVERRIDE;
     202    bool hasInvalidCSSAttributeType() const { return m_hasInvalidCSSAttributeType; }
     203
    201204private:
    202205    virtual void animationAttributeChanged() OVERRIDE;
     206    virtual void setAttributeName(const QualifiedName&) OVERRIDE;
     207    void setAttributeType(const AtomicString&);
     208
     209    void checkInvalidCSSAttributeType(SVGElement*);
    203210
    204211    virtual bool calculateToAtEndOfDurationValue(const String& toAtEndOfDurationString) = 0;
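Review bot: The new declaration targetElementWillChange(SVGElement* currentTarget, SVGElement* oldTarget) names its second parameter oldTarget, but the definition in SVGAnimationElement.cpp and the base declaration in SVGSMILElement.h both call it newTarget, and the body passes it to checkInvalidCSSAttributeType as the new target. Rename it to newTarget here so the signature is not misleading.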
     
    231238    bool m_animationValid;
    232239
     240    AttributeType m_attributeType;
    233241    Vector<String> m_values;
    234242    Vector<float> m_keyTimes;
     
    237245    String m_lastValuesAnimationFrom;
    238246    String m_lastValuesAnimationTo;
     247    bool m_hasInvalidCSSAttributeType;
    239248};
    240249
  • trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp

    r129670 r130777  
    568568}
    569569
    570 SVGElement* SVGSMILElement::targetElement()
     570SVGElement* SVGSMILElement::targetElement(ResolveTarget resolveTarget)
    571571{
    572572    if (m_targetElement)
    573573        return m_targetElement;
    574574
    575     if (!inDocument())
     575    if (!inDocument() || resolveTarget == DoNotResolveNewTarget)
    576576        return 0;
    577577
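Review bot: With the added resolveTarget == DoNotResolveNewTarget test, targetElement() returns 0 for two different reasons: the element is not in the document, or the lookup was deliberately skipped. Callers cannot tell these apart, so the header should document that DoNotResolveNewTarget means "return the cached target only", or the cached lookup could be exposed under its own name.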
  • trunk/Source/WebCore/svg/animation/SVGSMILElement.h

    r129670 r130777  
    5959    SMILTimeContainer* timeContainer() const { return m_timeContainer.get(); }
    6060
    61     SVGElement* targetElement();
     61    SVGElement* targetElement(ResolveTarget = ResolveNewTarget);
    6262    void resetTargetElement(ResolveTarget = ResolveNewTarget);
    6363    const QualifiedName& attributeName() const { return m_attributeName; }
     
    122122    // Sub-classes may need to take action when the target is changed.
    123123    virtual void targetElementWillChange(SVGElement* currentTarget, SVGElement* newTarget);
     124    virtual void setAttributeName(const QualifiedName&);
    124125
    125126private:
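Review bot: setAttributeName is now virtual and sits directly under the comment "Sub-classes may need to take action when the target is changed", which only describes targetElementWillChange. Extend the comment to cover attribute name changes, and state that overrides are expected to call the base implementation first, as SVGAnimationElement::setAttributeName does.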
     
    143144    void endListChanged(SMILTime eventTime);
    144145
    145     void setAttributeName(const QualifiedName&);
    146 
    147146    // This represents conditions on elements begin or end list that need to be resolved on runtime
    148147    // for example <animate begin="otherElement.begin + 8s; button.click" ... />