Context Navigation

← Previous Changeset
Next Changeset →

Changeset 108082 in webkit

Timestamp:

Feb 17, 2012 8:50:13 AM (12 years ago)

Author:

commit-queue@webkit.org

Message:

chrome.dll!WebCore::SVGTRefElement::updateReferencedText ReadAV@NULL (e85cb8e140071fa7790cad215b0109dc)
https://bugs.webkit.org/show_bug.cgi?id=74858

Patch by Florin Malita <fmalita@google.com> on 2012-02-17
Reviewed by Nikolas Zimmermann.

Source/WebCore:

Tests: svg/custom/tref-remove-target-crash-expected.svg

svg/custom/tref-remove-target-crash.svg

Add a DOMNodeRemovedFromDocumentEvent listener to detect when the target element is removed. Upon removal,
cleanup all listeners and re-activate the pending resource to attach if the referenced ID is added
at a later time programmatically. Also move the DOMSubtreeModifiedEvent listener from the parent to
the target element to simplify the implementation and reduce the scope.

svg/SVGTRefElement.cpp:

(WebCore::TargetListener::create):
(WebCore::TargetListener::cast):
(WebCore::TargetListener::clear):
(WebCore::TargetListener::TargetListener):
(WebCore::TargetListener::operator==):
(WebCore::TargetListener::handleEvent):
(WebCore::SVGTRefElement::detachTarget):
(WebCore::SVGTRefElement::buildPendingResource):

svg/SVGTRefElement.h:

LayoutTests:

svg/custom/tref-remove-target-crash-expected.svg: Added.
svg/custom/tref-remove-target-crash.svg: Added.

Location:

trunk

Files:

: 2 added
: 4 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/svg/custom/tref-remove-target-crash-expected.svg (added)
LayoutTests/svg/custom/tref-remove-target-crash.svg (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/svg/SVGTRefElement.cpp (modified) (6 diffs)
Source/WebCore/svg/SVGTRefElement.h (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r108075
+                      r108082
+-02-17  Florin Malita  <fmalita@google.com>
+        chrome.dll!WebCore::SVGTRefElement::updateReferencedText ReadAV@NULL (e85cb8e140071fa7790cad215b0109dc)
+        https://bugs.webkit.org/show_bug.cgi?id=74858
+        Reviewed by Nikolas Zimmermann.
+        * svg/custom/tref-remove-target-crash-expected.svg: Added.
+        * svg/custom/tref-remove-target-crash.svg: Added.
 -02-17  Pavel Feldman  <pfeldman@google.com>

trunk/Source/WebCore/ChangeLog

-                      r108081
+                      r108082
+-02-17  Florin Malita  <fmalita@google.com>
+        chrome.dll!WebCore::SVGTRefElement::updateReferencedText ReadAV@NULL (e85cb8e140071fa7790cad215b0109dc)
+        https://bugs.webkit.org/show_bug.cgi?id=74858
+        Reviewed by Nikolas Zimmermann.
+        Tests: svg/custom/tref-remove-target-crash-expected.svg
+               svg/custom/tref-remove-target-crash.svg
+        Add a DOMNodeRemovedFromDocumentEvent listener to detect when the target element is removed. Upon removal,
+        cleanup all listeners and re-activate the pending resource to attach if the referenced ID is added
+        at a later time programmatically. Also move the DOMSubtreeModifiedEvent listener from the parent to
+        the target element to simplify the implementation and reduce the scope.
+        * svg/SVGTRefElement.cpp:
+        (WebCore::TargetListener::create):
+        (WebCore::TargetListener::cast):
+        (WebCore::TargetListener::clear):
+        (WebCore::TargetListener::TargetListener):
+        (WebCore::TargetListener::operator==):
+        (WebCore::TargetListener::handleEvent):
+        (WebCore::SVGTRefElement::detachTarget):
+        (WebCore::SVGTRefElement::buildPendingResource):
+        * svg/SVGTRefElement.h:
 -02-17  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/svg/SVGTRefElement.cpp

-                      r107706
+                      r108082
+}
 class SubtreeModificationEventListener : public EventListener {
+class TargetListener : public EventListener {
 public:
     static PassRefPtr<SubtreeModificationEventListener> create(SVGTRefElement* trefElement, String targetId)
+    {
         return adoptRef(new SubtreeModificationEventListener(trefElement, targetId));
+    }
     static const SubtreeModificationEventListener* cast(const EventListener* listener)
+    {
         return listener->type() == CPPEventListenerType ? static_cast<const SubtreeModificationEventListener*>(listener) : 0;
+    static PassRefPtr<TargetListener> create(SVGTRefElement* trefElement, String targetId)
+    {
+        return adoptRef(new TargetListener(trefElement, targetId));
+    }
+    static const TargetListener* cast(const EventListener* listener)
+    {
+        return listener->type() == CPPEventListenerType ? static_cast<const TargetListener*>(listener) : 0;
+    }
 …
+    {
         Element* target = m_trefElement->treeScope()->getElementById(m_targetId);
+        if (target && target->parentNode())
+            target->parentNode()->removeEventListener(eventNames().DOMSubtreeModifiedEvent, this, false);
+        if (target) {
+            target->removeEventListener(eventNames().DOMSubtreeModifiedEvent, this, false);
+            target->removeEventListener(eventNames().DOMNodeRemovedFromDocumentEvent, this, false);
+        }
         m_trefElement = 0;
 …
 private:
     SubtreeModificationEventListener(SVGTRefElement* trefElement, String targetId)
+    TargetListener(SVGTRefElement* trefElement, String targetId)
         : EventListener(CPPEventListenerType)
         , m_trefElement(trefElement)
 …
 };
 bool SubtreeModificationEventListener::operator==(const EventListener& listener)
+{
     if (const SubtreeModificationEventListener* subtreeModificationEventListener = SubtreeModificationEventListener::cast(&listener))
+bool TargetListener::operator==(const EventListener& listener)
+{
+    if (const TargetListener* subtreeModificationEventListener = TargetListener::cast(&listener))
         return m_trefElement == subtreeModificationEventListener->m_trefElement;
     return false;
+}
 void SubtreeModificationEventListener::handleEvent(ScriptExecutionContext*, Event* event)
+void TargetListener::handleEvent(ScriptExecutionContext*, Event* event)
+{
     if (m_trefElement && event->type() == eventNames().DOMSubtreeModifiedEvent && m_trefElement != event->target())
         m_trefElement->updateReferencedText();
+    if (m_trefElement && event->type() == eventNames().DOMNodeRemovedFromDocumentEvent)
+        m_trefElement->detachTarget();
+}
 …
     else
         root->firstChild()->setTextContent(textContent, ASSERT_NO_EXCEPTION);
+}
+void SVGTRefElement::detachTarget()
+{
+    // Remove active listeners and clear the text content.
+    clearEventListener();
+    String emptyContent;
+    ExceptionCode ignore = 0;
+    ASSERT(hasShadowRoot());
+    Node* container = shadowRootList()->oldestShadowRoot()->firstChild();
+    if (container)
+        container->setTextContent(emptyContent, ignore);
+    // Mark the referenced ID as pending.
+    String id;
+    SVGURIReference::targetElementFromIRIString(href(), document(), &id);
+    if (!hasPendingResources() && !id.isEmpty())
+        document()->accessSVGExtensions()->addPendingResource(id, this);
+}
 …
         return;
     m_eventListener = SubtreeModificationEventListener::create(this, id);
     ASSERT(target->parentNode());
     target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+    m_eventListener = TargetListener::create(this, id);
+    target->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+    target->addEventListener(eventNames().DOMNodeRemovedFromDocumentEvent, m_eventListener.get(), false);
+}

trunk/Source/WebCore/svg/SVGTRefElement.h

-                      r107523
+                      r108082
 namespace WebCore {
 class SubtreeModificationEventListener;
+class TargetListener;
 class SVGTRefElement : public SVGTextPositioningElement,
 …
 private:
     friend class SubtreeModificationEventListener;
+    friend class TargetListener;
     SVGTRefElement(const QualifiedName&, Document*);
 …
     void updateReferencedText();
+    void detachTarget();
     virtual void buildPendingResource();
 …
     END_DECLARE_ANIMATED_PROPERTIES
     RefPtr<SubtreeModificationEventListener> m_eventListener;
+    RefPtr<TargetListener> m_eventListener;
 };

Note: See TracChangeset for help on using the changeset viewer.