Changeset 147434 in webkit


Timestamp:
Apr 2, 2013 8:18:36 AM (11 years ago)
Author:
commit-queue@webkit.org
Message:

Hang when calling setCurrentTime on SVG with cyclic animation dependency chain
https://bugs.webkit.org/show_bug.cgi?id=113485

Patch by David Vest <davve@opera.com> on 2013-04-02
Reviewed by Stephen Chenney.

Source/WebCore:

If no exact match can be found, approximateBinarySearch may return
either adjacent value to the key. Selecting the lesser value when
there is a greater one may cause interval creation to fail in a
way that causes infinite loops during seeking. Detect and amend
this condition by selecting the greater value when possible.

Test: svg/animations/animation-dependency-hang.html

  • svg/animation/SVGSMILElement.cpp:

(WebCore::SVGSMILElement::findInstanceTime):

LayoutTests:

  • svg/animations/animation-dependency-hang-expected.txt: Added.
  • svg/animations/animation-dependency-hang.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r147430 r147434  
     12013-04-02  David Vest  <davve@opera.com>
     2
     3        Hang when calling setCurrentTime on SVG with cyclic animation dependency chain
     4        https://bugs.webkit.org/show_bug.cgi?id=113485
     5
     6        Reviewed by Stephen Chenney.
     7
     8        * svg/animations/animation-dependency-hang-expected.txt: Added.
     9        * svg/animations/animation-dependency-hang.html: Added.
     10
    1112013-04-02  Julien Chaffraix  <jchaffraix@webkit.org>
    212
  • trunk/Source/WebCore/ChangeLog

    r147433 r147434  
     12013-04-02  David Vest  <davve@opera.com>
     2
     3        Hang when calling setCurrentTime on SVG with cyclic animation dependency chain
     4        https://bugs.webkit.org/show_bug.cgi?id=113485
     5
     6        Reviewed by Stephen Chenney.
     7
     8        If no exact match can be found, approximateBinarySearch may return
     9        either adjacent value to the key. Selecting the lesser value when
     10        there is a greater one may cause interval creation to fail in a
     11        way that causes infinite loops during seeking. Detect and amend
     12        this condition by selecting the greater value when possible.
     13
     14        Test: svg/animations/animation-dependency-hang.html
     15
     16        * svg/animation/SVGSMILElement.cpp:
     17        (WebCore::SVGSMILElement::findInstanceTime):
     18
    1192013-04-02  Andrey Lushnikov  <lushnikov@chromium.org>
    220
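Review bot: The description at lines 8-12 of this entry explains the approximateBinarySearch behaviour but does not say how a cyclic animation dependency chain, the case named in the title, leads to the lesser value being selected; one sentence connecting the two would make the entry self-contained. It could also state what happens when no greater value exists, since "when possible" leaves that case open.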
  • trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp

    r145818 r147434  
    744744    int indexOfResult = result - list.begin();
    745745    ASSERT_WITH_SECURITY_IMPLICATION(indexOfResult < sizeOfList);
     746
     747    if (list[indexOfResult].time() < minimumTime && indexOfResult < sizeOfList - 1)
     748        ++indexOfResult;
     749
    746750    const SMILTime& currentTime = list[indexOfResult].time();
    747751
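Review bot: The new check at lines 747-748 carries no comment, so the reason for stepping to the next entry is recorded only in the ChangeLog; add a short comment above the `if` saying that approximateBinarySearch may return the lesser neighbour of minimumTime and that the greater one is wanted here. The `indexOfResult < sizeOfList - 1` guard keeps the incremented index in range, but it also means that when the result is the last entry, `list[indexOfResult].time()` can still be below minimumTime at the `const SMILTime& currentTime` line, so it is worth confirming that the code after this hunk handles that case rather than assuming currentTime is at least minimumTime. As a style point, the guard would read more naturally first in the condition, ahead of the list access.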