Context Navigation

Changeset 66836 in webkit

Timestamp:

Sep 6, 2010 9:51:37 AM (14 years ago)

Author:

commit-queue@webkit.org

Message:

2010-09-06 Shane Stephens <shanestephens@google.com>

Reviewed by Dimitri Glazkov.

[Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
https://bugs.webkit.org/show_bug.cgi?id=44750

Added test case to demonstrate crash bug.

2010-09-06 Shane Stephens <shanestephens@google.com>

Reviewed by Dimitri Glazkov.

[Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
https://bugs.webkit.org/show_bug.cgi?id=44750

Fixes crash by checking for null transforms and skipping update step
when appropriate.

Test: svg/dom/symbol-embeddedAnimation.svg

svg/SVGAnimateMotionElement.cpp: (WebCore::SVGAnimateMotionElement::applyResultsToTarget):

Location:

trunk

Files:

-                      r66833
+                      r66836
+-09-06  Shane Stephens  <shanestephens@google.com>
+        Reviewed by Dimitri Glazkov.
+        [Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
+        https://bugs.webkit.org/show_bug.cgi?id=44750
+        Added test case to demonstrate crash bug.
+        * svg/dom/symbol-embeddedAnimation-expected.txt: Added.
+        * svg/dom/symbol-embeddedAnimation.svg: Added.
 -09-06  Martin Robinson  <mrobinson@igalia.com>

-                      r66831
+                      r66836
+-09-06  Shane Stephens  <shanestephens@google.com>
+        Reviewed by Dimitri Glazkov.
+        [Crash] <animateMotion> element directly inside <symbol> element causes crash when referenced by <use>
+        https://bugs.webkit.org/show_bug.cgi?id=44750
+        Fixes crash by checking for null transforms and skipping update step
+        when appropriate.
+        Test: svg/dom/symbol-embeddedAnimation.svg
+        * svg/SVGAnimateMotionElement.cpp:
+        (WebCore::SVGAnimateMotionElement::applyResultsToTarget):
 -09-06  Xan Lopez  <xlopez@igalia.com>

-                      r66498
+                      r66836
         RenderSVGResource::markForLayoutAndParentResourceInvalidation(renderer);
+    AffineTransform* t = targetElement->supplementalTransform();
+    if (!t)
+        return;
     // ...except in case where we have additional instances in <use> trees.
     const HashSet<SVGElementInstance*>& instances = targetElement->instancesForElement();
 …
         ASSERT(shadowTreeElement);
         AffineTransform* transform = shadowTreeElement->supplementalTransform();
+        AffineTransform* t = targetElement->supplementalTransform();
+        if (!transform)
+            continue;
         transform->setMatrix(t->a(), t->b(), t->c(), t->d(), t->e(), t->f());
         if (RenderObject* renderer = shadowTreeElement->renderer()) {

Note: See TracChangeset for help on using the changeset viewer.