2011-04-26 Leo Yang <leo.yang@torchmobile.com.cn>
author leo.yang@torchmobile.com.cn <leo.yang@torchmobile.com.cn@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Apr 2011 09:57:11 +0000 (09:57 +0000)
committer leo.yang@torchmobile.com.cn <leo.yang@torchmobile.com.cn@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Apr 2011 09:57:11 +0000 (09:57 +0000)
        Reviewed by Nikolas Zimmermann.

        ASSERT failure in SVGUseElement
        https://bugs.webkit.org/show_bug.cgi?id=59313

        Test case to verify webkit doesn't crash when a <use> element
        is pending on resource and the document is not well-formed.
        Test passes if no crash occurs in debug mode.

        * svg/custom/use-crash-in-non-wellformed-document-expected.txt: Added.
        * svg/custom/use-crash-in-non-wellformed-document.svg: Added.
2011-04-26  Leo Yang  <leo.yang@torchmobile.com.cn>

        Reviewed by Nikolas Zimmermann.

        ASSERT failure in SVGUseElement
        https://bugs.webkit.org/show_bug.cgi?id=59313

        In SVGUseElement::insertedIntoDocument(), ASSERT(!m_isPendingResource)
        was wrong because the document may not be well-formed.

        This patch asserts the element is not pending on resource or the
        document is not well-formed.

        Test: svg/custom/use-crash-in-non-wellformed-document.svg

        * svg/SVGUseElement.cpp:
        (WebCore::isWellFormedDocument):
        (WebCore::SVGUseElement::insertedIntoDocument):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@84899 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/custom/use-crash-in-non-wellformed-document-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/use-crash-in-non-wellformed-document.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGUseElement.cpp

index 348e841088a1d750a0e803a7ad4772ff13e5c0cb..a42779cd23bc39f2d62fc4f38e8ec8232afe93c9 100644 (file)
@@ -1,3 +1,17 @@
+2011-04-26  Leo Yang  <leo.yang@torchmobile.com.cn>
+
+        Reviewed by Nikolas Zimmermann.
+
+        ASSERT failure in SVGUseElement
+        https://bugs.webkit.org/show_bug.cgi?id=59313
+
+        Test case to verify webkit doesn't crash when a <use> element
+        is pending on resource and the document is not well-formed.
+        Test passes if no crash occurs in debug mode.
+
+        * svg/custom/use-crash-in-non-wellformed-document-expected.txt: Added.
+        * svg/custom/use-crash-in-non-wellformed-document.svg: Added.
+
 2011-04-26  Chang Shu  <cshu@webkit.org>
 
         Reviewed by Sam Weinig.
diff --git a/LayoutTests/svg/custom/use-crash-in-non-wellformed-document-expected.txt b/LayoutTests/svg/custom/use-crash-in-non-wellformed-document-expected.txt
new file mode 100644 (file)
index 0000000..f381830
--- /dev/null
@@ -0,0 +1 @@
+PASS without crash.
diff --git a/LayoutTests/svg/custom/use-crash-in-non-wellformed-document.svg b/LayoutTests/svg/custom/use-crash-in-non-wellformed-document.svg
new file mode 100644 (file)
index 0000000..ca6e5ff
--- /dev/null
@@ -0,0 +1,27 @@
+<?xml version="1.0" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
+    <text x="0" y="30">PASS without crash.</text>
+    <use xlink:href="#undefined">
+    <script>
+        if (window.layoutTestController) {
+            layoutTestController.dumpAsText();
+            layoutTestController.waitUntilDone();
+        }
+
+        function runTest()
+        {
+            try {
+                var errorElement = document.getElementsByTagName("parsererror")[0];
+                errorElement.parentNode.removeChild(errorElement);
+                var useElement = document.getElementsByTagName("use")[0];
+                useElement.parentNode.removeChild(useElement);
+            } catch(e) {
+            }
+
+            if (window.layoutTestController)
+                layoutTestController.notifyDone();
+        }
+
+        window.setTimeout("runTest()", 0);
+    </script>
+</svg>
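Review bot: The empty `catch(e) { }` in runTest() swallows every failure, including `document.getElementsByTagName("parsererror")[0]` coming back undefined, so the test would still report PASS if the document were parsed without a parser error and the non-well-formed path were never exercised. Consider removing the try/catch, or checking that errorElement exists and writing a FAIL line otherwise. A short comment saying that the unclosed `<use xlink:href="#undefined">` is deliberate would keep someone from "fixing" the markup later, and `window.setTimeout(runTest, 0)` avoids the string-evaluated form of setTimeout.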
index 4987ddc3b60e35af9455531a370c245a7023cca3..cccd1e2ad9b7ce62c99379d304ada6d147b9ca70 100644 (file)
@@ -1,3 +1,22 @@
+2011-04-26  Leo Yang  <leo.yang@torchmobile.com.cn>
+
+        Reviewed by Nikolas Zimmermann.
+
+        ASSERT failure in SVGUseElement
+        https://bugs.webkit.org/show_bug.cgi?id=59313
+
+        In SVGUseElement::insertedIntoDocument(), ASSERT(!m_isPendingResource)
+        was wrong because the document may not be well-formed.
+
+        This patch asserts the element is not pending on resource or the
+        document is not well-formed.
+
+        Test: svg/custom/use-crash-in-non-wellformed-document.svg
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::isWellFormedDocument):
+        (WebCore::SVGUseElement::insertedIntoDocument):
+
 2011-04-26  Mikhail Naganov  <mnaganov@chromium.org>
 
         Reviewed by Pavel Feldman.
index f9bbcb26f128e953dbdc8a8226eefbd741766ffc..e50ae85b71a7c6f5bf628b24d90f39afa703554c 100644 (file)
@@ -127,12 +127,19 @@ void SVGUseElement::parseMappedAttribute(Attribute* attr)
     }
 }
 
+static inline bool isWellFormedDocument(Document* document)
+{
+    if (document->isSVGDocument() || document->isXHTMLDocument())
+        return static_cast<XMLDocumentParser*>(document->parser())->wellFormed();
+    return true;
+}
+
 void SVGUseElement::insertedIntoDocument()
 {
     // This functions exists to assure assumptions made in the code regarding SVGElementInstance creation/destruction are satisfied.
     SVGStyledTransformableElement::insertedIntoDocument();
-    ASSERT(!m_targetElementInstance || ((document()->isSVGDocument() || document()->isXHTMLDocument()) && !static_cast<XMLDocumentParser*>(document()->parser())->wellFormed()));
-    ASSERT(!m_isPendingResource);
+    ASSERT(!m_targetElementInstance || !isWellFormedDocument(document()));
+    ASSERT(!m_isPendingResource || !isWellFormedDocument(document()));
 }
 
 void SVGUseElement::removedFromDocument()
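Review bot: isWellFormedDocument() dereferences `document->parser()` with no null check, and the `static_cast<XMLDocumentParser*>` rests only on the isSVGDocument()/isXHTMLDocument() test. If parser() can be null when insertedIntoDocument() runs (for instance, for an insertion made after parsing has finished), a debug build would crash inside the helper instead of at a readable ASSERT. Suggest fetching the parser into a local and returning true when it is null, or adding ASSERT(document->parser()) first. The helper is referenced only from ASSERT(), so it is worth confirming that release builds do not flag it as unused. The second assertion now accepts m_isPendingResource in any non-well-formed document, so a one-line comment explaining why that state is expected there would help the next reader.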