2010-07-05 Fady Samuel <fsamuel@chromium.org>
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 6 Jul 2010 02:03:30 +0000 (02:03 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 6 Jul 2010 02:03:30 +0000 (02:03 +0000)
        Reviewed by Darin Adler.

        Fixed a svg crash when setting class of an svg ellipse object.

        Altering the CSS class of an attached SVG element causes WebKit to crash
        https://bugs.webkit.org/show_bug.cgi?id=40857

        * platform/chromium-linux/svg/css/svg-ellipse-render-crash-expected.txt: Added.
        * svg/css/svg-ellipse-render-crash.html: Added.
2010-07-05  Fady Samuel  <fsamuel@chromium.org>

        Reviewed by Darin Adler.

        Fixed a svg crash when setting class of an svg ellipse object.

        Altering the CSS class of an attached SVG element causes WebKit to crash
        https://bugs.webkit.org/show_bug.cgi?id=40857

        Test: svg/css/svg-ellipse-render-crash.html

        * dom/StyledElement.cpp:
        (WebCore::StyledElement::classAttributeChanged):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@62514 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/platform/chromium-linux/svg/css/svg-ellipse-render-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/css/svg-ellipse-render-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/StyledElement.cpp

index 33e6dd221b6aca6955e0169629b190e7dd17ebd8..ca843806be38ae058668feefc2371953309a73b4 100644 (file)
@@ -1,3 +1,15 @@
+2010-07-05  Fady Samuel  <fsamuel@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fixed a svg crash when setting class of an svg ellipse object.
+
+        Altering the CSS class of an attached SVG element causes WebKit to crash
+        https://bugs.webkit.org/show_bug.cgi?id=40857
+
+        * platform/chromium-linux/svg/css/svg-ellipse-render-crash-expected.txt: Added.
+        * svg/css/svg-ellipse-render-crash.html: Added.
+
 2010-07-05  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Sam Weinig.
 2010-07-05  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Sam Weinig.
diff --git a/LayoutTests/platform/chromium-linux/svg/css/svg-ellipse-render-crash-expected.txt b/LayoutTests/platform/chromium-linux/svg/css/svg-ellipse-render-crash-expected.txt
new file mode 100644 (file)
index 0000000..e3c9be4
--- /dev/null
@@ -0,0 +1,3 @@
+Here is an html paragraph. And below is a svg drawing. This should render without crashing.
+
+
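Review bot: the expected result is added only under platform/chromium-linux, so the other ports get no baseline for svg/css/svg-ellipse-render-crash.html. The test calls layoutTestController.dumpAsText() and the expectation is a single line of paragraph text, which should not depend on the platform; consider placing svg-ellipse-render-crash-expected.txt next to the test in LayoutTests/svg/css/ instead.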
diff --git a/LayoutTests/svg/css/svg-ellipse-render-crash.html b/LayoutTests/svg/css/svg-ellipse-render-crash.html
new file mode 100644 (file)
index 0000000..fb74f1c
--- /dev/null
@@ -0,0 +1,40 @@
+<html>
+<head>
+    <style type="text/css">
+      .cls1 {
+        stroke: black;
+        fill: rgb(0,255,0);
+        stroke-width: 1;
+      }
+    </style>
+
+<script type="text/javascript">
+function setup() {
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+    var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
+    svg.width.baseVal.valueAsString = "400px";
+    svg.height.baseVal.valueAsString = "400px";
+    svg.viewBox.baseVal.x = 0;
+    svg.viewBox.baseVal.y = 0;
+    svg.viewBox.baseVal.width = 90;
+    svg.viewBox.baseVal.height = 90;
+    var ellipse = document.createElementNS("http://www.w3.org/2000/svg", "ellipse");
+    ellipse.cx.baseVal.value = 50;
+    ellipse.cy.baseVal.value = 50;
+    ellipse.rx.baseVal.value = 30;
+    ellipse.ry.baseVal.value = 10;
+    ellipse.className.baseVal = "cls1";
+    var drawing = document.getElementById("drawing");
+    svg.appendChild(ellipse);
+    drawing.appendChild(svg);
+}
+</script>
+</head>
+<body onload="setup()">
+<p>Here is an html paragraph. And below is a svg drawing. This should render without crashing.</p>
+<div id="drawing"/>
+</body>
+</html>
+
+
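Review bot: in setup(), `ellipse.className.baseVal = "cls1";` runs before `svg.appendChild(ellipse);` and `drawing.appendChild(svg);`, so the class is assigned while the ellipse is still detached, whereas the ChangeLog describes altering the class of an attached element. Either add a second case that changes the class after the svg is in the document, or put a comment in the test stating which state triggers the crash, so the regression being guarded is unambiguous. Separately, `<div id="drawing"/>` is not self-closing in a text/html document; write `<div id="drawing"></div>` so the test does not rely on the parser's error recovery.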
index f521ac3320fee87578a9283ead723fdfc983436a..855649f47c544ef844013ff145b326955f991ef0 100644 (file)
@@ -1,3 +1,17 @@
+2010-07-05  Fady Samuel  <fsamuel@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fixed a svg crash when setting class of an svg ellipse object.
+
+        Altering the CSS class of an attached SVG element causes WebKit to crash
+        https://bugs.webkit.org/show_bug.cgi?id=40857
+
+        Test: svg/css/svg-ellipse-render-crash.html
+
+        * dom/StyledElement.cpp:
+        (WebCore::StyledElement::classAttributeChanged):
+
 2010-07-05  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Sam Weinig.
 2010-07-05  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Sam Weinig.
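Review bot: the `(WebCore::StyledElement::classAttributeChanged):` line carries no description, so the entry records that the function changed but not why the crash happened or how the change avoids it. Add a sentence there naming the condition (for example, what state namedAttrMap was in when the class was set) and the behavioural change, since that is the only place a later reader of the ChangeLog will find it.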
index 994b084a14c57a4a464895ce4811913540a793bc..45eb1c3cf37b41b08b7648f2a56a9a2f750f2524 100644 (file)
@@ -215,12 +215,13 @@ void StyledElement::classAttributeChanged(const AtomicString& newClassString)
         if (!isClassWhitespace(characters[i]))
             break;
     }
         if (!isClassWhitespace(characters[i]))
             break;
     }
-    setHasClass(i < length);
-    if (namedAttrMap) {
-        if (i < length)
-            mappedAttributes()->setClass(newClassString);
-        else
-            mappedAttributes()->clearClass();
+    bool hasClass = i < length;
+    setHasClass(hasClass);
+    if (hasClass)
+        attributes()->setClass(newClassString);
+    else {
+        if (namedAttrMap)    
+            namedAttrMap->clearClass();
     }
     setNeedsStyleRecalc();
     dispatchSubtreeModifiedEvent();
     }
     setNeedsStyleRecalc();
     dispatchSubtreeModifiedEvent();
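Review bot: in the `if (hasClass)` branch the `namedAttrMap` guard is dropped and the call moves from `mappedAttributes()->setClass(newClassString)` to `attributes()->setClass(newClassString)`, but nothing in the code says why the set path no longer needs the guard while the clear path still checks `namedAttrMap`. If the intent is that attributes() supplies a map when none exists yet, state that in a one-line comment, because it is the substance of the crash fix and the three accessors (attributes(), mappedAttributes(), namedAttrMap) are easy to confuse. Style: the `else { if (namedAttrMap) ... }` block can be written as `else if (namedAttrMap)` without the braces, and the `if (namedAttrMap)` line has trailing whitespace.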