Diffstat (limited to 'src/3rdparty/webkit/WebCore')
-rw-r--r--src/3rdparty/webkit/WebCore/ChangeLog246
-rw-r--r--src/3rdparty/webkit/WebCore/WebCore.pro12
-rw-r--r--src/3rdparty/webkit/WebCore/dom/CharacterData.cpp8
-rw-r--r--src/3rdparty/webkit/WebCore/dom/Element.cpp17
-rw-r--r--src/3rdparty/webkit/WebCore/dom/Element.h4
-rw-r--r--src/3rdparty/webkit/WebCore/dom/Text.cpp2
-rw-r--r--src/3rdparty/webkit/WebCore/loader/MainResourceLoader.cpp4
-rw-r--r--src/3rdparty/webkit/WebCore/page/SpatialNavigation.cpp11
-rw-r--r--src/3rdparty/webkit/WebCore/platform/graphics/qt/GradientQt.cpp2
-rw-r--r--src/3rdparty/webkit/WebCore/platform/text/BidiResolver.h67
-rw-r--r--src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp6
-rw-r--r--src/3rdparty/webkit/WebCore/rendering/RenderSVGText.cpp13
-rw-r--r--src/3rdparty/webkit/WebCore/rendering/RenderSVGText.h3
-rw-r--r--src/3rdparty/webkit/WebCore/rendering/RenderWidget.cpp4
-rw-r--r--src/3rdparty/webkit/WebCore/svg/SVGElement.cpp9
-rw-r--r--src/3rdparty/webkit/WebCore/svg/SVGFontFaceElement.cpp1
-rw-r--r--src/3rdparty/webkit/WebCore/svg/SVGForeignObjectElement.cpp4
-rw-r--r--src/3rdparty/webkit/WebCore/svg/SVGSVGElement.cpp4
-rw-r--r--src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp2
19 files changed, 372 insertions, 47 deletions
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog
index a993a97..5189eb5 100644
--- a/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/src/3rdparty/webkit/WebCore/ChangeLog
@@ -1,3 +1,249 @@
+2010-07-06 Nikolas Zimmermann <nzimmermann@rim.com>
+
+ Reviewed by Dirk Schulze.
+
+ <use> on <font-face> causes crashes, if SVGUseElement gets detached
+ https://bugs.webkit.org/show_bug.cgi?id=41621
+
+ Do not call removeFromMappedElementSheet() from the SVGFontFaceElement destructor,
+ as that can potentially cause the element to be reattached while destructing.
+
+ In order to fix the crash in the testcase, the order of calling the base-class detach
+ method in SVGUseElement and the instance/shadow tree destruction has to be reversed,
+ matching the order in removedFromDocument().
+
+ Test: svg/custom/use-font-face-crash.svg
+
+ * svg/SVGFontFaceElement.cpp:
+ (WebCore::SVGFontFaceElement::~SVGFontFaceElement): Remove removeFromMappedElementSheet() call.
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::detach): Reverse order of calling base-class detach method and instance/shadow tree destruction.
+
+2010-07-06 Nikolas Zimmermann <nzimmermann@rim.com>
+
+ Reviewed by Darin Adler.
+
+ <use> on <font-face> causes crashes, if SVGUseElement gets detached
+ https://bugs.webkit.org/show_bug.cgi?id=41621
+
+ Do not call removeFromMappedElementSheet() from the destructor, as the call to document()->updateStyleSelector() that can potentially
+ cause the element to be reattached while destructing. It's not needed at all, because removedFromDocument() is called before destruction,
+ which already calls removeFromMappedElementSheet() - at this point it's still safe to update the style selector.
+
+ The crash is reproducable when using <use> on <font-face>.
+
+ Test: svg/custom/use-font-face-crash.svg
+
+ * svg/SVGFontFaceElement.cpp:
+ (WebCore::SVGFontFaceElement::~SVGFontFaceElement):
+
+2010-07-05 Nikolas Zimmermann <nzimmermann@rim.com>
+
+ Reviewed by Darin Adler.
+
+ Memory corruption with SVG <use> element
+ https://bugs.webkit.org/show_bug.cgi?id=40994
+
+ Fix race condition in svgAttributeChanged. Never call svgAttributeChanged() from attributeChanged()
+ when we're synchronizing SVG attributes. It leads to either unnecessary extra work being done or
+ crashes. Especially together with <polyline>/<polygon> which always synchronize the SVGAnimatedPoints
+ datastructure with the points attribute, no matter if there are changes are not. This should be
+ furhter optimized, but this fix is sane and fixes the root of the evil races.
+
+ Test: svg/custom/use-property-synchronization-crash.svg
+
+ * svg/SVGElement.cpp:
+ (WebCore::SVGElement::attributeChanged):
+
+2010-06-11 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by David Hyatt.
+
+ Don't process floats if parent node is not a RenderBlock.
+ https://bugs.webkit.org/show_bug.cgi?id=40033
+
+ Test: svg/text/clear-floats-crash.svg
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::clearFloats):
+
+2010-06-23 Nikolas Zimmermann <nzimmermann@rim.com>
+
+ Reviewed by Eric Seidel.
+
+ Reproducible crash in com.apple.WebCore 0x01ed3784 WebCore::RenderLineBoxList::appendLineBox(WebCore::InlineFlowBox*) + 36
+ https://bugs.webkit.org/show_bug.cgi?id=40953
+
+ REGRESSION (r58209-58231): Memory corruption with invalid SVG
+ https://bugs.webkit.org/show_bug.cgi?id=40173
+
+ Fix several crashes, all related to <foreignObject> and/or invalid SVG documents.
+ - Only allow <svg> nodes, as direct children of a <foreignObject>, not any other "partial" SVG content.
+ - Assure to create RenderSVGRoot objects for <svg> nodes in <foreignObject>, treat them as "outermost SVG elements".
+ - Never allow any partial SVG content to appear in any document. Only <svg> elements are allowed.
+
+ Tests: svg/custom/bug45331.svg
+ svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg
+ svg/foreignObject/no-crash-with-svg-content-in-html-document.svg
+ svg/foreignObject/svg-document-as-direct-child.svg
+ svg/foreignObject/svg-document-in-html-document.svg
+ svg/foreignObject/text-tref-02-b.svg
+
+ * dom/Element.cpp: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
+ (WebCore::Element::childShouldCreateRenderer): Only create a renderer for a SVG child, if we're a SVG element, or if the child is a <svg> element.
+ * dom/Element.h: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
+ * svg/SVGForeignObjectElement.cpp:
+ (WebCore::SVGForeignObjectElement::childShouldCreateRenderer): Disallow arbitary SVG content, only <svg> elements are allowed as direct children of a <foreignObject>
+ * svg/SVGSVGElement.cpp:
+ (WebCore::SVGSVGElement::isOutermostSVG): Be sure to create RenderSVGRoot objects for <svg> elements inside <foreignObject>
+
+2010-06-10 Abhishek Arya <inferno@chromium.org>
+
+ Reviewed by Dave Hyatt.
+
+ Do not render CSS Styles :first-letter and :first-line in a SVG text element context.
+ https://bugs.webkit.org/show_bug.cgi?id=40031
+
+ Test: svg/text/text-style-invalid.svg
+
+ * rendering/RenderSVGText.cpp:
+ (WebCore::RenderSVGText::firstLineBlock):
+ (WebCore::RenderSVGText::updateFirstLetter):
+ * rendering/RenderSVGText.h:
+
+2010-07-01 Justin Schuh <jschuh@chromium.org>
+
+ Reviewed by Dan Bernstein.
+
+ Prevent crash on counter destruction
+ https://bugs.webkit.org/show_bug.cgi?id=40032
+
+ Added counter destruction to RenderWidget::destroy()
+
+ Test: fast/css/counters/destroy-counter-crash.html
+
+ * rendering/RenderWidget.cpp:
+ (WebCore::RenderWidget::destroy):
+
+2010-06-29 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Darin Adler.
+
+ <rdar://problem/7975842> Certain text is repeated after using splitText()
+
+ Tests: fast/text/setData-dirty-lines.html
+ fast/text/splitText-dirty-lines.html
+
+ * dom/CharacterData.cpp:
+ (WebCore::CharacterData::setData): Call RenderText::setTextWithOffset() rather than
+ setText(), because only the former correctly dirties line boxes.
+ * dom/Text.cpp:
+ (WebCore::Text::splitText): Ditto.
+
+2010-06-25 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Sam Weinig.
+
+ <rdar://problem/8000667> Certain text is repeated before and after a line break
+
+ Test: fast/text/bidi-explicit-embedding-past-end.html
+
+ * platform/text/BidiResolver.h:
+ (WebCore::::createBidiRunsForLine): Committing explicit embedding past the end of the range
+ creates BidiRuns up to the end of the range, so at that point, we can stop iterating.
+
+2010-06-10 Tony Chang <tony@chromium.org>
+
+ Reviewed by Kent Tamura.
+
+ crash when focus is changed while trying to focus next element
+ https://bugs.webkit.org/show_bug.cgi?id=40407
+
+ Test: fast/events/focus-change-crash.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::focus):
+
+2010-07-01 Andreas Kling <andreas.kling@nokia.com>
+
+ Reviewed by Tor Arne Vestbø.
+
+ [Qt] Clamp color stops passed to QGradient to 1.0
+ [https://bugs.webkit.org/show_bug.cgi?id=41484
+
+ Fixes an issue where color stops would be silently dropped from radial gradients.
+
+ * platform/graphics/qt/GradientQt.cpp:
+ (WebCore::Gradient::platformGradient):
+
+2010-07-07 Tor Arne Vestbø <tor.arne.vestbo@nokia.com>
+
+ Reviewed by Darin Adler.
+
+ Prevent assertion/duplicate loads for non-deferred subtitute-data loads
+
+ https://bugs.webkit.org/show_bug.cgi?id=30879
+
+ MainResourceLoader uses the member m_initialRequest to store requests for future
+ deferred loads. When doing the actual load in handleDataLoadNow(), we therefore
+ have to clear this request so that subsequent entries into the loader will not
+ start yet another load.
+
+ This can happen as a result of a PageGroupLoadDeferrer going out of scope when
+ returning from Chrome::runJavaScriptAlert(), which calls setDeferredLoading(false),
+ but only in the case of using both substitute-data and non-deferred main resource
+ load together. That's why two new DRT functions were added:
+
+ * queueLoadHTMLString()
+ * setDeferMainResourceLoad()
+
+ The change adds DRT hooks for Mac, Win and Qt for these two functions. For Mac
+ and Win the hook uses new SPI in WebDataSource. For Qt a new static member was
+ added to the FrameLoaderClientQt and accessed though DumpRenderTreeSupportQt.
+
+ Test: fast/loader/non-deferred-substitute-load.html
+
+ * loader/MainResourceLoader.cpp:
+ (WebCore::MainResourceLoader::handleDataLoadNow):
+
+2010-07-16 Antonio Gomes <tonikitoo@webkit.org>
+
+ Reviewed by Simon Fraser.
+
+ Spatial navigation: do not consider outline for focusable element boundaries
+ https://bugs.webkit.org/show_bug.cgi?id=42474
+
+ Test: fast/events/spatial-navigation/snav-zero-margin-content.html
+
+ Currently in WebCore::renderRectRelativeToRootDocument function, we are calling
+ RenderObject::absoluteClippedOverflowRect to obtain the rect boundary of a given
+ renderer/element. This method deals with outline, which is out of elements boundary.
+ It makes spatial navigation to fail on common sites like google.gom: "Web, Images, Map, etc"
+ are inaccessible.
+
+ Patch replaces RenderObject::absoluteClippedOverflowRect by Node::getRect,
+ which returns only the absolute bounding box rect of the Element.
+
+ * page/SpatialNavigation.cpp:
+ (WebCore::renderRectRelativeToRootDocument):
+ (WebCore::checkNegativeCoordsForNode):
+
+2010-07-21 Kristian Amlie <kristian.amlie@nokia.com>
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ Added automatic sqlite extraction for Symbian to QtWebKit.
+
+ Also added sqlite detection in case sqlite is not present in the SDK.
+ This is possible if WebKit is compiled standalone.
+
+ The inclusion part is a consequence of commit c578c6c1d6d in the Qt
+ repository. It will not work on Qt versions < 4.7.1, but that is ok,
+ since the only build system it will affect is marked as experimental
+ in the whole 4.7 series.
+
+ * WebCore.pro:
+
2010-05-14 Abhishek Arya <inferno@chromium.org>
Reviewed by David Hyatt.
diff --git a/src/3rdparty/webkit/WebCore/WebCore.pro b/src/3rdparty/webkit/WebCore/WebCore.pro
index aaa4623..f892f9e 100644
--- a/src/3rdparty/webkit/WebCore/WebCore.pro
+++ b/src/3rdparty/webkit/WebCore/WebCore.pro
@@ -118,8 +118,16 @@ win32-g++* {
QMAKE_LIBDIR_POST += $$split(TMPPATH,";")
}
-# Assume that symbian OS always comes with sqlite
-symbian:!CONFIG(QTDIR_build): CONFIG += system-sqlite
+symbian {
+ !CONFIG(QTDIR_build) {
+ # Test if symbian OS comes with sqlite
+ exists($${EPOCROOT}epoc32/release/armv5/lib/sqlite3.dso):CONFIG *= system-sqlite
+ } else:!symbian-abld:!symbian-sbsv2 {
+ # When bundled with Qt, all Symbian build systems extract their own sqlite files if
+ # necessary, but on non-mmp based ones we need to specify this ourselves.
+ include($$QT_SOURCE_TREE/src/plugins/sqldrivers/sqlite_symbian/sqlite_symbian.pri)
+ }
+}
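Review bot: The sqlite detection on the `exists(...)` line is bound to a single target directory, `epoc32/release/armv5/lib/sqlite3.dso`, so the result only reflects the armv5 release tree rather than the target actually being built. If the emulator or another architecture ships sqlite in a different directory, that build would silently fall back to the bundled copy (or, in the `else` branch, the included .pri), which contradicts the comment "Test if symbian OS comes with sqlite". At minimum the comment should say which target the probe looks at, e.g. `# Probe the armv5 release tree only; other targets are assumed to match`, or the path should be derived from the current target rather than hard-coded.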
diff --git a/src/3rdparty/webkit/WebCore/dom/CharacterData.cpp b/src/3rdparty/webkit/WebCore/dom/CharacterData.cpp
index 3c3dc37..cb12184 100644
--- a/src/3rdparty/webkit/WebCore/dom/CharacterData.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/CharacterData.cpp
@@ -46,15 +46,15 @@ void CharacterData::setData(const String& data, ExceptionCode&)
int oldLength = length();
RefPtr<StringImpl> oldStr = m_data;
m_data = dataImpl;
-
+
if ((!renderer() || !rendererIsNeeded(renderer()->style())) && attached()) {
detach();
attach();
} else if (renderer())
- toRenderText(renderer())->setText(m_data);
-
+ toRenderText(renderer())->setTextWithOffset(m_data, 0, oldLength);
+
dispatchModifiedEvent(oldStr.get());
-
+
document()->textRemoved(this, 0, oldLength);
}
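Review bot: Three line pairs in this hunk (the blank lines removed and re-added around `m_data = dataImpl;`, after the `setTextWithOffset` call, and before `document()->textRemoved(...)`) appear to differ only in whitespace, which makes the functional one-line change to `setTextWithOffset(m_data, 0, oldLength)` harder to spot and likely reintroduces trailing whitespace. I would drop the whitespace-only pairs from the patch so the hunk contains just the `setText` → `setTextWithOffset` change. `CharacterData::setData` begins outside the hunk, so I cannot see whether `oldLength` (an `int`) matches the parameter type of `setTextWithOffset`; if that parameter is unsigned, a `static_cast<unsigned>(oldLength)` would make the intent explicit.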
diff --git a/src/3rdparty/webkit/WebCore/dom/Element.cpp b/src/3rdparty/webkit/WebCore/dom/Element.cpp
index a02bb4c..4c93020 100644
--- a/src/3rdparty/webkit/WebCore/dom/Element.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Element.cpp
@@ -1311,8 +1311,12 @@ void Element::focus(bool restorePreviousSelection)
return;
}
- if (Page* page = doc->page())
+ RefPtr<Node> protect;
+ if (Page* page = doc->page()) {
+ // Focus and change event handlers can cause us to lose our last ref.
+ protect = this;
page->focusController()->setFocusedNode(this, doc->frame());
+ }
// Setting the focused node above might have invalidated the layout due to scripts.
doc->updateLayoutIgnorePendingStylesheets();
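Review bot: The self-reference in `protect` is only taken inside the `if (Page* page = doc->page())` branch, yet the code after the block (`doc->updateLayoutIgnorePendingStylesheets()` and whatever follows in the function, which ends outside the hunk) runs in both branches; if layout can run script that drops the last reference, the no-page path is unprotected. Since the comment says focus and change handlers can drop our last ref, it is simpler and safer to take the reference unconditionally: replace `RefPtr<Node> protect;` with `RefPtr<Node> protect(this);` and remove the `protect = this;` assignment inside the block. `Element::focus` starts before this hunk, so I am assuming nothing earlier in the function already holds such a reference.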
@@ -1535,4 +1539,15 @@ const QualifiedName& Element::rareIDAttributeName() const
return rareData()->m_idAttributeName;
}
+#if ENABLE(SVG)
+bool Element::childShouldCreateRenderer(Node* child) const
+{
+ // Only create renderers for SVG elements whose parents are SVG elements, or for proper <svg xmlns="svgNS"> subdocuments.
+ if (child->isSVGElement())
+ return child->hasTagName(SVGNames::svgTag) || isSVGElement();
+
+ return Node::childShouldCreateRenderer(child);
+}
+#endif
+
} // namespace WebCore
diff --git a/src/3rdparty/webkit/WebCore/dom/Element.h b/src/3rdparty/webkit/WebCore/dom/Element.h
index 348ed1c..36c4f1b 100644
--- a/src/3rdparty/webkit/WebCore/dom/Element.h
+++ b/src/3rdparty/webkit/WebCore/dom/Element.h
@@ -270,6 +270,10 @@ public:
virtual void dispatchFormControlChangeEvent() { }
+#if ENABLE(SVG)
+ virtual bool childShouldCreateRenderer(Node*) const;
+#endif
+
protected:
Element(const QualifiedName&, Document*, ConstructionType);
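Review bot: The new virtual `childShouldCreateRenderer(Node*) const` is added to the public interface without any comment explaining what an override is expected to decide, and the `.cpp` hunk shows the SVG-specific policy only in an inline comment. A short header comment would help other subclasses override it correctly, e.g. `// Returns whether |child| should get a renderer when attached under this element; the default allows an SVG child only under an SVG parent or for an <svg> root.` Since the declaration is guarded by `ENABLE(SVG)`, the comment should also say so, because callers in non-SVG builds must not rely on it.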
diff --git a/src/3rdparty/webkit/WebCore/dom/Text.cpp b/src/3rdparty/webkit/WebCore/dom/Text.cpp
index 1ce074a..229fa88 100644
--- a/src/3rdparty/webkit/WebCore/dom/Text.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Text.cpp
@@ -77,7 +77,7 @@ PassRefPtr<Text> Text::splitText(unsigned offset, ExceptionCode& ec)
document()->textNodeSplit(this);
if (renderer())
- toRenderText(renderer())->setText(dataImpl());
+ toRenderText(renderer())->setTextWithOffset(dataImpl(), 0, oldStr->length());
return newText.release();
}
diff --git a/src/3rdparty/webkit/WebCore/loader/MainResourceLoader.cpp b/src/3rdparty/webkit/WebCore/loader/MainResourceLoader.cpp
index 28587e2..54c5c34 100644
--- a/src/3rdparty/webkit/WebCore/loader/MainResourceLoader.cpp
+++ b/src/3rdparty/webkit/WebCore/loader/MainResourceLoader.cpp
@@ -464,6 +464,10 @@ void MainResourceLoader::handleDataLoadNow(MainResourceLoaderTimer*)
KURL url = m_substituteData.responseURL();
if (url.isEmpty())
url = m_initialRequest.url();
+
+ // Clear the initial request here so that subsequent entries into the
+ // loader will not think there's still a deferred load left to do.
+ m_initialRequest = ResourceRequest();
ResourceResponse response(url, m_substituteData.mimeType(), m_substituteData.content()->size(), m_substituteData.textEncoding(), "");
didReceiveResponse(response);
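Review bot: After the added `m_initialRequest = ResourceRequest();` any later code in `handleDataLoadNow` that still reads `m_initialRequest` sees an empty request; the function continues past the hunk, so I cannot confirm there is no such use, but it is worth checking since `url` was deliberately copied out before the reset. Placing the reset immediately before `didReceiveResponse(response)` is the right choice, as that call is the re-entry point the comment describes, but the comment should say so explicitly, e.g. `// Reset before didReceiveResponse(): it can re-enter the loader (alert → setDeferredLoading(false)).`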
diff --git a/src/3rdparty/webkit/WebCore/page/SpatialNavigation.cpp b/src/3rdparty/webkit/WebCore/page/SpatialNavigation.cpp
index a80626f..fdacebb 100644
--- a/src/3rdparty/webkit/WebCore/page/SpatialNavigation.cpp
+++ b/src/3rdparty/webkit/WebCore/page/SpatialNavigation.cpp
@@ -102,14 +102,9 @@ void distanceDataForNode(FocusDirection direction, Node* start, FocusCandidate&
// FIXME: This function does not behave correctly with transformed frames.
static IntRect renderRectRelativeToRootDocument(RenderObject* render)
{
- ASSERT(render);
+ ASSERT(render && render->node());
- IntRect rect(render->absoluteClippedOverflowRect());
-
- if (rect.isEmpty()) {
- Element* e = static_cast<Element*>(render->node());
- rect = e->getRect();
- }
+ IntRect rect = render->node()->getRect();
// In cases when the |render|'s associated node is in a scrollable inner
// document, we only consider its scrollOffset if it is not offscreen.
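Review bot: `render->node()->getRect()` dereferences the node unconditionally, and the only protection is the `ASSERT(render && render->node())`, which compiles out in release builds; the removed code only touched the node when the overflow rect was empty. If a renderer without a DOM node (an anonymous renderer, for instance) can reach `renderRectRelativeToRootDocument`, this is a null dereference in release. I would keep the assertion and add a release-safe guard before the new line: `if (!render->node())` / `    return IntRect();`, unless the callers are known to filter such renderers out, which I cannot verify from this hunk.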
@@ -516,7 +511,7 @@ static bool checkNegativeCoordsForNode(Node* node, const IntRect& curRect)
{
ASSERT(node || node->renderer());
- if (curRect.x() > 0 && curRect.y() > 0)
+ if (curRect.x() >= 0 && curRect.y() >= 0)
return true;
bool canBeScrolled = false;
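Review bot: The context line `ASSERT(node || node->renderer());` directly above the changed comparison is wrong as written: with `||` the assertion is trivially true when `node` is non-null and dereferences a null `node` otherwise, so it never checks what it appears to check. It is not part of this change, but since the hunk touches the same function it would be cheap to fix it to `ASSERT(node && node->renderer());`. The `>=` change itself looks right, as an element whose rect starts exactly at the origin is not at a negative coordinate.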
diff --git a/src/3rdparty/webkit/WebCore/platform/graphics/qt/GradientQt.cpp b/src/3rdparty/webkit/WebCore/platform/graphics/qt/GradientQt.cpp
index 8b9e2d7..1ec3203 100644
--- a/src/3rdparty/webkit/WebCore/platform/graphics/qt/GradientQt.cpp
+++ b/src/3rdparty/webkit/WebCore/platform/graphics/qt/GradientQt.cpp
@@ -65,7 +65,7 @@ QGradient* Gradient::platformGradient()
lastStop = stopIterator->stop;
if (m_radial && m_r0)
lastStop = m_r0 / m_r1 + lastStop * (1.0f - m_r0 / m_r1);
- m_gradient->setColorAt(lastStop, stopColor);
+ m_gradient->setColorAt(qMin(lastStop, qreal(1.0f)), stopColor);
// Keep the lastStop as orginal value, since the following stopColor depend it
lastStop = stopIterator->stop;
++stopIterator;
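Review bot: The new `qMin(lastStop, qreal(1.0f))` clamps only the upper bound; a stop below 0 would still be passed to `QGradient::setColorAt`, which the ChangeLog says silently drops out-of-range stops. From the formula on the unchanged line a stop only exceeds 1 when `m_r0 > m_r1`, so the lower side may never be hit, but a symmetric `qBound(qreal(0), lastStop, qreal(1))` documents the intent and costs nothing. Separately, the `if (m_radial && m_r0)` guard on the context line does not protect the division by `m_r1`; that is pre-existing, but worth a look while here.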
diff --git a/src/3rdparty/webkit/WebCore/platform/text/BidiResolver.h b/src/3rdparty/webkit/WebCore/platform/text/BidiResolver.h
index 286cdcd..a99fd01 100644
--- a/src/3rdparty/webkit/WebCore/platform/text/BidiResolver.h
+++ b/src/3rdparty/webkit/WebCore/platform/text/BidiResolver.h
@@ -806,35 +806,33 @@ void BidiResolver<Iterator, Run>::createBidiRunsForLine(const Iterator& end, boo
break;
}
- if (pastEnd) {
- if (eor == current) {
- if (!reachedEndOfLine) {
- eor = endOfLine;
- switch (m_status.eor) {
- case LeftToRight:
- case RightToLeft:
- case ArabicNumber:
- m_direction = m_status.eor;
- break;
- case EuropeanNumber:
- m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber;
- break;
- default:
- ASSERT(false);
- }
- appendRun();
+ if (pastEnd && eor == current) {
+ if (!reachedEndOfLine) {
+ eor = endOfLine;
+ switch (m_status.eor) {
+ case LeftToRight:
+ case RightToLeft:
+ case ArabicNumber:
+ m_direction = m_status.eor;
+ break;
+ case EuropeanNumber:
+ m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber;
+ break;
+ default:
+ ASSERT(false);
}
- current = end;
- m_status = stateAtEnd.m_status;
- sor = stateAtEnd.sor;
- eor = stateAtEnd.eor;
- last = stateAtEnd.last;
- reachedEndOfLine = stateAtEnd.reachedEndOfLine;
- lastBeforeET = stateAtEnd.lastBeforeET;
- emptyRun = stateAtEnd.emptyRun;
- m_direction = OtherNeutral;
- break;
+ appendRun();
}
+ current = end;
+ m_status = stateAtEnd.m_status;
+ sor = stateAtEnd.sor;
+ eor = stateAtEnd.eor;
+ last = stateAtEnd.last;
+ reachedEndOfLine = stateAtEnd.reachedEndOfLine;
+ lastBeforeET = stateAtEnd.lastBeforeET;
+ emptyRun = stateAtEnd.emptyRun;
+ m_direction = OtherNeutral;
+ break;
}
// set m_status.last as needed.
@@ -887,8 +885,21 @@ void BidiResolver<Iterator, Run>::createBidiRunsForLine(const Iterator& end, boo
}
increment();
- if (!m_currentExplicitEmbeddingSequence.isEmpty())
+ if (!m_currentExplicitEmbeddingSequence.isEmpty()) {
commitExplicitEmbedding();
+ if (pastEnd) {
+ current = end;
+ m_status = stateAtEnd.m_status;
+ sor = stateAtEnd.sor;
+ eor = stateAtEnd.eor;
+ last = stateAtEnd.last;
+ reachedEndOfLine = stateAtEnd.reachedEndOfLine;
+ lastBeforeET = stateAtEnd.lastBeforeET;
+ emptyRun = stateAtEnd.emptyRun;
+ m_direction = OtherNeutral;
+ break;
+ }
+ }
if (emptyRun && (dirCurrent == RightToLeftEmbedding
|| dirCurrent == LeftToRightEmbedding
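Review bot: The nine-line restore sequence added here (`current = end;` through `m_direction = OtherNeutral;` followed by `break;`) is a verbatim copy of the block that the first hunk of this file moves inside `if (pastEnd && eor == current)`, so the same end-of-range state now lives in two places and future fixes must be applied twice. I would pull the restore into one spot, either a small private helper on the resolver that takes the locals (`sor`, `eor`, `last`, `reachedEndOfLine`, `lastBeforeET`, `emptyRun`) by reference and assigns them together with `m_status` and `m_direction` from `stateAtEnd`, or a restructuring of the loop so both paths reach a single restore block before the `break`. `createBidiRunsForLine` begins and ends outside both hunks, and `stateAtEnd` is captured before them, so I am assuming it is already valid at the point the new check runs.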
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp
index 798663e..e7fa753 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderBlock.cpp
@@ -2981,6 +2981,12 @@ void RenderBlock::clearFloats()
m_floatingObjects->clear();
}
+ // We should not process floats if the parent node is not a RenderBlock. Otherwise, we will add
+ // floats in an invalid context. This will cause a crash arising from a bad cast on the parent.
+ // See <rdar://problem/8049753>, where float property is applied on a text node in a SVG.
+ if (!parent() || !parent()->isRenderBlock())
+ return;
+
// Attempt to locate a previous sibling with overhanging floats. We skip any elements that are
// out of flow (like floating/positioned elements), and we also skip over any objects that may have shifted
// to avoid floats.
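Review bot: The added early `return` exits `clearFloats` before the previous-sibling scan, but also before everything that follows it in the function, which ends outside this hunk; if any later code resets per-layout float state that must run even when there is nothing to inherit, that is now skipped for renderers whose parent is not a block. Worth confirming against the rest of the function rather than assuming. The comment is good; I would only make it say what the bad cast is so the guard survives refactoring, e.g. `// The sibling walk below calls toRenderBlock(parent()); bail out first if that cast would be invalid.`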
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.cpp
index 76b8b86..de902e0 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.cpp
@@ -225,6 +225,19 @@ FloatRect RenderSVGText::repaintRectInLocalCoordinates() const
return repaintRect;
}
+// Fix for <rdar://problem/8048875>. We should not render :first-line CSS Style
+// in a SVG text element context.
+RenderBlock* RenderSVGText::firstLineBlock() const
+{
+ return 0;
+}
+
+// Fix for <rdar://problem/8048875>. We should not render :first-letter CSS Style
+// in a SVG text element context.
+void RenderSVGText::updateFirstLetter()
+{
+}
+
}
#endif // ENABLE(SVG)
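Review bot: `RenderSVGText::firstLineBlock()` now always returns 0, so every caller of the virtual in `RenderBlock` must already tolerate a null first-line block; that is plausible, since a block without `:first-line` style presumably yields null too, but it is an inferred contract and should be stated. Both new comments repeat the same rdar reference and reason; one comment covering both overrides, such as `// :first-line and :first-letter are not rendered inside SVG text; returning no first-line block and skipping first-letter handling disables them in RenderBlock.`, would say why the null return is safe.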
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.h b/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.h
index ab4b09b..f09e396 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.h
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderSVGText.h
@@ -72,6 +72,9 @@ private:
virtual RootInlineBox* createRootInlineBox();
+ virtual RenderBlock* firstLineBlock() const;
+ virtual void updateFirstLetter();
+
AffineTransform m_localTransform;
};
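Review bot: The two new private overrides are declared with no comment, and the reason they exist is only discoverable from the `.cpp`. A one-line note next to them, e.g. `// :first-line / :first-letter are intentionally not applied inside SVG text.`, tells a reader that a null `firstLineBlock()` is deliberate rather than an unimplemented stub.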
diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderWidget.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderWidget.cpp
index 561bead..251a65d 100644
--- a/src/3rdparty/webkit/WebCore/rendering/RenderWidget.cpp
+++ b/src/3rdparty/webkit/WebCore/rendering/RenderWidget.cpp
@@ -27,6 +27,7 @@
#include "AnimationController.h"
#include "GraphicsContext.h"
#include "HitTestResult.h"
+#include "RenderCounter.h"
#include "RenderView.h"
#include "RenderWidgetProtector.h"
@@ -114,6 +115,9 @@ void RenderWidget::destroy()
if (RenderView* v = view())
v->removeWidget(this);
+ if (m_hasCounterNodeMap)
+ RenderCounter::destroyCounterNodes(this);
+
if (AXObjectCache::accessibilityEnabled()) {
document()->axObjectCache()->childrenChanged(this->parent());
document()->axObjectCache()->remove(this);
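Review bot: The added `RenderCounter::destroyCounterNodes(this)` call in `RenderWidget::destroy` has no comment saying why counter teardown is needed here rather than in the base-class `destroy()`; from this hunk alone I cannot tell whether `RenderWidget::destroy` chains to `RenderObject::destroy` at all, which is presumably the reason. A short comment would prevent someone removing it as a duplicate, e.g. `// RenderWidget::destroy does not go through RenderObject::destroy, so counters must be torn down here too.`, adjusted to whatever the actual call chain is.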
diff --git a/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp b/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp
index 41bbba4..974bf2a 100644
--- a/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp
+++ b/src/3rdparty/webkit/WebCore/svg/SVGElement.cpp
@@ -304,6 +304,15 @@ void SVGElement::attributeChanged(Attribute* attr, bool preserveDecls)
return;
StyledElement::attributeChanged(attr, preserveDecls);
+
+ // When an animated SVG property changes through SVG DOM, svgAttributeChanged() is called, not attributeChanged().
+ // Next time someone tries to access the XML attributes, the synchronization code starts. During that synchronization
+ // SVGAnimatedPropertySynchronizer may call NamedNodeMap::removeAttribute(), which in turn calls attributeChanged().
+ // At this point we're not allowed to call svgAttributeChanged() again - it may lead to extra work being done, or crashes
+ // see bug https://bugs.webkit.org/show_bug.cgi?id=40994.
+ if (m_synchronizingSVGAttributes)
+ return;
+
svgAttributeChanged(attr->name());
}
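Review bot: The new early return keys entirely on `m_synchronizingSVGAttributes`, whose set and reset points are outside this hunk; if any path sets the flag and fails to clear it, `svgAttributeChanged()` is suppressed for the rest of the element's life with no diagnostic. It would be worth confirming the flag is cleared on every exit of the synchronization code (a scope guard is the usual way), and the comment could note that dependency, e.g. `// m_synchronizingSVGAttributes is set/cleared around attribute synchronization; it must never be left set.`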
diff --git a/src/3rdparty/webkit/WebCore/svg/SVGFontFaceElement.cpp b/src/3rdparty/webkit/WebCore/svg/SVGFontFaceElement.cpp
index 25b3aea..de646c6 100644
--- a/src/3rdparty/webkit/WebCore/svg/SVGFontFaceElement.cpp
+++ b/src/3rdparty/webkit/WebCore/svg/SVGFontFaceElement.cpp
@@ -59,7 +59,6 @@ SVGFontFaceElement::SVGFontFaceElement(const QualifiedName& tagName, Document* d
SVGFontFaceElement::~SVGFontFaceElement()
{
- removeFromMappedElementSheet();
}
static int cssPropertyIdForSVGAttributeName(const QualifiedName& attrName)
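Review bot: The destructor is left empty with no explanation, so the next reader sees a pointless user-defined destructor and may either remove it or, worse, put the `removeFromMappedElementSheet()` call back. A comment in the body would preserve the reasoning from the ChangeLog: `// Intentionally empty: removedFromDocument() already calls removeFromMappedElementSheet(); doing it here can re-attach the element mid-destruction (bug 41621).`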
diff --git a/src/3rdparty/webkit/WebCore/svg/SVGForeignObjectElement.cpp b/src/3rdparty/webkit/WebCore/svg/SVGForeignObjectElement.cpp
index d28e2a4..e7b5389 100644
--- a/src/3rdparty/webkit/WebCore/svg/SVGForeignObjectElement.cpp
+++ b/src/3rdparty/webkit/WebCore/svg/SVGForeignObjectElement.cpp
@@ -125,6 +125,10 @@ RenderObject* SVGForeignObjectElement::createRenderer(RenderArena* arena, Render
bool SVGForeignObjectElement::childShouldCreateRenderer(Node* child) const
{
+ // Disallow arbitary SVG content. Only allow proper <svg xmlns="svgNS"> subdocuments.
+ if (child->isSVGElement())
+ return child->hasTagName(SVGNames::svgTag);
+
// Skip over SVG rules which disallow non-SVG kids
return StyledElement::childShouldCreateRenderer(child);
}
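Review bot: The new comment has a typo, "arbitary"; it should read `// Disallow arbitrary SVG content. Only allow proper <svg xmlns="svgNS"> subdocuments.`. It may also help to note that this override deliberately tightens `Element::childShouldCreateRenderer`, which would otherwise accept any SVG child under an SVG parent such as this one.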
diff --git a/src/3rdparty/webkit/WebCore/svg/SVGSVGElement.cpp b/src/3rdparty/webkit/WebCore/svg/SVGSVGElement.cpp
index 4c06008..5237715 100644
--- a/src/3rdparty/webkit/WebCore/svg/SVGSVGElement.cpp
+++ b/src/3rdparty/webkit/WebCore/svg/SVGSVGElement.cpp
@@ -538,6 +538,10 @@ bool SVGSVGElement::isOutermostSVG() const
if (!parentNode())
return true;
+ // We act like an outermost SVG element, if we're a direct child of a <foreignObject> element.
+ if (parentNode()->hasTagName(SVGNames::foreignObjectTag))
+ return true;
+
// This is true whenever this is the outermost SVG, even if there are HTML elements outside it
return !parentNode()->isSVGElement();
}
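Review bot: The new `foreignObjectTag` check is placed before the existing `return !parentNode()->isSVGElement();`, and it only changes the result because `<foreignObject>` is itself an SVG element; the comment should state that so the ordering is not "simplified" away later, e.g. `// <foreignObject> is an SVG element, so the check below would otherwise say we are not outermost.` The comma in "outermost SVG element, if" should also go.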
diff --git a/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp b/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp
index 45bab6a..57d56e1 100644
--- a/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp
+++ b/src/3rdparty/webkit/WebCore/svg/SVGUseElement.cpp
@@ -572,8 +572,8 @@ void SVGUseElement::attach()
void SVGUseElement::detach()
{
- SVGStyledTransformableElement::detach();
m_targetElementInstance = 0;
+ SVGStyledTransformableElement::detach();
}
static bool isDirectReference(Node* n)
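Review bot: Swapping the two statements in `SVGUseElement::detach` is the whole fix, but nothing in the code records that the order is load-bearing, so a future tidy-up could put the base-class call back first and reintroduce the crash. A comment on the first line would pin it: `// Drop the instance tree before the base-class detach, matching removedFromDocument(); the reverse order crashes (bug 41621).`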