[Webkit-unassigned] [Bug 59136] Null deref when no use element exists for SVG element instance

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 22 05:33:21 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=59136


Nikolas Zimmermann <zimmermann at kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #90628|review?                     |review-
               Flag|                            |




--- Comment #6 from Nikolas Zimmermann <zimmermann at kde.org>  2011-04-22 05:33:22 PST ---
(From update of attachment 90628)
View in context: https://bugs.webkit.org/attachment.cgi?id=90628&action=review

Sorry Cris, I fear that involves a bit more work:

> Source/WebCore/svg/SVGAnimationElement.cpp:347
> +            useElement->setNeedsStyleRecalc();

I'm confused a shadowTreeElement w/o correspondingUseElement, what _exactly_ forces us into such a state?
What happens if you completely disable the shadowTreeElement modifications, if correspondingUseElement is 0, does the animation still work?

> LayoutTests/svg/custom/use-null-instanceroot-crash.svg:5
> +        document.getElementById("use_elem").instanceRoot.correspondingElement = 0;

Hm, that is needed? Or does it even trigger the bug?? In the code changes, you're checking whether correspondingUseElement is zero, not correspondingElement?
SVGElementInstance.idl defines: readonly attribute SVGElement correspondingElement;
so this shouldn't take any affect at all, does it?

> LayoutTests/svg/custom/use-null-instanceroot-crash.svg:17
> +        <animateTransform attributeName="transform" />

Why are two animations needed, why the transform attribute?
You definately also need a new testcase using the JS SVG Animation test framework, see the other examples in LayoutTests/svg/animation.
We need to be sure that each of the animation runs properly, so you have to setup a real animation, cy from 0 to 15, for example.

Basically we need to sample the animation at various times, and assure both animations, the one of circleID, and the circleID clone through <use> work as expected.

> LayoutTests/svg/custom/use-null-instanceroot-crash.svg:19
> +    <use id="use_elem" xlink:href="#circleID" />

You should use x="30", to translate the second circle, so when running the test in the browser, you'll actually see two circles.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list