SVGAnimateElementBase::calculateAnimatedValue() asserts when reinserting an SVG animating element within the same animation limits
https://bugs.webkit.org/show_bug.cgi?id=143994
Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2015-04-21
Reviewed by Simon Fraser.
Source/WebCore:
Make sure the SVG animation variables are reset cleanly such that if the
animation restarts it can rebuild its limit values reliably and correctly.
Tests: svg/animations/crash-reinsert-animate-length-same-limits.svg
svg/animations/crash-reinsert-animate-transform-same-limits.svg
* svg/SVGAnimateElementBase.h:
* svg/SVGAnimateElementBase.cpp:
(WebCore::SVGAnimateElementBase::resetAnimatedPropertyType):
Call the base class resetAnimatedPropertyType() from the derived class.
* svg/SVGAnimationElement.h:
* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::resetAnimatedPropertyType):
Make resetAnimatedPropertyType() virtual. The implementation of the base
class of this function resets the values of the animation limits. When
updateAnimation() is called, it will be forced to recalculate the animation
limits by calling calculateFromAndToValues() even if the limits have not
changed.
LayoutTests:
* svg/animations/crash-reinsert-animate-length-same-limits-expected.txt: Added.
* svg/animations/crash-reinsert-animate-length-same-limits.svg: Added.
* svg/animations/crash-reinsert-animate-transform-same-limits-expected.txt: Added.
* svg/animations/crash-reinsert-animate-transform-same-limits.svg: Added.
Make sure when removing an SVG animating element and reinserting it back
within the same animation length or transform limits, we do not crash.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@183085 268f45cc-cd09-0410-ab3c-d52691b4dbfc
10 files changed
