haikuwebkit/LayoutTests/svg/animations/animate-linear-discrete-add...

<?xml version="1.0" encoding="UTF-8"?>
<svg viewBox="0 0 300 200" xmlns="http://www.w3.org/2000/svg">
<g transform="translate(50,20)">
    <text x="2,3,4" y="0">
        ABC
    </text>
    <text x="1" y="30">
        DEF
    </text>
    <text x="90" y="60">
        GHI
    </text>
    <text x="120 0" y="90">
        JKL
    </text>
</g>
</svg>
Prevent crash in animated lists https://bugs.webkit.org/show_bug.cgi?id=85382 Reviewed by Nikolas Zimmermann. Source/WebCore: Animated lists blindly assign the last list value to m_toAtEndOfDurationType in SVGAnimationElement::startedActiveInterval. If the last list value's length is larger or smaller than the animated "to" length, we crash. This change prevents accessing values off the end of toAtEndOfDuration by adding a check for this case. It may seem inefficient to perform this check on every animation update but the "to" value can change (in cardinality) while animating. I checked each of the other animation types (e.g., SVGAnimatedAngle, SVGAnimatedBoolean, etc.) and was only able to hit this style of crash in the three types modified in this change: SVGAnimatedLengthList, SVGAnimatedNumberList, and SVGAnimatedPointList. Tests: svg/animations/animate-linear-discrete-additive-b-expected.svg svg/animations/animate-linear-discrete-additive-b.svg svg/animations/animate-linear-discrete-additive-c-expected.svg svg/animations/animate-linear-discrete-additive-c.svg svg/animations/animate-linear-discrete-additive-expected.svg svg/animations/animate-linear-discrete-additive.svg svg/animations/animate-list-crash.svg * svg/SVGAnimatedLengthList.cpp: (WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue): * svg/SVGAnimatedNumberList.cpp: (WebCore::SVGAnimatedNumberListAnimator::calculateAnimatedValue): * svg/SVGAnimatedPointList.cpp: (WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue): LayoutTests: * svg/animations/animate-linear-discrete-additive-b-expected.svg: Added. * svg/animations/animate-linear-discrete-additive-b.svg: Added. * svg/animations/animate-linear-discrete-additive-c-expected.svg: Added. * svg/animations/animate-linear-discrete-additive-c.svg: Added. * svg/animations/animate-linear-discrete-additive-expected.svg: Added. * svg/animations/animate-linear-discrete-additive.svg: Added. * svg/animations/animate-list-crash-expected.txt: Added. * svg/animations/animate-list-crash.svg: Added. Canonical link: https://commits.webkit.org/103508@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@116458 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2012-05-08 22:29:07 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<svg viewBox="0 0 300 200" xmlns="http://www.w3.org/2000/svg">`
			`<g transform="translate(50,20)">`
			`<text x="2,3,4" y="0">`
			`ABC`
			`</text>`
			`<text x="1" y="30">`
			`DEF`
			`</text>`
			`<text x="90" y="60">`
			`GHI`
			`</text>`
			`<text x="120 0" y="90">`
			`JKL`
			`</text>`
			`</g>`
			`</svg>`