commit b395bdba54845078294eb9b79cb2ac6f451c752c
author fs@opera.com <fs@opera.com@bbb929c8-8fbe-4397-9dbb-9b2b20218538> Tue Jan 14 13:42:48 2014
committer fs@opera.com <fs@opera.com@bbb929c8-8fbe-4397-9dbb-9b2b20218538> Tue Jan 14 13:42:48 2014
tree ecb7ccbd4081208c99001abe0fbea4ee87a089f4
parent 6b9373a71d25ba96b65bf15191194c78af120028

Ensure ElementData exists before modifying when animating class attribute

This is a merge of http://trac.webkit.org/changeset/153835
by Rob Buis <rwlbuis@webkit.org>.

BUG=334194

Review URL: https://codereview.chromium.org/138173002

git-svn-id: svn://svn.chromium.org/blink/trunk@165068 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash-expected.txt

diff --git a/third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash-expected.txt b/third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash-expected.txt
new file mode 100644
index 0000000..69cfc5a9
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash-expected.txt
@@ -0,0 +1,2 @@
+PASS
+

third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash.html

diff --git a/third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash.html b/third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash.html
new file mode 100644
index 0000000..e777e45b
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/svg/animations/classAttributeSettingCrash.html
@@ -0,0 +1,12 @@
+<head>
+  <div>PASS</div>
+  <svg xmlns="http://www.w3.org/2000/svg">
+    <g>
+      <set attributename="class"></set>
+    </g>
+    <script type="text/javascript">
+      if (window.testRunner)
+        testRunner.dumpAsText();
+    </script>
+  </svg>
+</head>

third_party/WebKit/Source/core/dom/Element.cpp

diff --git a/third_party/WebKit/Source/core/dom/Element.cpp b/third_party/WebKit/Source/core/dom/Element.cpp
index f00b7e2f..45ff5c3 100644
--- a/third_party/WebKit/Source/core/dom/Element.cpp
+++ b/third_party/WebKit/Source/core/dom/Element.cpp
@@ -1100,11 +1100,11 @@
 
     if (classStringHasClassName(newClassString)) {
         const bool shouldFoldCase = document().inQuirksMode();
-        const SpaceSplitString oldClasses = elementData()->classNames();
+        const SpaceSplitString oldClasses = ensureUniqueElementData()->classNames();
         elementData()->setClass(newClassString, shouldFoldCase);
         const SpaceSplitString& newClasses = elementData()->classNames();
         shouldInvalidateStyle = testShouldInvalidateStyle && checkSelectorForClassChange(oldClasses, newClasses, styleResolver->ensureRuleFeatureSet());
-    } else {
+    } else if (elementData()) {
         const SpaceSplitString& oldClasses = elementData()->classNames();
         shouldInvalidateStyle = testShouldInvalidateStyle && checkSelectorForClassChange(oldClasses, styleResolver->ensureRuleFeatureSet());
         elementData()->clearClass();