Title: [233056] trunk
Revision: 233056
Author: s...@apple.com
Date: 2018-06-21 13:54:32 -0700 (Thu, 21 Jun 2018)

Log Message

RenderSVGInline has to be inline always regardless of its css display value
https://bugs.webkit.org/show_bug.cgi?id=186656

Reviewed by Zalan Bujtas.

Source/WebCore:

According to https://www.w3.org/TR/SVG2/text.html#TextLayout, the <text>
element has to be laid out as if it were a block element and any <tspan>,
<textPath>, <a> and <tref> descendants were inline elements.

If a css rule, which contains the property "display: block;", is applied
to any of the children of a <text> element, this property has to be ignored.

We currently ignore this property in RenderSVGInline::updateFromStyle()
by forcing setInline(true). But we do not do the same thing in
RenderTreeBuilder::normalizeTreeAfterStyleChange(). In fact we allow
making the children of the <text> element to be non-inline. This puts
the render tree in a weird state and causes many assertions to fire while
laying out RenderSVGText.

Test: svg/dom/svg-inline-text-display-block-crash.html

* rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::normalizeTreeAfterStyleChange):

LayoutTests:

* svg/dom/svg-inline-text-display-block-crash-expected.txt: Added.
* svg/dom/svg-inline-text-display-block-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (233055 => 233056)


--- trunk/LayoutTests/ChangeLog	2018-06-21 20:34:14 UTC (rev 233055)
+++ trunk/LayoutTests/ChangeLog	2018-06-21 20:54:32 UTC (rev 233056)
@@ -1,3 +1,13 @@
+2018-06-20  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        RenderSVGInline has to be inline always regardless of its css display value
+        https://bugs.webkit.org/show_bug.cgi?id=186656
+
+        Reviewed by Zalan Bujtas.
+
+        * svg/dom/svg-inline-text-display-block-crash-expected.txt: Added.
+        * svg/dom/svg-inline-text-display-block-crash.html: Added.
+
 2018-06-20  Zalan Bujtas  <za...@apple.com>
 
         Do not reuse generated inline renderer for the first letter.

Added: trunk/LayoutTests/svg/dom/svg-inline-text-display-block-crash-expected.txt (0 => 233056)


--- trunk/LayoutTests/svg/dom/svg-inline-text-display-block-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/dom/svg-inline-text-display-block-crash-expected.txt	2018-06-21 20:54:32 UTC (rev 233056)
@@ -0,0 +1,4 @@
+This test passes if it doesn't crash.
+
+ 
+

Added: trunk/LayoutTests/svg/dom/svg-inline-text-display-block-crash.html (0 => 233056)


--- trunk/LayoutTests/svg/dom/svg-inline-text-display-block-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/dom/svg-inline-text-display-block-crash.html	2018-06-21 20:54:32 UTC (rev 233056)
@@ -0,0 +1,21 @@
+<style>
+     tspan {
+        float: right;
+        display: block;
+    }
+</style>
+<body>
+    <p>This test passes if it doesn't crash.</p>
+    <input id="input">
+    <svg>
+        <text>
+            <tspan id="tspan" />
+        </text>
+    </svg>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+        input.setSelectionRange(0, 1);
+        tspan.style.float = "none";
+    </script>
+</body>
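
Review bot: The test only exercises <tspan>, while the log message also lists <textPath>, <a> and <tref> as descendants of <text> that must stay inline; consider adding those under the <text> element so the fix is covered for every element the message names. A short comment in the <script> saying why input.setSelectionRange(0, 1) is needed, and that tspan.style.float = "none" is the style change that triggers the crash, would help the next reader, since neither is obvious from the markup. Minor: the "tspan {" selector line is indented by five spaces while the rest of the file uses four.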

Modified: trunk/Source/WebCore/ChangeLog (233055 => 233056)


--- trunk/Source/WebCore/ChangeLog	2018-06-21 20:34:14 UTC (rev 233055)
+++ trunk/Source/WebCore/ChangeLog	2018-06-21 20:54:32 UTC (rev 233056)
@@ -1,3 +1,29 @@
+2018-06-20  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        RenderSVGInline has to be inline always regardless of its css display value
+        https://bugs.webkit.org/show_bug.cgi?id=186656
+
+        Reviewed by Zalan Bujtas.
+
+        According to https://www.w3.org/TR/SVG2/text.html#TextLayout, the <text>
+        element has to be laid out as if it were a block element and any <tspan>,
+        <textPath>, <a> and <tref> descendants were inline elements.
+
+        If a css rule, which contains the property "display: block;", is applied
+        to any of children of a <text> element, this property has to be ignored.
+
+        We currently ignore this property in RenderSVGInline::updateFromStyle()
+        by forcing setInline(true). But we do not do the same thing in 
+        RenderTreeBuilder::normalizeTreeAfterStyleChange(). In fact we allow
+        making the children of the <text> element to be non-inline. This puts
+        the render tree in weired state and causes many assertions to fire while
+        laying out RenderSVGText. 
+
+        Test: svg/dom/svg-inline-text-display-block-crash.html
+
+        * rendering/updating/RenderTreeBuilder.cpp:
+        (WebCore::RenderTreeBuilder::normalizeTreeAfterStyleChange):
+
 2018-06-20  Zalan Bujtas  <za...@apple.com>
 
         Do not reuse generated inline renderer for the first letter.
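
Review bot: In the new ChangeLog entry, "weired state" should read "weird state", and the lines ending in "thing in " and "RenderSVGText. " carry trailing whitespace; both are worth cleaning up in the entry.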

Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp (233055 => 233056)


--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp	2018-06-21 20:34:14 UTC (rev 233055)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp	2018-06-21 20:54:32 UTC (rev 233056)
@@ -544,7 +544,9 @@
         // We have gone from not affecting the inline status of the parent flow to suddenly
         // having an impact. See if there is a mismatch between the parent flow's
         // childrenInline() state and our state.
-        renderer.setInline(renderer.style().isDisplayInlineType());
+        // FIXME(186894): startsAffectingParent has clearly nothing to do with resetting the inline state.
+        if (!is<RenderSVGInline>(renderer))
+            renderer.setInline(renderer.style().isDisplayInlineType());
         if (renderer.isInline() != renderer.parent()->childrenInline())
             childFlowStateChangesAndAffectsParentBlock(renderer);
         return;
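
Review bot: The new is<RenderSVGInline>(renderer) guard has no comment explaining why these renderers are exempt; the FIXME above it is about startsAffectingParent, not about this check. A one-line comment stating that children of <text> must stay inline regardless of their display value would make the special case understandable in place. The comparison that follows, renderer.isInline() != renderer.parent()->childrenInline(), now relies on the inline bit having been forced elsewhere (the log message points to RenderSVGInline::updateFromStyle()), so an ASSERT(renderer.isInline()) for the skipped case would catch a regression of that invariant early.
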
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
