Title: [161630] trunk
Revision
161630
Author
an...@apple.com
Date
2014-01-10 04:33:09 -0800 (Fri, 10 Jan 2014)

Log Message

Crash when mutating SVG text with transform
https://bugs.webkit.org/show_bug.cgi?id=126744

Reviewed by Dirk Schulze.

Source/WebCore: 

Test: svg/custom/mutation-text-transform-crash.html
        
The text-transform property triggers subtreeTextDidChange when an SVG text renderer is
being added to the render tree. The function assumes the child is already fully in the tree,
but in this case we are still in the middle of adding it.

* rendering/svg/RenderSVGText.cpp:
(WebCore::RenderSVGText::subtreeTextDidChange):
        
    Bail out if the changed RenderSVGInlineText can't be found in m_layoutAttributes.
    This means that subtreeChildWasAdded hasn't been invoked for it yet and there is nothing
    to update. The required updates will happen in subtreeChildWasAdded.

LayoutTests: 

* svg/custom/mutation-text-transform-crash-expected.txt: Added.
* svg/custom/mutation-text-transform-crash.html: Added.
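The ordering problem the ChangeLog describes, as an added example that is not WebKit's code: a small C++ model in which a container registers each child's layout attributes in childWasAdded(), but a text-transform applied during addChild() signals textDidChange() first, before the registration has happened. TextContainer, InlineText, LayoutAttributes and Result are hypothetical stand-ins for RenderSVGText, RenderSVGInlineText and the entries of m_layoutAttributes. The pre-fix branch only reports that it reached an unregistered child rather than reproducing the original crash, whose exact failing access the patch does not show.

```cpp
// Added example, not WebKit code: a minimal model of the ordering bug fixed in
// r161630. TextContainer, InlineText and LayoutAttributes are hypothetical
// stand-ins for RenderSVGText, RenderSVGInlineText and m_layoutAttributes entries.
#include <algorithm>
#include <cassert>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

struct LayoutAttributes {
    std::string text;  // the text this cached entry was computed for
};

struct InlineText {
    std::string data;
    LayoutAttributes attrs;
    bool everHadLayout = false;
};

class TextContainer {
public:
    enum class Result { NotSignalled, Updated, SkippedNotYetAdded, UnregisteredChildTouched };

    explicit TextContainer(bool guardPartialInsert) : m_guardPartialInsert(guardPartialInsert) {}

    // Models the problematic ordering: applying text-transform rewrites the
    // child's text and signals textDidChange() while the child is still being
    // added, i.e. before childWasAdded() has registered its attributes.
    Result addChild(InlineText& child, bool uppercaseTransform) {
        Result signalled = Result::NotSignalled;
        if (uppercaseTransform) {
            std::transform(child.data.begin(), child.data.end(), child.data.begin(),
                           [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
            signalled = textDidChange(child);
        }
        childWasAdded(child);
        return signalled;
    }

    // Called for ordinary mutations of an already-added child.
    Result textDidChange(InlineText& text) {
        auto it = std::find(m_layoutAttributes.begin(), m_layoutAttributes.end(), &text.attrs);
        if (it == m_layoutAttributes.end()) {
            if (m_guardPartialInsert) {
                // The r161630 check: not registered yet, so there is nothing to
                // update; childWasAdded() will compute the entry. A child that
                // has been laid out must already be registered.
                assert(!text.everHadLayout);
                return Result::SkippedNotYetAdded;
            }
            // Pre-fix behaviour: carry on as if the child were registered. The
            // real code went on to touch state that did not exist yet and
            // crashed; this model only reports that it got here.
            return Result::UnregisteredChildTouched;
        }
        (*it)->text = text.data;
        return Result::Updated;
    }

    void layout() {
        for (InlineText* child : m_children)
            child->everHadLayout = true;
    }

    // Text the cache currently holds for a child, or "" if unregistered.
    std::string cachedTextFor(const InlineText& child) const {
        auto it = std::find(m_layoutAttributes.begin(), m_layoutAttributes.end(), &child.attrs);
        return it == m_layoutAttributes.end() ? std::string() : (*it)->text;
    }

private:
    void childWasAdded(InlineText& child) {
        m_children.push_back(&child);
        m_layoutAttributes.push_back(&child.attrs);
        child.attrs.text = child.data;  // the update the skipped callback would have made
    }

    bool m_guardPartialInsert;
    std::vector<InlineText*> m_children;
    std::vector<LayoutAttributes*> m_layoutAttributes;
};

int main() {
    InlineText pass;
    pass.data = "pass";
    TextContainer fixed(true);
    std::cout << (fixed.addChild(pass, true) == TextContainer::Result::SkippedNotYetAdded ? "guard hit, " : "")
              << "cached=" << fixed.cachedTextFor(pass) << '\n';
    return 0;
}
```

Build with any C++14 compiler (for example `c++ -std=c++14 model.cpp`). The constructor flag selects pre-fix or post-fix behaviour so both paths can be compared on the same input; the point of the model is that the membership check turns a callback on half-inserted state into a no-op, while a later mutation of the registered child still takes the normal update path.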

Diff

Modified: trunk/LayoutTests/ChangeLog (161629 => 161630)


--- trunk/LayoutTests/ChangeLog	2014-01-10 12:03:10 UTC (rev 161629)
+++ trunk/LayoutTests/ChangeLog	2014-01-10 12:33:09 UTC (rev 161630)
@@ -1,3 +1,13 @@
+2014-01-10  Antti Koivisto  <an...@apple.com>
+
+        Crash when mutating SVG text with transform
+        https://bugs.webkit.org/show_bug.cgi?id=126744
+
+        Reviewed by Dirk Schulze.
+
+        * svg/custom/mutation-text-transform-crash-expected.txt: Added.
+        * svg/custom/mutation-text-transform-crash.html: Added.
+
 2014-01-10  Frédéric Wang  <fred.w...@free.fr>
 
         [SVG] Accept HTML and MathML namespaces as valid requiredExtensions

Added: trunk/LayoutTests/svg/custom/mutation-text-transform-crash-expected.txt (0 => 161630)


--- trunk/LayoutTests/svg/custom/mutation-text-transform-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/mutation-text-transform-crash-expected.txt	2014-01-10 12:33:09 UTC (rev 161630)
@@ -0,0 +1,2 @@
+PASS
+

Added: trunk/LayoutTests/svg/custom/mutation-text-transform-crash.html (0 => 161630)


--- trunk/LayoutTests/svg/custom/mutation-text-transform-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/mutation-text-transform-crash.html	2014-01-10 12:33:09 UTC (rev 161630)
@@ -0,0 +1,23 @@
+<html>
+<!-- This test passes if there is no crash or assert -->
+<style>
+text { text-transform: uppercase; }
+</style>
+<script>
+function testCrash() {
+    document.body.offsetWidth;
+    var test = document.getElementById('test');
+    test.removeChild(test.firstChild);
+    var textNode = document.createTextNode("PASS");
+    test.appendChild(textNode);
+}
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<body _onload_="testCrash()">
+<svg>
+    <text id="test" x="0" y="15">FAIL</text>
+</svg>
+</body>
+</html>
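Review bot: the body tag reads `<body _onload_="testCrash()">`, which is not a recognised event handler attribute, so as shown here testCrash() would never run and the test would dump "FAIL" instead of the expected "PASS"; if this is the mail archive rewriting `onload`, the committed file is fine, otherwise it needs to be `onload`. The `document.body.offsetWidth;` read is what forces layout so the render tree exists before removeChild/appendChild, which is the state the fix depends on; a one-line comment saying so would stop someone trimming it as dead code. The test exercises only the appendChild path; if setting `.data` on an existing text child with text-transform applied reaches subtreeTextDidChange the same way, a second case covering that would make the regression test broader.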

Modified: trunk/Source/WebCore/ChangeLog (161629 => 161630)


--- trunk/Source/WebCore/ChangeLog	2014-01-10 12:03:10 UTC (rev 161629)
+++ trunk/Source/WebCore/ChangeLog	2014-01-10 12:33:09 UTC (rev 161630)
@@ -1,3 +1,23 @@
+2014-01-10  Antti Koivisto  <an...@apple.com>
+
+        Crash when mutating SVG text with transform
+        https://bugs.webkit.org/show_bug.cgi?id=126744
+
+        Reviewed by Dirk Schulze.
+
+        Test: svg/custom/mutation-text-transform-crash.html
+        
+        Text-transform property triggers subtreeTextDidChange when an SVG text renderer is
+        being added to the render tree. The function assumes the child is already fully in the tree
+        but in this case we are still in middle of adding it.
+
+        * rendering/svg/RenderSVGText.cpp:
+        (WebCore::RenderSVGText::subtreeTextDidChange):
+        
+            Bail out if the changed RenderSVGInlineText can't be found from m_layoutAttributes.
+            This means that subtreeChildWasAdded hasn't been invoked yet for it and there is nothing
+            to update. The required updates will happen in subtreeChildWasAdded.
+
 2014-01-10  Frédéric Wang  <fred.w...@free.fr>
 
         [SVG] Accept HTML and MathML namespaces as valid requiredExtensions

Modified: trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp (161629 => 161630)


--- trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp	2014-01-10 12:03:10 UTC (rev 161629)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp	2014-01-10 12:33:09 UTC (rev 161630)
@@ -321,6 +321,11 @@
         ASSERT(!m_layoutAttributesBuilder.numberOfTextPositioningElements());
         return;
     }
+    // Text transforms can cause text change to be signaled during addChild before m_layoutAttributes has been updated.
+    if (!m_layoutAttributes.contains(text->layoutAttributes())) {
+        ASSERT(!text->everHadLayout());
+        return;
+    }
 
     // Always protect the cache before clearing text positioning elements when the cache will subsequently be rebuilt.
     FontCachePurgePreventer fontCachePurgePreventer;
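Review bot: the new early return treats every miss in m_layoutAttributes as "child still being added", and only the debug-only `ASSERT(!text->everHadLayout());` distinguishes that from a stale or inconsistent cache; in release builds an entry that went missing for any other reason would now be silently skipped rather than noticed, so the code comment should state the contract explicitly (that subtreeChildWasAdded is expected to pick the entry up afterwards, as the ChangeLog says but the comment does not). `m_layoutAttributes.contains(text->layoutAttributes())` is a linear scan on every text change; acceptable for this path, but worth a note if subtreeTextDidChange can fire per character mutation on large text elements.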
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
