Revision: 166628
Author: jhoneyc...@apple.com
Date: 2014-04-01 19:48:14 -0700 (Tue, 01 Apr 2014)
Log Message
Crash in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients
<https://bugs.webkit.org/show_bug.cgi?id=121887>
<rdar://problem/15073043>
Reviewed by Dean Jackson.
Source/WebCore:
Test: svg/filters/first-letter-crash.html
* rendering/FilterEffectRenderer.cpp:
(WebCore::FilterEffectRenderer::buildReferenceFilter):
Added a null check to prevent crashes for anonymous RenderObjects.
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::filterNeedsRepaint):
Get the enclosing element, if there is one, and recalculate its style.
We use the enclosing element so that we recalculate style for the
ancestor of an anonymous RenderElement.
(WebCore::RenderLayer::enclosingElement):
Remove an assertion; we may now reach this condition if loading a
cached SVG document results in RenderLayer::filterNeedsRepaint() being
called before the object has been inserted into the render tree.
* rendering/RenderLayerFilterInfo.cpp:
(WebCore::RenderLayer::FilterInfo::notifyFinished):
Tell the RenderLayer that the filter needs repainting.
(WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients):
Get the Element from the renderer rather than asking the renderer's
Element, which will be null for anonymous RenderObjects.
* rendering/RenderLayerFilterInfo.h:
Removed declaration for the old workaround function, layerElement().
LayoutTests:
* svg/filters/first-letter-crash-expected.txt: Added.
* svg/filters/first-letter-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (166627 => 166628)
--- trunk/LayoutTests/ChangeLog 2014-04-02 02:41:12 UTC (rev 166627)
+++ trunk/LayoutTests/ChangeLog 2014-04-02 02:48:14 UTC (rev 166628)
@@ -1,3 +1,15 @@
+2014-04-01 Jon Honeycutt <jhoneyc...@apple.com>
+
+ Crash in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients
+
+ <https://bugs.webkit.org/show_bug.cgi?id=121887>
+ <rdar://problem/15073043>
+
+ Reviewed by Dean Jackson.
+
+ * svg/filters/first-letter-crash-expected.txt: Added.
+ * svg/filters/first-letter-crash.html: Added.
+
2014-04-01 Zoltan Horvath <zol...@webkit.org>
[CSS Exclusions] Remove exclusions parsing support
Added: trunk/LayoutTests/svg/filters/first-letter-crash-expected.txt (0 => 166628)
--- trunk/LayoutTests/svg/filters/first-letter-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/filters/first-letter-crash-expected.txt 2014-04-02 02:48:14 UTC (rev 166628)
@@ -0,0 +1,2 @@
+PASS.
+WebKit bug #121887: Crash when applying SVG filter to first-letter pseudo element. This test passes if it does not crash.
Added: trunk/LayoutTests/svg/filters/first-letter-crash.html (0 => 166628)
--- trunk/LayoutTests/svg/filters/first-letter-crash.html (rev 0)
+++ trunk/LayoutTests/svg/filters/first-letter-crash.html 2014-04-02 02:48:14 UTC (rev 166628)
@@ -0,0 +1,16 @@
+<head>
+ <style>
+ div:first-letter { -webkit-filter: url(#blurFirstLetter); }
+ </style>
+</head>
+
+<div>PASS.</div>
+
+<p>
+ WebKit bug #<a href="" Crash when applying SVG filter to first-letter pseudo element. This test passes if it does not crash.
+</p>
+
+<script>
+ if (window.testRunner)
+ window.testRunner.dumpAsText();
+</script>
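Review bot: the test never defines an element with id `blurFirstLetter`, so `url(#blurFirstLetter)` stays unresolved and the "filter not found, add pending resource" branch of FilterEffectRenderer::buildReferenceFilter is what this test actually exercises; a one-line comment in the test saying the filter is intentionally undefined would stop a future edit from adding an `<svg><filter id="blurFirstLetter">` and silently losing that coverage. Also, the anchor `WebKit bug #<a href=""` on the description line renders here with an empty href; confirm the committed file carries the bugs.webkit.org URL.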
Modified: trunk/Source/WebCore/ChangeLog (166627 => 166628)
--- trunk/Source/WebCore/ChangeLog 2014-04-02 02:41:12 UTC (rev 166627)
+++ trunk/Source/WebCore/ChangeLog 2014-04-02 02:48:14 UTC (rev 166628)
@@ -1,3 +1,38 @@
+2014-04-01 Jon Honeycutt <jhoneyc...@apple.com>
+
+ Crash in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients
+
+ <https://bugs.webkit.org/show_bug.cgi?id=121887>
+ <rdar://problem/15073043>
+
+ Reviewed by Dean Jackson.
+
+ Test: svg/filters/first-letter-crash.html
+
+ * rendering/FilterEffectRenderer.cpp:
+ (WebCore::FilterEffectRenderer::buildReferenceFilter):
+ Added a null check to prevent crashes for anonymous RenderObjects.
+
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::filterNeedsRepaint):
+ Get the enclosing element, if there is one, and recalculate its style.
+ We use the enclosing element so that we recalculate style for the
+ ancestor of an anonymous RenderElement.
+ (WebCore::RenderLayer::enclosingElement):
+ Remove an assertion; we may now reach this condition if loading a
+ cached SVG document results in RenderLayer::filterNeedsRepaint() being
+ called before the object has been inserted into the render tree.
+
+ * rendering/RenderLayerFilterInfo.cpp:
+ (WebCore::RenderLayer::FilterInfo::notifyFinished):
+ Tell the RenderLayer that the filter needs repainting.
+ (WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients):
+ Get the Element from the renderer rather than asking the renderer's
+ Element, which will be null for anonymous RenderObjects.
+
+ * rendering/RenderLayerFilterInfo.h:
+ Removed declaration for the old workaround function, layerElement().
+
2014-04-01 Ryuan Choi <ryuan.c...@samsung.com>
Build break when disabled VIDEO since r166261
Modified: trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp (166627 => 166628)
--- trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp 2014-04-02 02:41:12 UTC (rev 166627)
+++ trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp 2014-04-02 02:48:14 UTC (rev 166628)
@@ -104,9 +104,10 @@
Element* filter = document->getElementById(filterOperation->fragment());
if (!filter) {
- // Although we did not find the referenced filter, it might exist later
- // in the document
- document->accessSVGExtensions()->addPendingResource(filterOperation->fragment(), renderer->element());
+ // Although we did not find the referenced filter, it might exist later in the document.
+ // FIXME: This skips anonymous RenderObjects. <https://webkit.org/b/131085>
+ if (Element* element = renderer->element())
+ document->accessSVGExtensions()->addPendingResource(filterOperation->fragment(), element);
return 0;
}
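Review bot: the new `if (Element* element = renderer->element())` guard avoids the null dereference, but it also means a filter referenced from an anonymous renderer (the `:first-letter` case from the test) is never registered as a pending resource, so if the referenced filter element is defined later in the document it will never be applied to that renderer. The FIXME points at webkit.org/b/131085; it would help to state that user-visible consequence in the comment itself, and to consider registering the layer's enclosing element instead, mirroring what RenderLayer::filterNeedsRepaint does elsewhere in this same patch.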
Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (166627 => 166628)
--- trunk/Source/WebCore/rendering/RenderLayer.cpp 2014-04-02 02:41:12 UTC (rev 166627)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp 2014-04-02 02:48:14 UTC (rev 166628)
@@ -4650,7 +4650,6 @@
if (Element* e = r->element())
return e;
}
- ASSERT_NOT_REACHED();
return 0;
}
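Review bot: dropping `ASSERT_NOT_REACHED()` turns enclosingElement() from an invariant ("every layer has an enclosing element") into a function that may legitimately return 0, but only one caller, filterNeedsRepaint() in the next hunk, gains a null check in this patch. Any other caller that dereferences the result unconditionally now has a latent null dereference on the same early-load path the ChangeLog describes; please audit them, or, if filterNeedsRepaint() is the only path that can reach this, keep the assertion and guard that caller alone. A comment above `return 0;` explaining why a null return is now expected (filterNeedsRepaint() called before the object is inserted into the render tree) would also spare the next reader the archaeology.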
@@ -6804,7 +6803,9 @@
void RenderLayer::filterNeedsRepaint()
{
- renderer().element()->setNeedsStyleRecalc(SyntheticStyleChange);
+ // We use the enclosing element so that we recalculate style for the ancestor of an anonymous object.
+ if (Element* element = enclosingElement())
+ element->setNeedsStyleRecalc(SyntheticStyleChange);
renderer().repaint();
}
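Review bot: when enclosingElement() returns 0 the style recalc is skipped silently while `renderer().repaint()` still runs. Since this function is now reached from FilterInfo::notifyFinished (later hunk) when a cached SVG filter finishes loading, a layer with no enclosing element at that moment gets repainted without its style, and therefore without the freshly loaded filter, being recomputed. If that is fine because the object has not been inserted into the render tree yet and will receive a full style resolve on insertion, the comment should say so; otherwise the recalc needs to be deferred rather than dropped.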
Modified: trunk/Source/WebCore/rendering/RenderLayerFilterInfo.cpp (166627 => 166628)
--- trunk/Source/WebCore/rendering/RenderLayerFilterInfo.cpp 2014-04-02 02:41:12 UTC (rev 166627)
+++ trunk/Source/WebCore/rendering/RenderLayerFilterInfo.cpp 2014-04-02 02:48:14 UTC (rev 166628)
@@ -93,16 +93,9 @@
void RenderLayer::FilterInfo::notifyFinished(CachedResource*)
{
- m_layer.renderer().element()->setNeedsStyleRecalc(SyntheticStyleChange);
- m_layer.renderer().repaint();
+ m_layer.filterNeedsRepaint();
}
-
-// FIXME: Remove this helper function when <rdar://problem/16230015> is fixed.
-NEVER_INLINE Element* RenderLayer::FilterInfo::layerElement() const
-{
- return m_layer.renderer().element();
-}
-
+
void RenderLayer::FilterInfo::updateReferenceFilterClients(const FilterOperations& operations)
{
removeReferenceFilterClients();
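Review bot: the removed comment said the layerElement() helper should go away once <rdar://problem/16230015> is fixed, but neither this hunk nor the ChangeLog says whether that radar was resolved or whether the helper is simply unnecessary now that callers go through m_layer.renderer() directly; one sentence in the ChangeLog would settle it. Separately, the `-` blank line followed by a `+` blank line is a net-zero whitespace change that only adds noise to the diff; without it the hunk is reduced to the real change, notifyFinished delegating to filterNeedsRepaint() so both callers share the null-safe path.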
@@ -121,7 +114,7 @@
} else {
// Reference is internal; add layer as a client so we can trigger
// filter repaint on SVG attribute change.
- Element* filter = layerElement()->document().getElementById(referenceFilterOperation->fragment());
+ Element* filter = m_layer.renderer().document().getElementById(referenceFilterOperation->fragment());
if (!filter || !filter->renderer() || !filter->renderer()->isSVGResourceFilter())
continue;
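Review bot: routing the lookup through `m_layer.renderer().document()` removes the null dereference for anonymous renderers on this line, and the following `if (!filter || !filter->renderer() || !filter->renderer()->isSVGResourceFilter())` still covers a filter that is missing or not yet rendered. One gap worth confirming is intentional: unlike buildReferenceFilter in the earlier hunk, an unresolved internal reference here just hits `continue;` and does not register a pending resource, so the layer is never added as a client if the filter element appears later. That looks pre-existing, but it is the same class of problem the test targets.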
Modified: trunk/Source/WebCore/rendering/RenderLayerFilterInfo.h (166627 => 166628)
--- trunk/Source/WebCore/rendering/RenderLayerFilterInfo.h 2014-04-02 02:41:12 UTC (rev 166627)
+++ trunk/Source/WebCore/rendering/RenderLayerFilterInfo.h 2014-04-02 02:48:14 UTC (rev 166628)
@@ -63,8 +63,6 @@
void removeReferenceFilterClients();
private:
- Element* layerElement() const;
-
friend void WTF::deleteOwnedPtr<FilterInfo>(FilterInfo*);
virtual void notifyFinished(CachedResource*) override;