Title: [105549] trunk
- Revision: 105549
- Author: timothy_hor...@apple.com
- Date: 2012-01-20 15:23:56 -0800 (Fri, 20 Jan 2012)
Log Message
Crash in RenderSVGResourceContainer::markAllClientsForInvalidation
https://bugs.webkit.org/show_bug.cgi?id=76606
<rdar://problem/10720970>
Reviewed by Dirk Schulze.
Notify SVGResourcesCache and superclass when RenderSVGInline is about
to be destroyed, preventing a crash.
Test: svg/custom/crash-inline-container-client.html
* rendering/svg/RenderSVGInline.cpp:
(WebCore::RenderSVGInline::willBeDestroyed):
* rendering/svg/RenderSVGInline.h:
* svg/custom/crash-inline-container-client-expected.txt: Added.
* svg/custom/crash-inline-container-client.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (105548 => 105549)
--- trunk/LayoutTests/ChangeLog 2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/LayoutTests/ChangeLog 2012-01-20 23:23:56 UTC (rev 105549)
@@ -1,3 +1,14 @@
+2012-01-20 Tim Horton <timothy_hor...@apple.com>
+
+ Crash in RenderSVGResourceContainer::markAllClientsForInvalidation
+ https://bugs.webkit.org/show_bug.cgi?id=76606
+ <rdar://problem/10720970>
+
+ Reviewed by Dirk Schulze.
+
+ * svg/custom/crash-inline-container-client-expected.txt: Added.
+ * svg/custom/crash-inline-container-client.html: Added.
+
2012-01-20 Alexey Proskuryakov <a...@apple.com>
WebCore should not send invalid URLs to client createWindow methods.
Added: trunk/LayoutTests/svg/custom/crash-inline-container-client-expected.txt (0 => 105549)
--- trunk/LayoutTests/svg/custom/crash-inline-container-client-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/crash-inline-container-client-expected.txt 2012-01-20 23:23:56 UTC (rev 105549)
@@ -0,0 +1,2 @@
+This test passes if it does not crash.
+
Added: trunk/LayoutTests/svg/custom/crash-inline-container-client.html (0 => 105549)
--- trunk/LayoutTests/svg/custom/crash-inline-container-client.html (rev 0)
+++ trunk/LayoutTests/svg/custom/crash-inline-container-client.html 2012-01-20 23:23:56 UTC (rev 105549)
@@ -0,0 +1,24 @@
+<svg>
+<g>
+<defs><linearGradient id="linearGradient"></linearGradient></defs>
+<text style="fill:url(#linearGradient);">
+ B<tspan>A</tspan>
+</text>
+<text style="filter:url(#dropShadow);">
+ <tspan id="tspan">K</tspan>
+</text>
+</g>
+
+<text x="10" y="30">This test passes if it does not crash.</text>
+
+<script>
+var canvas = document.createElement("canvas");
+document.getElementById("linearGradient").appendChild(canvas);
+range = document.createRange();
+range.setEndAfter(document.getElementById("tspan"));
+range.extractContents();
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</svg>
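Review bot: In the script block, `range = document.createRange();` assigns without `var` and so creates an implicit global, while `canvas` two lines above is declared with `var`; declare `range` the same way. Separately, the second text element's `filter:url(#dropShadow)` refers to an id that nothing in this file defines, and the script appends a canvas into the linearGradient before calling `range.extractContents()`. If the dangling filter reference and the canvas child are both required to reproduce the crash, a short comment in the test saying so would keep a later cleanup from removing them and silently neutering the regression test.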
Modified: trunk/Source/WebCore/ChangeLog (105548 => 105549)
--- trunk/Source/WebCore/ChangeLog 2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/Source/WebCore/ChangeLog 2012-01-20 23:23:56 UTC (rev 105549)
@@ -1,3 +1,20 @@
+2012-01-20 Tim Horton <timothy_hor...@apple.com>
+
+ Crash in RenderSVGResourceContainer::markAllClientsForInvalidation
+ https://bugs.webkit.org/show_bug.cgi?id=76606
+ <rdar://problem/10720970>
+
+ Reviewed by Dirk Schulze.
+
+ Notify SVGResourcesCache and superclass when RenderSVGInline is about
+ to be destroyed, preventing a crash.
+
+ Test: svg/custom/crash-inline-container-client.html
+
+ * rendering/svg/RenderSVGInline.cpp:
+ (WebCore::RenderSVGInline::willBeDestroyed):
+ * rendering/svg/RenderSVGInline.h:
+
2012-01-20 Alexey Proskuryakov <a...@apple.com>
WebCore should not send invalid URLs to client createWindow methods.
Modified: trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp (105548 => 105549)
--- trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp 2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp 2012-01-20 23:23:56 UTC (rev 105549)
@@ -95,6 +95,12 @@
quads.append(localToAbsoluteQuad(FloatRect(textBoundingBox.x() + box->x(), textBoundingBox.y() + box->y(), box->logicalWidth(), box->logicalHeight()), false, wasFixed));
}
+void RenderSVGInline::willBeDestroyed()
+{
+ SVGResourcesCache::clientDestroyed(this);
+ RenderInline::willBeDestroyed();
+}
+
void RenderSVGInline::styleWillChange(StyleDifference diff, const RenderStyle* newStyle)
{
if (diff == StyleDifferenceLayout)
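Review bot: In the new `RenderSVGInline::willBeDestroyed()`, `SVGResourcesCache::clientDestroyed(this)` is placed ahead of `RenderInline::willBeDestroyed()` with nothing saying whether that order is required. If the cache has to be notified while the renderer is still intact, add a one-line comment stating it, so a later refactor does not move the superclass call first and bring back the stale client pointer that the log message describes as crashing in markAllClientsForInvalidation. The hunk starts at line 95 and no include change is shown for this file, so please also confirm that the header declaring SVGResourcesCache is already included in RenderSVGInline.cpp.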
Modified: trunk/Source/WebCore/rendering/svg/RenderSVGInline.h (105548 => 105549)
--- trunk/Source/WebCore/rendering/svg/RenderSVGInline.h 2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGInline.h 2012-01-20 23:23:56 UTC (rev 105549)
@@ -53,6 +53,7 @@
private:
virtual InlineFlowBox* createInlineFlowBox();
+ virtual void willBeDestroyed();
virtual void styleWillChange(StyleDifference, const RenderStyle* newStyle);
virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
virtual void updateFromElement();