Title: [105549] trunk
Revision: 105549
Author: timothy_hor...@apple.com
Date: 2012-01-20 15:23:56 -0800 (Fri, 20 Jan 2012)

Log Message

Crash in RenderSVGResourceContainer::markAllClientsForInvalidation
https://bugs.webkit.org/show_bug.cgi?id=76606
<rdar://problem/10720970>

Reviewed by Dirk Schulze.

Notify SVGResourcesCache and superclass when RenderSVGInline is about
to be destroyed, preventing a crash.

Test: svg/custom/crash-inline-container-client.html

* rendering/svg/RenderSVGInline.cpp:
(WebCore::RenderSVGInline::willBeDestroyed):
* rendering/svg/RenderSVGInline.h:

* svg/custom/crash-inline-container-client-expected.txt: Added.
* svg/custom/crash-inline-container-client.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (105548 => 105549)


--- trunk/LayoutTests/ChangeLog	2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/LayoutTests/ChangeLog	2012-01-20 23:23:56 UTC (rev 105549)
@@ -1,3 +1,14 @@
+2012-01-20  Tim Horton  <timothy_hor...@apple.com>
+
+        Crash in RenderSVGResourceContainer::markAllClientsForInvalidation
+        https://bugs.webkit.org/show_bug.cgi?id=76606
+        <rdar://problem/10720970>
+
+        Reviewed by Dirk Schulze.
+
+        * svg/custom/crash-inline-container-client-expected.txt: Added.
+        * svg/custom/crash-inline-container-client.html: Added.
+
 2012-01-20  Alexey Proskuryakov  <a...@apple.com>
 
         WebCore should not send invalid URLs to client createWindow methods.

Added: trunk/LayoutTests/svg/custom/crash-inline-container-client-expected.txt (0 => 105549)


--- trunk/LayoutTests/svg/custom/crash-inline-container-client-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/crash-inline-container-client-expected.txt	2012-01-20 23:23:56 UTC (rev 105549)
@@ -0,0 +1,2 @@
+This test passes if it does not crash.
+

Added: trunk/LayoutTests/svg/custom/crash-inline-container-client.html (0 => 105549)


--- trunk/LayoutTests/svg/custom/crash-inline-container-client.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/crash-inline-container-client.html	2012-01-20 23:23:56 UTC (rev 105549)
@@ -0,0 +1,24 @@
+<svg>
+<g>
+<defs><linearGradient id="linearGradient"></linearGradient></defs>
+<text style="fill:url(#linearGradient);">
+  B<tspan>A</tspan>
+</text>
+<text style="filter:url(#dropShadow);">
+  <tspan id="tspan">K</tspan>
+</text>
+</g>
+
+<text x="10" y="30">This test passes if it does not crash.</text>
+
+<script>
+var canvas = document.createElement("canvas");
+document.getElementById("linearGradient").appendChild(canvas);
+range = document.createRange();
+range.setEndAfter(document.getElementById("tspan"));
+range.extractContents();
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</svg>
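
Review bot: `range = document.createRange();` in the script assigns an implicit global; declare it with `var`, as is done for `canvas` two lines above. The second `<text>` also uses `filter:url(#dropShadow)` although no element with that id is defined in this file. If the dangling reference is needed to reproduce the crash, say so in a comment, otherwise it reads like a leftover from test reduction. A short comment naming the trigger sequence (appending a child to `linearGradient`, then `range.extractContents()`) would make the test easier to maintain.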

Modified: trunk/Source/WebCore/ChangeLog (105548 => 105549)


--- trunk/Source/WebCore/ChangeLog	2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/Source/WebCore/ChangeLog	2012-01-20 23:23:56 UTC (rev 105549)
@@ -1,3 +1,20 @@
+2012-01-20  Tim Horton  <timothy_hor...@apple.com>
+
+        Crash in RenderSVGResourceContainer::markAllClientsForInvalidation
+        https://bugs.webkit.org/show_bug.cgi?id=76606
+        <rdar://problem/10720970>
+
+        Reviewed by Dirk Schulze.
+
+        Notify SVGResourcesCache and superclass when RenderSVGInline is about
+        to be destroyed, preventing a crash.
+
+        Test: svg/custom/crash-inline-container-client.html
+
+        * rendering/svg/RenderSVGInline.cpp:
+        (WebCore::RenderSVGInline::willBeDestroyed):
+        * rendering/svg/RenderSVGInline.h:
+
 2012-01-20  Alexey Proskuryakov  <a...@apple.com>
 
         WebCore should not send invalid URLs to client createWindow methods.
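
Review bot: The description in this entry says the notification prevents a crash but not what goes wrong without it. One more sentence on what `SVGResourcesCache` is left holding for a destroyed `RenderSVGInline` would make the entry more useful to someone bisecting or auditing sibling renderers later.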

Modified: trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp (105548 => 105549)


--- trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp	2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp	2012-01-20 23:23:56 UTC (rev 105549)
@@ -95,6 +95,12 @@
         quads.append(localToAbsoluteQuad(FloatRect(textBoundingBox.x() + box->x(), textBoundingBox.y() + box->y(), box->logicalWidth(), box->logicalHeight()), false, wasFixed));
 }
 
+void RenderSVGInline::willBeDestroyed()
+{
+    SVGResourcesCache::clientDestroyed(this);
+    RenderInline::willBeDestroyed();
+}
+
 void RenderSVGInline::styleWillChange(StyleDifference diff, const RenderStyle* newStyle)
 {
     if (diff == StyleDifferenceLayout)
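
Review bot: In `RenderSVGInline::willBeDestroyed()` the order of the two calls looks deliberate, with `SVGResourcesCache::clientDestroyed(this)` running before `RenderInline::willBeDestroyed()` so the cache is updated while the renderer is still intact. Add a one-line comment saying so, so that a later refactor does not swap them. The hunk does not show an include for `SVGResourcesCache`, so it is worth confirming the file already has one rather than picking it up transitively.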

Modified: trunk/Source/WebCore/rendering/svg/RenderSVGInline.h (105548 => 105549)


--- trunk/Source/WebCore/rendering/svg/RenderSVGInline.h	2012-01-20 23:22:46 UTC (rev 105548)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGInline.h	2012-01-20 23:23:56 UTC (rev 105549)
@@ -53,6 +53,7 @@
 private:
     virtual InlineFlowBox* createInlineFlowBox();
 
+    virtual void willBeDestroyed();
     virtual void styleWillChange(StyleDifference, const RenderStyle* newStyle);
     virtual void styleDidChange(StyleDifference, const RenderStyle* oldStyle);
     virtual void updateFromElement();
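
Review bot: The new `virtual void willBeDestroyed();` declaration in the private section has nothing that makes the compiler check it against the base class. If its signature ever diverges from `RenderInline::willBeDestroyed()`, it becomes a new virtual and the `SVGResourcesCache::clientDestroyed(this)` call is silently skipped. Mark it as an override if the tree has an annotation for that; the neighbouring declarations would benefit from the same treatment.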