Title: [108084] trunk
Revision: 108084
Author: [email protected]
Date: 2012-02-17 09:06:11 -0800 (Fri, 17 Feb 2012)

Log Message

Crash at WebCore::SVGUseElement::expandSymbolElementsInShadowTree
https://bugs.webkit.org/show_bug.cgi?id=77639

Patch by Stephen Chenney <[email protected]> on 2012-02-17
Reviewed by Nikolas Zimmermann.

Source/WebCore:

Fix a SVG crash in Release builds, although it still crashes in Debug builds.
The crash occurred when an SVG use element attempted to reference a style element while the file
contained an error causing the error banner to display. The fix is to prevent SVGUseElement
from recalculating style during tree building and return immediately when style is recalculated and
the tree is building.

Test: svg/custom/use-referencing-style-crash.svg

* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::willRecalcStyle): Return false if the tree is being built.
(WebCore::SVGUseElement::didRecalcStyle): Check and return if the tree
is being built and we are not yet ready for style update.

LayoutTests:

Fix a SVG crash in Release builds, although it still crashes in Debug builds.
This test is to verify no crash in Release builds, while expectations/Skipped
are added for Debug builds. Bug 77764 tracks the Debug fix.

* platform/chromium/test_expectations.txt:
* platform/gtk/Skipped:
* platform/mac/Skipped:
* platform/qt/Skipped:
* platform/win/Skipped:
* svg/custom/use-referencing-style-crash-expected.txt: Added.
* svg/custom/use-referencing-style-crash.svg: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (108083 => 108084)


--- trunk/LayoutTests/ChangeLog	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/LayoutTests/ChangeLog	2012-02-17 17:06:11 UTC (rev 108084)
@@ -1,3 +1,22 @@
+2012-02-17  Stephen Chenney  <[email protected]>
+
+        Crash at WebCore::SVGUseElement::expandSymbolElementsInShadowTree
+        https://bugs.webkit.org/show_bug.cgi?id=77639
+
+        Reviewed by Nikolas Zimmermann.
+
+        Fix a SVG crash in Release builds, although it still crashes in Debug builds.
+        This test is to verify no crash in Release builds, while expectations/Skipped
+        are added for Debug builds. Bug 77764 tracks the Debug fix.
+
+        * platform/chromium/test_expectations.txt:
+        * platform/gtk/Skipped:
+        * platform/mac/Skipped:
+        * platform/qt/Skipped:
+        * platform/win/Skipped:
+        * svg/custom/use-referencing-style-crash-expected.txt: Added.
+        * svg/custom/use-referencing-style-crash.svg: Added.
+
 2012-02-17  Florin Malita  <[email protected]>
 
         chrome.dll!WebCore::SVGTRefElement::updateReferencedText ReadAV@NULL (e85cb8e140071fa7790cad215b0109dc)

Modified: trunk/LayoutTests/platform/chromium/test_expectations.txt (108083 => 108084)


--- trunk/LayoutTests/platform/chromium/test_expectations.txt	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/LayoutTests/platform/chromium/test_expectations.txt	2012-02-17 17:06:11 UTC (rev 108084)
@@ -943,6 +943,9 @@
 BUGCR23463 LINUX WIN : svg/W3C-SVG-1.1/struct-symbol-01-b.svg = IMAGE+TEXT
 BUGCR23463 LINUX WIN : svg/W3C-SVG-1.1/struct-use-01-t.svg = PASS IMAGE+TEXT IMAGE
 
+// Crashes due to debug assert until we fix issues with style elements in SVG
+BUGWK77764 DEBUG : svg/custom/use-referencing-style-crash.svg = CRASH
+
 // Merge 39744:39829 - regression
 BUGCR10284 MAC : svg/custom/path-bad-data.svg = FAIL
 

Modified: trunk/LayoutTests/platform/gtk/Skipped (108083 => 108084)


--- trunk/LayoutTests/platform/gtk/Skipped	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/LayoutTests/platform/gtk/Skipped	2012-02-17 17:06:11 UTC (rev 108084)
@@ -852,6 +852,9 @@
 svg/custom/circular-marker-reference-2.svg
 svg/custom/non-circular-marker-reference.svg
 
+# Crashes due to debug assert until we fix issues with style elements in SVG
+svg/custom/use-referencing-style-crash.svg
+
 # Canvas tests
 
 # Tests that fail across all platforms.
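
Review bot: The new Skipped entry for svg/custom/use-referencing-style-crash.svg has no bug reference and no build-configuration scope. The mac hunk puts the https://bugs.webkit.org/show_bug.cgi?id=77764 line above the same entry, and the chromium expectation is limited with DEBUG, but here (and in the qt and win hunks) the comment only mentions a "debug assert". Please add the bug URL so the entry can be removed when 77764 is fixed. Since an unqualified Skipped entry is not limited to Debug, the ChangeLog should also say that the Release no-crash check described in the log message is not exercised on these ports.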

Modified: trunk/LayoutTests/platform/mac/Skipped (108083 => 108084)


--- trunk/LayoutTests/platform/mac/Skipped	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/LayoutTests/platform/mac/Skipped	2012-02-17 17:06:11 UTC (rev 108084)
@@ -53,6 +53,10 @@
 media/video-controls-zoomed.html
 media/video-source-error.html
 
+# Crashes due to debug assert until we fix issues with style elements in SVG
+# https://bugs.webkit.org/show_bug.cgi?id=77764
+svg/custom/use-referencing-style-crash.svg
+
 # This test requires media controls has a volume slider.
 media/video-volume-slider.html
 

Modified: trunk/LayoutTests/platform/qt/Skipped (108083 => 108084)


--- trunk/LayoutTests/platform/qt/Skipped	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/LayoutTests/platform/qt/Skipped	2012-02-17 17:06:11 UTC (rev 108084)
@@ -1409,6 +1409,9 @@
 svg/custom/mask-invalidation.svg
 svg/custom/absolute-sized-content-with-resources.xhtml
 
+# Crashes due to debug assert until we fix issues with style elements in SVG
+svg/custom/use-referencing-style-crash.svg
+
 # ============================================================================= #
 # Failing CSS Tests
 # ============================================================================= #

Modified: trunk/LayoutTests/platform/win/Skipped (108083 => 108084)


--- trunk/LayoutTests/platform/win/Skipped	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/LayoutTests/platform/win/Skipped	2012-02-17 17:06:11 UTC (rev 108084)
@@ -227,6 +227,9 @@
 # https://bugs.webkit.org/show_bug.cgi?id=35013 (Impossible to test text-only-zoom from DRT on Windows)
 svg/zoom/text
 
+# Crashes due to debug assert until we fix issues with style elements in SVG
+svg/custom/use-referencing-style-crash.svg
+
 # No support for WebArchives in WebKitWin <rdar://problem/6436020>
 webarchive
 svg/webarchive

Added: trunk/LayoutTests/svg/custom/use-referencing-style-crash-expected.txt (0 => 108084)


--- trunk/LayoutTests/svg/custom/use-referencing-style-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-referencing-style-crash-expected.txt	2012-02-17 17:06:11 UTC (rev 108084)
@@ -0,0 +1,6 @@
+This page contains the following errors:
+
+error on line 9 at column 12: Extra content at the end of the document
+Below is a rendering of the page up to the first error.
+
+

Added: trunk/LayoutTests/svg/custom/use-referencing-style-crash.svg (0 => 108084)


--- trunk/LayoutTests/svg/custom/use-referencing-style-crash.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-referencing-style-crash.svg	2012-02-17 17:06:11 UTC (rev 108084)
@@ -0,0 +1,9 @@
+<!-- This test is designed to have errors in the svg content. It should not crash. -->
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <use xlink:href=""
+  <script>
+    if (window.layoutTestController)
+      layoutTestController.dumpAsText();
+  </script>
+  <symbol id="foo">
+    <style>
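
Review bot: The comment on line 1 of the new test says the file is "designed to have errors" but does not say which malformations the test depends on, so a later cleanup could close the tags and quietly stop covering the crash. The expected output added in this revision pins "error on line 9 at column 12", which is the end of the unclosed <style> line, so the exact line layout is also load-bearing. Please extend the existing comment (without adding lines) to name the intended errors and to note that the expectation file must be regenerated if the layout changes.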

Modified: trunk/Source/WebCore/ChangeLog (108083 => 108084)


--- trunk/Source/WebCore/ChangeLog	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/Source/WebCore/ChangeLog	2012-02-17 17:06:11 UTC (rev 108084)
@@ -1,3 +1,23 @@
+2012-02-17  Stephen Chenney  <[email protected]>
+
+        Crash at WebCore::SVGUseElement::expandSymbolElementsInShadowTree
+        https://bugs.webkit.org/show_bug.cgi?id=77639
+
+        Reviewed by Nikolas Zimmermann.
+
+        Fix a SVG crash in Release builds, although it still crashes in Debug builds.
+        The crash occurred when an SVG use element attempted to reference a style element while the file
+        contained an error causing the error banner to display. The fix is to prevent SVGUseElement
+        from recalculating style during tree building and return immediately when style is recalculated and
+        the tree is building.
+
+        Test: svg/custom/use-referencing-style-crash.svg
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::willRecalcStyle): Return false if the tree is being built.
+        (WebCore::SVGUseElement::didRecalcStyle): Check and return if the tree
+        is being built and we are not yet ready for style update.
+
 2012-02-17  Ilya Tikhonovsky  <[email protected]>
 
         Unreviewed, rolling out r108077.

Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (108083 => 108084)


--- trunk/Source/WebCore/svg/SVGUseElement.cpp	2012-02-17 16:55:06 UTC (rev 108083)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp	2012-02-17 17:06:11 UTC (rev 108084)
@@ -345,14 +345,21 @@
         if (SVGElement* shadowRoot = m_targetElementInstance->shadowTreeElement())
             shadowRoot->setNeedsStyleRecalc();
     }
+    // Do not do style calculation during shadow tree construction because it may cause nodes to
+    // be attached before they should be. Style recalc will happen when the tree is constructed
+    // and explicitly attached.
+    if (m_updatesBlocked)
+        return false;
     return true;
 }
 
 void SVGUseElement::didRecalcStyle(StyleChange change)
 {
     // Assure that the shadow tree has not been marked for recreation, while we're building it.
-    if (m_updatesBlocked)
-        ASSERT(!m_needsShadowTreeRecreation);
+    if (m_updatesBlocked && m_needsShadowTreeRecreation) {
+        // We are about to recreate the tree while in the middle of recreating the tree.
+        return;
+    }
 
     RenderSVGShadowTreeRootContainer* shadowRoot = static_cast<RenderSVGShadowTreeRootContainer*>(renderer());
     if (!shadowRoot)
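
Review bot: In didRecalcStyle, the retained comment "Assure that the shadow tree has not been marked for recreation, while we're building it." no longer matches the code: the ASSERT that enforced it is removed, and the new branch returns silently when both m_updatesBlocked and m_needsShadowTreeRecreation are set. Please reword the comment to say this state is now tolerated, and say where the pending recreation is picked up after the early return, since nothing in this hunk clears m_needsShadowTreeRecreation or reschedules the update. The log message says Debug builds still crash although this ASSERT is gone, so a reference to bug 77764 next to the return would tell readers that the remaining assert is elsewhere. In willRecalcStyle, the new m_updatesBlocked check comes after the block that calls shadowRoot->setNeedsStyleRecalc(); if marking the shadow root dirty during construction is intended, the added comment should say so, otherwise the check belongs before that block.
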
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
