Title: [110307] trunk
Revision
110307
Author
[email protected]
Date
2012-03-09 11:13:00 -0800 (Fri, 09 Mar 2012)

Log Message

Crash in SVGTextLayoutAttributesBuilder::fillCharacterDataMap
https://bugs.webkit.org/show_bug.cgi?id=78949
<rdar://problem/10889440>

Reviewed by Nikolas Zimmermann.

Invalidate the text positioning cache when the children of an SVGAElement change,
so that we regenerate the list the next time it's needed instead of using stale values.

Test: svg/text/text-positioning-remove-child-crash.svg

* rendering/svg/SVGAElement.cpp:
(WebCore::SVGAElement::childrenChanged):

Add a test ensuring that we don't crash when removing a child of <a> inside a <text> block.

* svg/text/text-positioning-remove-child-crash-expected.txt: Added.
* svg/text/text-positioning-remove-child-crash.svg: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (110306 => 110307)


--- trunk/LayoutTests/ChangeLog	2012-03-09 19:09:11 UTC (rev 110306)
+++ trunk/LayoutTests/ChangeLog	2012-03-09 19:13:00 UTC (rev 110307)
@@ -1,3 +1,16 @@
+2012-03-09  Tim Horton  <[email protected]>
+
+        Crash in SVGTextLayoutAttributesBuilder::fillCharacterDataMap
+        https://bugs.webkit.org/show_bug.cgi?id=78949
+        <rdar://problem/10889440>
+
+        Reviewed by Nikolas Zimmermann.
+
+        Add a test ensuring that we don't crash when removing a child of <a> inside a <text> block.
+
+        * svg/text/text-positioning-remove-child-crash-expected.txt: Added.
+        * svg/text/text-positioning-remove-child-crash.svg: Added.
+
 2012-03-09  Ashod Nakashian  <[email protected]>
 
         Bash scripts should support LF endings only

Added: trunk/LayoutTests/svg/text/text-positioning-remove-child-crash-expected.txt (0 => 110307)


--- trunk/LayoutTests/svg/text/text-positioning-remove-child-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/text/text-positioning-remove-child-crash-expected.txt	2012-03-09 19:13:00 UTC (rev 110307)
@@ -0,0 +1,2 @@
+Test passes if it does not crash when run with libgmalloc.
+PASS

Added: trunk/LayoutTests/svg/text/text-positioning-remove-child-crash.svg (0 => 110307)


--- trunk/LayoutTests/svg/text/text-positioning-remove-child-crash.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/text/text-positioning-remove-child-crash.svg	2012-03-09 19:13:00 UTC (rev 110307)
@@ -0,0 +1,13 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+    <text y="50">Test passes if it does not crash when run with libgmalloc.</text>
+    <script>
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+    </script>
+    <text><a id="a"><tspan>FAIL</tspan></a></text>
+
+<script><![CDATA[
+document.execCommand("SelectAll");
+document.getElementById("a").textContent = "PASS";
+]]></script>
+</svg>
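Review bot: This test only detects the regression under a guarded allocator, and nothing in the file records that beyond the visible "when run with libgmalloc" text. With the normal allocator, a read through the stale positioning cache may not fault, so the test can still print PASS while the bug is present. I would add a comment at the top, e.g. `<!-- Bug 78949: stale text positioning cache after replacing the children of <a>; only fails reliably under guard malloc or a similar memory checker. -->`. It is also worth confirming that at least one bot runs svg/text in such a configuration.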

Modified: trunk/Source/WebCore/ChangeLog (110306 => 110307)


--- trunk/Source/WebCore/ChangeLog	2012-03-09 19:09:11 UTC (rev 110306)
+++ trunk/Source/WebCore/ChangeLog	2012-03-09 19:13:00 UTC (rev 110307)
@@ -1,3 +1,19 @@
+2012-03-09  Tim Horton  <[email protected]>
+
+        Crash in SVGTextLayoutAttributesBuilder::fillCharacterDataMap
+        https://bugs.webkit.org/show_bug.cgi?id=78949
+        <rdar://problem/10889440>
+
+        Reviewed by Nikolas Zimmermann.
+
+        Invalidate the text positioning cache when the children of an SVGAElement change,
+        so that we regenerate the list the next time it's needed instead of using stale values.
+
+        Test: svg/text/text-positioning-remove-child-crash.svg
+
+        * rendering/svg/SVGAElement.cpp:
+        (WebCore::SVGAElement::childrenChanged):
+
 2012-03-09  Ashod Nakashian  <[email protected]>
 
         Bash scripts should support LF endings only

Modified: trunk/Source/WebCore/svg/SVGAElement.cpp (110306 => 110307)


--- trunk/Source/WebCore/svg/SVGAElement.cpp	2012-03-09 19:09:11 UTC (rev 110306)
+++ trunk/Source/WebCore/svg/SVGAElement.cpp	2012-03-09 19:13:00 UTC (rev 110307)
@@ -40,6 +40,7 @@
 #include "NodeRenderingContext.h"
 #include "PlatformMouseEvent.h"
 #include "RenderSVGInline.h"
+#include "RenderSVGText.h"
 #include "RenderSVGTransformableContainer.h"
 #include "ResourceRequest.h"
 #include "SVGElementInstance.h"
@@ -237,6 +238,19 @@
     return SVGElement::childShouldCreateRenderer(childContext);
 }
 
+void SVGAElement::childrenChanged(bool changedByParser, Node* beforeChange, Node* afterChange, int childCountDelta)
+{
+    SVGStyledTransformableElement::childrenChanged(changedByParser, beforeChange, afterChange, childCountDelta);
+
+    if (changedByParser || !renderer())
+        return;
+
+    // Invalidate the TextPosition cache in SVGTextLayoutAttributesBuilder as it may now point
+    // to no-longer existing SVGTextPositioningElements and thus needs to be rebuilt.
+    if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(renderer()))
+        textRenderer->textDOMChanged();
+}
+
 } // namespace WebCore
 
 #endif // ENABLE(SVG)
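Review bot: The invalidation in `SVGAElement::childrenChanged` copies the comment and the two `locateRenderSVGTextAncestor` / `textDOMChanged()` lines from `SVGTextContentElement::childrenChanged`, so protection against stale `SVGTextPositioningElement` pointers is opt-in per element class. Any other element that can hold positioning elements inside `<text>` without deriving from `SVGTextContentElement` would presumably leave the same dangling entries; that is inferred, since the class hierarchy is not visible here. Consider moving the two lines into one shared helper, or at least adding `// Keep in sync with SVGTextContentElement::childrenChanged: every element that can contain text positioning elements inside <text> must invalidate this cache.` The `changedByParser` early return also skips invalidation for parser-driven changes; a short comment saying why the cache cannot be stale on that path would help the next reader.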

Modified: trunk/Source/WebCore/svg/SVGAElement.h (110306 => 110307)


--- trunk/Source/WebCore/svg/SVGAElement.h	2012-03-09 19:09:11 UTC (rev 110306)
+++ trunk/Source/WebCore/svg/SVGAElement.h	2012-03-09 19:13:00 UTC (rev 110307)
@@ -40,6 +40,9 @@
 public:
     static PassRefPtr<SVGAElement> create(const QualifiedName&, Document*);
 
+protected:
+    virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0) OVERRIDE;
+
 private:
     SVGAElement(const QualifiedName&, Document*);
 

Modified: trunk/Source/WebCore/svg/SVGTextContentElement.cpp (110306 => 110307)


--- trunk/Source/WebCore/svg/SVGTextContentElement.cpp	2012-03-09 19:09:11 UTC (rev 110306)
+++ trunk/Source/WebCore/svg/SVGTextContentElement.cpp	2012-03-09 19:13:00 UTC (rev 110307)
@@ -329,7 +329,7 @@
         return;
 
     // Invalidate the TextPosition cache in SVGTextLayoutAttributesBuilder as it may now point
-    // to no-longer existing SVGTextPositioningElements and thus needs to be rebuild.
+    // to no-longer existing SVGTextPositioningElements and thus needs to be rebuilt.
     if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(renderer()))
         textRenderer->textDOMChanged();
 }