Title: [110593] trunk
Revision
110593
Author
[email protected]
Date
2012-03-13 12:48:20 -0700 (Tue, 13 Mar 2012)

Log Message

Fix the use of stale text fragments
https://bugs.webkit.org/show_bug.cgi?id=80729

Patch by Philip Rogers <[email protected]> on 2012-03-13
Reviewed by Nikolas Zimmermann.

Source/WebCore: 

Previously, we were allowing SVGTextFragments to get out of sync with the
actual text in RenderSVGInlineTextBox. This patch reuses the dirty line
box code in RenderText::setTextWithOffset to force
clearTextFragments() when setTextWithOffset is called, preventing the use
of stale SVGTextFragments.

Test: svg/custom/delete-text-crash.html

* rendering/InlineBox.h:
(InlineBox):
* rendering/svg/SVGInlineTextBox.cpp:
(WebCore::SVGInlineTextBox::dirtyLineBoxes):
(WebCore):
* rendering/svg/SVGInlineTextBox.h:
(SVGInlineTextBox):

LayoutTests: 

* svg/custom/delete-text-crash-expected.png: Added.
* svg/custom/delete-text-crash-expected.txt: Added.
* svg/custom/delete-text-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (110592 => 110593)


--- trunk/LayoutTests/ChangeLog	2012-03-13 19:33:22 UTC (rev 110592)
+++ trunk/LayoutTests/ChangeLog	2012-03-13 19:48:20 UTC (rev 110593)
@@ -1,3 +1,14 @@
+2012-03-13  Philip Rogers  <[email protected]>
+
+        Fix the use of stale text fragments
+        https://bugs.webkit.org/show_bug.cgi?id=80729
+
+        Reviewed by Nikolas Zimmermann.
+
+        * svg/custom/delete-text-crash-expected.png: Added.
+        * svg/custom/delete-text-crash-expected.txt: Added.
+        * svg/custom/delete-text-crash.html: Added.
+
 2012-03-13  Ojan Vafai  <[email protected]>
 
         Fix some broken layout test rebaselines from the various chromium-lion

Added: trunk/LayoutTests/svg/custom/delete-text-crash-expected.png


(Binary files differ)
Property changes on: trunk/LayoutTests/svg/custom/delete-text-crash-expected.png ___________________________________________________________________

Added: svn:mime-type

Added: trunk/LayoutTests/svg/custom/delete-text-crash-expected.txt (0 => 110593)


--- trunk/LayoutTests/svg/custom/delete-text-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/delete-text-crash-expected.txt	2012-03-13 19:48:20 UTC (rev 110593)
@@ -0,0 +1,14 @@
+layer at (0,0) size 800x616
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x616
+  RenderBlock {HTML} at (0,0) size 800x616
+    RenderBody {BODY} at (8,8) size 784x600
+      RenderSVGRoot {svg} at (8,8) size 16x4
+        RenderSVGContainer {g} at (8,8) size 16x4
+          RenderSVGRect {rect} at (8,8) size 0x0 [fill={[type=SOLID] [color=#000000]}] [x=0.00] [y=0.00] [width=0.00] [height=0.00]
+            [filter="x"] RenderSVGResourceFilter {filter} at (-78.40,-60) size 940.80x720
+          RenderSVGText {text} at (0,-15) size 14x19 contains 1 chunk(s)
+            RenderSVGInlineText {#text} at (0,0) size 0x0
+        RenderSVGResourceFilter {filter} [id="x"] [filterUnits=objectBoundingBox] [primitiveUnits=userSpaceOnUse]
+      RenderText {#text} at (0,0) size 0x0
+caret: position 1 of child 0 {#text} of child 3 {text} of child 1 {g} of child 1 {svg} of body
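Review bot: Because the test currently runs as a render-tree dump rather than under DumpAsText (deferred per the WK81006 comment in delete-text-crash.html), this expectation bakes in layout geometry such as the `940.80x720` filter region and the trailing `caret:` position line, so it is platform-sensitive and will need per-port rebaselines; once WK81006 is fixed this file should collapse to a one-line text result and the .png expectation can be dropped.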

Added: trunk/LayoutTests/svg/custom/delete-text-crash.html (0 => 110593)


--- trunk/LayoutTests/svg/custom/delete-text-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/delete-text-crash.html	2012-03-13 19:48:20 UTC (rev 110593)
@@ -0,0 +1,33 @@
+<html>
+<!-- This test passes if there is no crash or assert -->
+<!-- This test should be updated to use DumpAsText once WK81006 is fixed -->
+<!-- The style overflow should be removed once we migrate to DumpAsText as well -->
+<style type="text/css">
+    body {
+        overflow: hidden;
+    }
+</style>
+<script>
+    function testCrash() {
+        q = document.getElementById('root');
+        r = document.createRange();
+        r.selectNodeContents( q.getElementById('t') );
+        window.getSelection().addRange(r)
+        document.designMode='on';
+        document.execCommand('delete');
+        document.execCommand('delete');
+    }
+</script>
+<body _onload_="testCrash()">
+<svg id="root" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <g>
+        <rect filter="url(#x)"/>
+        <text>aa</text>
+        <rect id="t"/>
+        <style></style>
+        <text>bb</text>
+    </g>
+    <filter id="x"></filter>
+</svg>
+</body>
+</html>
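Review bot: `testCrash()` leaks `q` and `r` as implicit globals and drops the semicolon after `window.getSelection().addRange(r)`; declare them with `var` and terminate the statement to match the rest of the script. Also note the body element's handler reads `_onload_="testCrash()"`, which no browser would fire; if that is the text as committed rather than a list-archiver rewrite of `onload`, the function never runs and the test passes vacuously.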

Modified: trunk/Source/WebCore/ChangeLog (110592 => 110593)


--- trunk/Source/WebCore/ChangeLog	2012-03-13 19:33:22 UTC (rev 110592)
+++ trunk/Source/WebCore/ChangeLog	2012-03-13 19:48:20 UTC (rev 110593)
@@ -1,3 +1,26 @@
+2012-03-13  Philip Rogers  <[email protected]>
+
+        Fix the use of stale text fragments
+        https://bugs.webkit.org/show_bug.cgi?id=80729
+
+        Reviewed by Nikolas Zimmermann.
+
+        Previously, we were allowing SVGTextFragments to get out of sync with the
+        actual text in RenderSVGInlineTextBox. This patch reuses the dirty line
+        box code in RenderText::setTextWithOffset to force
+        clearTextFragments() when setTextWithOffset is called, preventing the use
+        of stale SVGTextFragments.
+
+        Test: svg/custom/delete-text-crash.html
+
+        * rendering/InlineBox.h:
+        (InlineBox):
+        * rendering/svg/SVGInlineTextBox.cpp:
+        (WebCore::SVGInlineTextBox::dirtyLineBoxes):
+        (WebCore):
+        * rendering/svg/SVGInlineTextBox.h:
+        (SVGInlineTextBox):
+
 2012-03-13  Nikolas Zimmermann  <[email protected]>
 
         SVG Animations update baseVal instead of animVal

Modified: trunk/Source/WebCore/rendering/InlineBox.h (110592 => 110593)


--- trunk/Source/WebCore/rendering/InlineBox.h	2012-03-13 19:33:22 UTC (rev 110592)
+++ trunk/Source/WebCore/rendering/InlineBox.h	2012-03-13 19:48:20 UTC (rev 110593)
@@ -290,7 +290,7 @@
     bool isDirty() const { return m_dirty; }
     void markDirty(bool dirty = true) { m_dirty = dirty; }
 
-    void dirtyLineBoxes();
+    virtual void dirtyLineBoxes();
     
     virtual RenderObject::SelectionState selectionState();
 
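Review bot: Making `dirtyLineBoxes()` virtual here silently turns the existing `InlineTextBox::dirtyLineBoxes()` (which the new SVGInlineTextBox override calls as its base) from a name-hiding method into a virtual override; its declaration in InlineTextBox.h should gain `virtual` and `OVERRIDE` in the same patch so the change in dispatch is explicit, and any other InlineBox subclass declaring a same-named method should be checked for the same reason.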

Modified: trunk/Source/WebCore/rendering/svg/SVGInlineTextBox.cpp (110592 => 110593)


--- trunk/Source/WebCore/rendering/svg/SVGInlineTextBox.cpp	2012-03-13 19:33:22 UTC (rev 110592)
+++ trunk/Source/WebCore/rendering/svg/SVGInlineTextBox.cpp	2012-03-13 19:48:20 UTC (rev 110593)
@@ -53,6 +53,14 @@
 {
 }
 
+void SVGInlineTextBox::dirtyLineBoxes()
+{
+    InlineTextBox::dirtyLineBoxes();
+
+    // Clear the now stale text fragments
+    clearTextFragments();
+}
+
 int SVGInlineTextBox::offsetForPosition(float, bool) const
 {
     // SVG doesn't use the standard offset <-> position selection system, as it's not suitable for SVGs complex needs.
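Review bot: The comment on `clearTextFragments()` should say why the fragments are stale at this point: their offsets index into the text that `RenderText::setTextWithOffset` is replacing, so any reader of `textFragments()` before the next layout would see offsets into text that no longer exists, which is the stale-fragment use the ChangeLog describes; stating that also explains why the call belongs immediately after `InlineTextBox::dirtyLineBoxes()` rather than being deferred to layout.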

Modified: trunk/Source/WebCore/rendering/svg/SVGInlineTextBox.h (110592 => 110593)


--- trunk/Source/WebCore/rendering/svg/SVGInlineTextBox.h	2012-03-13 19:33:22 UTC (rev 110592)
+++ trunk/Source/WebCore/rendering/svg/SVGInlineTextBox.h	2012-03-13 19:48:20 UTC (rev 110593)
@@ -57,6 +57,8 @@
     Vector<SVGTextFragment>& textFragments() { return m_textFragments; }
     const Vector<SVGTextFragment>& textFragments() const { return m_textFragments; }
 
+    void dirtyLineBoxes() OVERRIDE;
+
     bool startsNewTextChunk() const { return m_startsNewTextChunk; }
     void setStartsNewTextChunk(bool newTextChunk) { m_startsNewTextChunk = newTextChunk; }
 
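Review bot: Style: declarations of virtual methods in these headers spell out the keyword as well as the macro (compare `virtual RenderObject::SelectionState selectionState();` in the InlineBox.h hunk), so this should read `virtual void dirtyLineBoxes() OVERRIDE;` for consistency.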
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes