Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (114509 => 114510)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-04-18 16:17:04 UTC (rev 114509)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-04-18 16:18:24 UTC (rev 114510)
@@ -1,3 +1,16 @@
+2012-04-18 Tim Horton <[email protected]>
+
+ Crash in SVGTextLayoutAttributesBuilder::fillCharacterDataMap
+ https://bugs.webkit.org/show_bug.cgi?id=78949
+ <rdar://problem/10889440>
+
+ Reviewed by Nikolas Zimmermann.
+
+ Add a test ensuring that we don't crash when removing a child of <a> inside a <text> block.
+
+ * svg/text/text-positioning-remove-child-crash-expected.txt: Added.
+ * svg/text/text-positioning-remove-child-crash.svg: Added.
+
2012-04-03 Dominik Röttsches <[email protected]>
Soup HTTP backend does not send Content-Length in certain cases
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/text/text-positioning-remove-child-crash-expected.txt (0 => 114510)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/svg/text/text-positioning-remove-child-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/svg/text/text-positioning-remove-child-crash-expected.txt 2012-04-18 16:18:24 UTC (rev 114510)
@@ -0,0 +1,2 @@
+Test passes if it does not crash when run with libgmalloc.
+PASS
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/text/text-positioning-remove-child-crash-expected.txt
___________________________________________________________________
Added: svn:eol-style
Added: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/text/text-positioning-remove-child-crash.svg (0 => 114510)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/svg/text/text-positioning-remove-child-crash.svg (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/svg/text/text-positioning-remove-child-crash.svg 2012-04-18 16:18:24 UTC (rev 114510)
@@ -0,0 +1,13 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <text y="50">Test passes if it does not crash when run with libgmalloc.</text>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+ <text><a id="a"><tspan>FAIL</tspan></a></text>
+
+<script><![CDATA[
+document.execCommand("SelectAll");
+document.getElementById("a").textContent = "PASS";
+]]></script>
+</svg>
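Review bot: This test can only fail by crashing, and its own text says it relies on libgmalloc to turn the stale-pointer access into a crash. On a port or bot without a guard allocator it will therefore print PASS even if the invalidation in SVGAElement::childrenChanged regresses. A comment at the top of the file would make that dependency explicit, for example `<!-- Regression test for https://bugs.webkit.org/show_bug.cgi?id=78949; only meaningful under a guard allocator such as libgmalloc. -->`. The same comment should say why `SelectAll` is issued before the `textContent` assignment; presumably it forces the text positioning data to be built before the child is replaced, but the file does not say so.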
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (114509 => 114510)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-04-18 16:17:04 UTC (rev 114509)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-04-18 16:18:24 UTC (rev 114510)
@@ -1,3 +1,19 @@
+2012-04-18 Tim Horton <[email protected]>
+
+ Crash in SVGTextLayoutAttributesBuilder::fillCharacterDataMap
+ https://bugs.webkit.org/show_bug.cgi?id=78949
+ <rdar://problem/10889440>
+
+ Reviewed by Nikolas Zimmermann.
+
+ Invalidate the text positioning cache when the children of an SVGAElement change,
+ so that we regenerate the list the next time it's needed instead of using stale values.
+
+ Test: svg/text/text-positioning-remove-child-crash.svg
+
+ * rendering/svg/SVGAElement.cpp:
+ (WebCore::SVGAElement::childrenChanged):
+
2012-04-16 Adam Barth <[email protected]>
ContainerNode::insertedIntoDocument and removedFromDocument use weak iteration patterns
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGAElement.cpp (114509 => 114510)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGAElement.cpp 2012-04-18 16:17:04 UTC (rev 114509)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGAElement.cpp 2012-04-18 16:18:24 UTC (rev 114510)
@@ -39,6 +39,7 @@
#include "MouseEvent.h"
#include "PlatformMouseEvent.h"
#include "RenderSVGInline.h"
+#include "RenderSVGText.h"
#include "RenderSVGTransformableContainer.h"
#include "ResourceRequest.h"
#include "SVGElementInstance.h"
@@ -236,6 +237,19 @@
return SVGElement::childShouldCreateRenderer(child);
}
+void SVGAElement::childrenChanged(bool changedByParser, Node* beforeChange, Node* afterChange, int childCountDelta)
+{
+ SVGStyledTransformableElement::childrenChanged(changedByParser, beforeChange, afterChange, childCountDelta);
+
+ if (changedByParser || !renderer())
+ return;
+
+ // Invalidate the TextPosition cache in SVGTextLayoutAttributesBuilder as it may now point
+ // to no-longer existing SVGTextPositioningElements and thus needs to be rebuilt.
+ if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(renderer()))
+ textRenderer->textDOMChanged();
+}
+
} // namespace WebCore
#endif // ENABLE(SVG)
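Review bot: The tail of SVGAElement::childrenChanged copies the invalidation block from SVGTextContentElement::childrenChanged (the final hunk of this commit shows the same comment and the same two statements). Protection against the stale TextPosition cache therefore depends on every element class that can sit under <text> repeating it by hand. Consider moving the `RenderSVGText::locateRenderSVGTextAncestor(renderer())` / `textDOMChanged()` pair into one shared helper that both overrides call, so a container element added later cannot miss it. The early return on `changedByParser` skips the invalidation entirely and is only safe if the cache cannot yet be populated on that path; a line such as `// FIXME: document why parser-driven changes cannot leave the TextPosition cache stale.` above the `if` would record that assumption.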
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGAElement.h (114509 => 114510)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGAElement.h 2012-04-18 16:17:04 UTC (rev 114509)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGAElement.h 2012-04-18 16:18:24 UTC (rev 114510)
@@ -40,6 +40,9 @@
public:
static PassRefPtr<SVGAElement> create(const QualifiedName&, Document*);
+protected:
+ virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0) OVERRIDE;
+
private:
SVGAElement(const QualifiedName&, Document*);
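Review bot: The new override redeclares default arguments (`changedByParser = false, Node* beforeChange = 0, ...`) on a virtual function. Defaults are taken from the static type at the call site, so they must stay identical to the base-class declaration, which is not visible in this hunk. If no caller relies on them through the SVGAElement type, declaring the override without defaults, `virtual void childrenChanged(bool changedByParser, Node* beforeChange, Node* afterChange, int childCountDelta) OVERRIDE;`, removes the chance of the two declarations drifting apart. The class body starts and ends outside the hunk.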
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGTextContentElement.cpp (114509 => 114510)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGTextContentElement.cpp 2012-04-18 16:17:04 UTC (rev 114509)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/svg/SVGTextContentElement.cpp 2012-04-18 16:18:24 UTC (rev 114510)
@@ -329,7 +329,7 @@
return;
// Invalidate the TextPosition cache in SVGTextLayoutAttributesBuilder as it may now point
- // to no-longer existing SVGTextPositioningElements and thus needs to be rebuild.
+ // to no-longer existing SVGTextPositioningElements and thus needs to be rebuilt.
if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(renderer()))
textRenderer->textDOMChanged();
}