Title: [116866] releases/WebKitGTK/webkit-1.8
Revision
116866
Author
[email protected]
Date
2012-05-13 06:38:40 -0700 (Sun, 13 May 2012)

Log Message

Merge 110593 - Fix the use of stale text fragments
https://bugs.webkit.org/show_bug.cgi?id=80729

Patch by Philip Rogers <[email protected]> on 2012-03-13
Reviewed by Nikolas Zimmermann.

Source/WebCore:

Previously, we were allowing SVGTextFragments to get out of sync with the
actual text in RenderSVGInlineTextBox. This patch reuses the dirty line
box code in RenderText::setTextWithOffset to force
clearTextFragments() when setTextWithOffset is called, preventing the use
of stale SVGTextFragments.

Test: svg/custom/delete-text-crash.html

* rendering/InlineBox.h:
(InlineBox):
* rendering/svg/SVGInlineTextBox.cpp:
(WebCore::SVGInlineTextBox::dirtyLineBoxes):
(WebCore):
* rendering/svg/SVGInlineTextBox.h:
(SVGInlineTextBox):

LayoutTests:

* svg/custom/delete-text-crash-expected.png: Added.
* svg/custom/delete-text-crash-expected.txt: Added.
* svg/custom/delete-text-crash.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (116865 => 116866)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-05-13 06:07:20 UTC (rev 116865)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-05-13 13:38:40 UTC (rev 116866)
@@ -1,3 +1,14 @@
+2012-03-13  Philip Rogers  <[email protected]>
+
+        Fix the use of stale text fragments
+        https://bugs.webkit.org/show_bug.cgi?id=80729
+
+        Reviewed by Nikolas Zimmermann.
+
+        * svg/custom/delete-text-crash-expected.png: Added.
+        * svg/custom/delete-text-crash-expected.txt: Added.
+        * svg/custom/delete-text-crash.html: Added.
+
 2012-03-27  Adam Klein  <[email protected]>
 
         Hold a reference to refChild in insertBefore before calling collectChildrenAndRemoveFromOldParent
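Review bot: The ChangeLog entry gives no hint that this is a backport of r110593 onto the webkit-1.8 branch; only the SVN log message ("Merge 110593") records that. Consider stating the merged revision in the entry (the branch's other merges can be traced the same way) so the origin of the fix survives independently of the commit metadata. Also note the entry is dated 2012-03-13 but sits above the 2012-03-27 entry, which is expected for a branch merge but worth a reader knowing.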

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash-expected.png (0 => 116866)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash-expected.png	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash-expected.png	2012-05-13 13:38:40 UTC (rev 116866)
@@ -0,0 +1,6 @@

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash-expected.txt (0 => 116866)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash-expected.txt	2012-05-13 13:38:40 UTC (rev 116866)
@@ -0,0 +1,14 @@
+layer at (0,0) size 800x616
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x616
+  RenderBlock {HTML} at (0,0) size 800x616
+    RenderBody {BODY} at (8,8) size 784x600
+      RenderSVGRoot {svg} at (8,8) size 16x4
+        RenderSVGContainer {g} at (8,8) size 16x4
+          RenderSVGRect {rect} at (8,8) size 0x0 [fill={[type=SOLID] [color=#000000]}] [x=0.00] [y=0.00] [width=0.00] [height=0.00]
+            [filter="x"] RenderSVGResourceFilter {filter} at (-78.40,-60) size 940.80x720
+          RenderSVGText {text} at (0,-15) size 14x19 contains 1 chunk(s)
+            RenderSVGInlineText {#text} at (0,0) size 0x0
+        RenderSVGResourceFilter {filter} [id="x"] [filterUnits=objectBoundingBox] [primitiveUnits=userSpaceOnUse]
+      RenderText {#text} at (0,0) size 0x0
+caret: position 1 of child 0 {#text} of child 3 {text} of child 1 {g} of child 1 {svg} of body
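Review bot: This expectation is a full render-tree dump, and several values in it are platform dependent (the RenderSVGResourceFilter region at (-78.40,-60) size 940.80x720, the font-metric-driven RenderSVGText size 14x19, and the caret position line), so a test whose only purpose is "no crash or assert" will need per-port expectation files. The test's own comments already say it should move to dumpAsText once WK81006 is fixed; until then, consider keeping the expectation as small as possible so that layout drift does not mask a real regression of the crash.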

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash.html (0 => 116866)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/svg/custom/delete-text-crash.html	2012-05-13 13:38:40 UTC (rev 116866)
@@ -0,0 +1,33 @@
+<html>
+<!-- This test passes if there is no crash or assert -->
+<!-- This test should be updated to use DumpAsText once WK81006 is fixed -->
+<!-- The style overflow should be removed once we migrate to DumpAsText as well -->
+<style type="text/css">
+    body {
+        overflow: hidden;
+    }
+</style>
+<script>
+    function testCrash() {
+        q = document.getElementById('root');
+        r = document.createRange();
+        r.selectNodeContents( q.getElementById('t') );
+        window.getSelection().addRange(r)
+        document.designMode='on';
+        document.execCommand('delete');
+        document.execCommand('delete');
+    }
+</script>
+<body _onload_="testCrash()">
+<svg id="root" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <g>
+        <rect filter="url(#x)"/>
+        <text>aa</text>
+        <rect id="t"/>
+        <style></style>
+        <text>bb</text>
+    </g>
+    <filter id="x"></filter>
+</svg>
+</body>
+</html>
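Review bot: The body tag in this listing reads `_onload_="testCrash()"` rather than `onload="testCrash()"`; if that is what is committed, the handler never fires and the test can no longer reproduce the crash it exists to guard. Please confirm the checked-in file uses `onload` (the underscore form is typical of mail-archive attribute mangling, but the hunk is the only record here). Two smaller points in the same hunk: `q` and `r` are assigned without `var`, so they leak as globals, and `window.getSelection().addRange(r)` is missing its semicolon; the rest of the script uses semicolons consistently.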

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (116865 => 116866)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-05-13 06:07:20 UTC (rev 116865)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-05-13 13:38:40 UTC (rev 116866)
@@ -1,3 +1,26 @@
+2012-03-13  Philip Rogers  <[email protected]>
+
+        Fix the use of stale text fragments
+        https://bugs.webkit.org/show_bug.cgi?id=80729
+
+        Reviewed by Nikolas Zimmermann.
+
+        Previously, we were allowing SVGTextFragments to get out of sync with the
+        actual text in RenderSVGInlineTextBox. This patch reuses the dirty line
+        box code in RenderText::setTextWithOffset to force
+        clearTextFragments() when setTextWithOffset is called, preventing the use
+        of stale SVGTextFragments.
+
+        Test: svg/custom/delete-text-crash.html
+
+        * rendering/InlineBox.h:
+        (InlineBox):
+        * rendering/svg/SVGInlineTextBox.cpp:
+        (WebCore::SVGInlineTextBox::dirtyLineBoxes):
+        (WebCore):
+        * rendering/svg/SVGInlineTextBox.h:
+        (SVGInlineTextBox):
+
 2012-03-27  Adam Klein  <[email protected]>
 
         Hold a reference to refChild in insertBefore before calling collectChildrenAndRemoveFromOldParent

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/InlineBox.h (116865 => 116866)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/InlineBox.h	2012-05-13 06:07:20 UTC (rev 116865)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/InlineBox.h	2012-05-13 13:38:40 UTC (rev 116866)
@@ -290,7 +290,7 @@
     bool isDirty() const { return m_dirty; }
     void markDirty(bool dirty = true) { m_dirty = dirty; }
 
-    void dirtyLineBoxes();
+    virtual void dirtyLineBoxes();
     
     virtual RenderObject::SelectionState selectionState();
 
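Review bot: Turning `dirtyLineBoxes()` virtual here makes every existing subclass definition of the same signature (InlineTextBox::dirtyLineBoxes(), which the SVG override calls) an implicit override. Please mark those with OVERRIDE as well, so the compiler catches a future signature change in the base, and add a brief comment on why the hook is virtual (SVG boxes need to drop cached text fragments when line boxes are dirtied) since nothing in InlineBox.h explains it. The added virtual dispatch on this path is cheap relative to the relayout it precedes, so no concern there.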

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGInlineTextBox.cpp (116865 => 116866)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGInlineTextBox.cpp	2012-05-13 06:07:20 UTC (rev 116865)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGInlineTextBox.cpp	2012-05-13 13:38:40 UTC (rev 116866)
@@ -53,6 +53,14 @@
 {
 }
 
+void SVGInlineTextBox::dirtyLineBoxes()
+{
+    InlineTextBox::dirtyLineBoxes();
+
+    // Clear the now stale text fragments
+    clearTextFragments();
+}
+
 int SVGInlineTextBox::offsetForPosition(float, bool) const
 {
     // SVG doesn't use the standard offset <-> position selection system, as it's not suitable for SVGs complex needs.
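Review bot: The order here is right (let InlineTextBox mark the box dirty, then drop the fragments), but the fix only covers text mutations that go through the dirty-line-box path. Any other route that changes the text of a RenderSVGInlineText without dirtying its boxes would still leave `m_textFragments` pointing at ranges that no longer exist. Consider adding an ASSERT(!isDirty()) at the consumers of `textFragments()` (or in `textFragments()` itself) so a stale-fragment use fails loudly in debug builds instead of reading past the end of the current text; the comment could also cite bug 80729 for context.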

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGInlineTextBox.h (116865 => 116866)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGInlineTextBox.h	2012-05-13 06:07:20 UTC (rev 116865)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/rendering/svg/SVGInlineTextBox.h	2012-05-13 13:38:40 UTC (rev 116866)
@@ -57,6 +57,8 @@
     Vector<SVGTextFragment>& textFragments() { return m_textFragments; }
     const Vector<SVGTextFragment>& textFragments() const { return m_textFragments; }
 
+    void dirtyLineBoxes() OVERRIDE;
+
     bool startsNewTextChunk() const { return m_startsNewTextChunk; }
     void setStartsNewTextChunk(bool newTextChunk) { m_startsNewTextChunk = newTextChunk; }
 
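Review bot: Style point: the new `dirtyLineBoxes() OVERRIDE;` declaration lands between the `textFragments()` accessor pair and `startsNewTextChunk()`, splitting a group of plain accessors. Consider moving it next to the other overridden virtuals in the class so the overrides are easy to find, and keeping the accessors together.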
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
