Title: [121041] trunk
Revision
121041
Author
[email protected]
Date
2012-06-22 11:19:32 -0700 (Fri, 22 Jun 2012)

Log Message

REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth
https://bugs.webkit.org/show_bug.cgi?id=85797

Reviewed by Darin Adler.

Source/WebCore:

Test: svg/custom/svg-width-intrinsic-crash.html

RenderSVGRoot::computeReplacedLogicalWidth assumes that if
SVGSVGElement::widthAttributeEstablishesViewport returns false, the
SVG must be embedded via <object>. This is not always the case, though:
widthAttributeEstablishesViewport can also return false for inline
SVG if it doesn't have a replaced logical width.

Updated computeReplacedLogical{Width,Height} to handle the
!widthAttributeEstablishesViewport && !isEmbeddedThroughFrameContainingSVGDocument
case gracefully.

* rendering/svg/RenderSVGRoot.cpp:
(WebCore::RenderSVGRoot::computeReplacedLogicalWidth):
(WebCore::RenderSVGRoot::computeReplacedLogicalHeight):

LayoutTests:

* svg/custom/svg-width-intrinsic-crash-expected.txt: Added.
* svg/custom/svg-width-intrinsic-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (121040 => 121041)


--- trunk/LayoutTests/ChangeLog	2012-06-22 18:10:03 UTC (rev 121040)
+++ trunk/LayoutTests/ChangeLog	2012-06-22 18:19:32 UTC (rev 121041)
@@ -1,3 +1,13 @@
+2012-06-22  Florin Malita  <[email protected]>
+
+        REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth
+        https://bugs.webkit.org/show_bug.cgi?id=85797
+
+        Reviewed by Darin Adler.
+
+        * svg/custom/svg-width-intrinsic-crash-expected.txt: Added.
+        * svg/custom/svg-width-intrinsic-crash.html: Added.
+
 2012-06-22  Hayato Ito  <[email protected]>
 
         Modify event re-targeting algorithm so that we can tell which distributed node is clicked.

Added: trunk/LayoutTests/svg/custom/svg-width-intrinsic-crash-expected.txt (0 => 121041)


--- trunk/LayoutTests/svg/custom/svg-width-intrinsic-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/svg-width-intrinsic-crash-expected.txt	2012-06-22 18:19:32 UTC (rev 121041)
@@ -0,0 +1,2 @@
+PASS (didn't crash).
+

Added: trunk/LayoutTests/svg/custom/svg-width-intrinsic-crash.html (0 => 121041)


--- trunk/LayoutTests/svg/custom/svg-width-intrinsic-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/svg-width-intrinsic-crash.html	2012-06-22 18:19:32 UTC (rev 121041)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<body>
+  <!-- Test for https://bugs.webkit.org/show_bug.cgi?id=85797 -->
+  <div>PASS (didn't crash).</div>
+  <div style="width: 100px;">
+    <svg style="width: intrinsic;"/>
+  </div>
+  <script>
+    if (window.layoutTestController)
+      layoutTestController.dumpAsText();
+  </script>
+</body>
+</html>
+
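Review bot: The test reaches only the width path: `<svg style="width: intrinsic;"/>` sets no height, yet this revision makes the same change to computeReplacedLogicalHeight, and the new fallback comment in RenderSVGRoot.cpp also names SVGImage (background-image/border-image) as a caller. Consider adding a case that sends an inline SVG down the height fallback, and one that uses an SVG as a background image, so that each new fallback return is exercised by a layout test.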

Modified: trunk/Source/WebCore/ChangeLog (121040 => 121041)


--- trunk/Source/WebCore/ChangeLog	2012-06-22 18:10:03 UTC (rev 121040)
+++ trunk/Source/WebCore/ChangeLog	2012-06-22 18:19:32 UTC (rev 121041)
@@ -1,3 +1,26 @@
+2012-06-22  Florin Malita  <[email protected]>
+
+        REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth
+        https://bugs.webkit.org/show_bug.cgi?id=85797
+
+        Reviewed by Darin Adler.
+
+        Test: svg/custom/svg-width-intrinsic-crash.html
+
+        RenderSVGRoot::computeReplacedLogicalWidth assumes that if
+        SVGSVGElement::widthAttributeEstablishesViewport returns false, the
+        SVG must be embedded via <object>. This is not always the case, though:
+        widthAttributeEstablishesViewport can also return false for inline
+        SVG if it doesn't have a replaced logical width.
+
+        Updated computeReplacedLogical{Width,Height} to handle the
+        !widthAttributeEstablishesViewport && !isEmbeddedThroughFrameContainingSVGDocument
+        case gracefully.
+
+        * rendering/svg/RenderSVGRoot.cpp:
+        (WebCore::RenderSVGRoot::computeReplacedLogicalWidth):
+        (WebCore::RenderSVGRoot::computeReplacedLogicalHeight):
+
 2012-06-22  Hayato Ito  <[email protected]>
 
         Modify event re-targeting algorithm so that we can tell which distributed node is clicked.

Modified: trunk/Source/WebCore/rendering/svg/RenderSVGRoot.cpp (121040 => 121041)


--- trunk/Source/WebCore/rendering/svg/RenderSVGRoot.cpp	2012-06-22 18:10:03 UTC (rev 121040)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGRoot.cpp	2012-06-22 18:19:32 UTC (rev 121041)
@@ -173,9 +173,12 @@
     if (svg->widthAttributeEstablishesViewport())
         return resolveLengthAttributeForSVG(svg->intrinsicWidth(SVGSVGElement::IgnoreCSSProperties), style()->effectiveZoom(), containingBlock()->availableLogicalWidth(), view());
 
-    // Only SVGs embedded in <object> reach this point.
-    ASSERT(isEmbeddedThroughFrameContainingSVGDocument());
-    return document()->frame()->ownerRenderer()->availableLogicalWidth();
+    // SVG embedded through object/embed/iframe.
+    if (isEmbeddedThroughFrameContainingSVGDocument())
+        return document()->frame()->ownerRenderer()->availableLogicalWidth();
+
+    // SVG embedded via SVGImage (background-image/border-image/etc) / Inline SVG.
+    return RenderReplaced::computeReplacedLogicalWidth(includeMaxWidth);
 }
 
 LayoutUnit RenderSVGRoot::computeReplacedLogicalHeight() const
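Review bot: In the new `if (isEmbeddedThroughFrameContainingSVGDocument())` branch, `document()->frame()->ownerRenderer()->availableLogicalWidth()` still dereferences frame() and ownerRenderer() unchecked, so its safety rests entirely on what that predicate guarantees, which is not visible in this hunk. The removed `ASSERT(isEmbeddedThroughFrameContainingSVGDocument())` shows why that matters: an ASSERT is compiled out of release builds, so when the assumption was false the code went straight on to this chain. Replacing it with a real branch is right; please extend the comment to state that the predicate implies a non-null frame and owner renderer, or assert that inside the branch.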
@@ -205,9 +208,12 @@
         return resolveLengthAttributeForSVG(height, style()->effectiveZoom(), containingBlock()->availableLogicalHeight(), view());
     }
 
-    // Only SVGs embedded in <object> reach this point.
-    ASSERT(isEmbeddedThroughFrameContainingSVGDocument());
-    return document()->frame()->ownerRenderer()->availableLogicalHeight();
+    // SVG embedded through object/embed/iframe.
+    if (isEmbeddedThroughFrameContainingSVGDocument())
+        return document()->frame()->ownerRenderer()->availableLogicalHeight();
+
+    // SVG embedded via SVGImage (background-image/border-image/etc) / Inline SVG.
+    return RenderReplaced::computeReplacedLogicalHeight();
 }
 
 void RenderSVGRoot::layout()
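Review bot: The comment on the final return, `// SVG embedded via SVGImage (background-image/border-image/etc) / Inline SVG.`, again enumerates which callers reach this point, which is the same kind of claim as the removed `// Only SVGs embedded in <object> reach this point.` that turned out to be incomplete. Nothing in the hunk checks for those cases, so word it as the default for everything not handled above, with SVGImage and inline SVG given as examples, so that it stays true if another embedding path appears. The identical comment in computeReplacedLogicalWidth should change with it.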
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
