Title: [136845] trunk
- Revision
- 136845
- Author
- [email protected]
- Date
- 2012-12-06 08:53:10 -0800 (Thu, 06 Dec 2012)
Log Message
SVG <use> element inside an svg-as-image fails
https://bugs.webkit.org/show_bug.cgi?id=104007
Reviewed by Eric Seidel.
Upon redraw, SVGImage calls layout on the document it is drawing into
the image, provided it believes the redraw does not need
to be delayed. Unfortunately, when an SVG <use> element is modified
(by animation, say) and regenerates its shadow tree, the destructors
invoke redraw, causing the SVGImage to call layout on something that
is in the process of being deleted. That's bad.
This change causes SVGImage to always delay the redraw. It is the most robust
way to protect against this problem, as there may be any number of
ways to cause this issue (a node being deleted in an svg-as-image
target) and this protects against them all.
The test case crashes in Asan Chromium.
Source/WebCore:
Test: svg/as-image/animated-use-as-image-crash.html
* svg/graphics/SVGImageCache.cpp:
(WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer.
LayoutTests:
* platform/chromium-win/svg/custom/use-disappears-after-style-update-expected.png: Changed as a result of this change.
* svg/as-image/animated-use-as-image-crash-expected.txt: Added.
* svg/as-image/animated-use-as-image-crash.html: Added.
* svg/as-image/resources/animated-href-on-use.svg: Added.
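The hazard the commit message describes, and the deferral that fixes it, modelled as an added C++ example (not WebKit code; EventLoop, Document, ImageCache, ShadowNode and simulate are hypothetical stand-ins). A node's destructor notifies the cache, exactly as the `<use>` shadow-tree teardown notifies SVGImageCache; in the synchronous variant the cache immediately runs layout on the document while it is mid-teardown (the real use-after-free is made observable as a counter instead of undefined behaviour), while the deferred variant arms a one-shot timer (a task on a toy event loop) so layout runs once teardown has finished, and several notifications coalesce into one redraw:

```cpp
// Added example, not WebKit code. Models the r136845 hazard: a destructor
// notifies the image cache, and a synchronous redraw then runs layout on a
// document that is being torn down. The deferred variant mirrors the patched
// imageContentChanged(): arm a one-shot timer, redraw once it fires.
#include <functional>
#include <memory>
#include <queue>
#include <vector>

struct EventLoop {                       // hypothetical stand-in for the WebCore timer
    std::queue<std::function<void()>> tasks;
    void post(std::function<void()> task) { tasks.push(std::move(task)); }
    int runAll() {                       // runs every queued task; returns how many ran
        int ran = 0;
        while (!tasks.empty()) { auto t = std::move(tasks.front()); tasks.pop(); t(); ++ran; }
        return ran;
    }
};

struct ImageCache;

// A node of the <use> shadow tree: its destructor reports a content change.
struct ShadowNode {
    ImageCache& cache;
    explicit ShadowNode(ImageCache& c) : cache(c) {}
    ~ShadowNode();
};

struct Document {
    bool tearingDown = false;            // true while shadow nodes are being destroyed
    int layouts = 0;                     // every layout performed
    int unsafeLayouts = 0;               // layouts performed during teardown (the bug)
    std::vector<std::unique_ptr<ShadowNode>> shadowTree;
    void layout() { ++layouts; if (tearingDown) ++unsafeLayouts; }
};

struct ImageCache {
    EventLoop& loop;
    bool deferRedraw;                    // false = pre-patch behaviour, true = patched
    Document* doc = nullptr;
    bool timerActive = false;
    bool imageNeedsUpdate = false;
    int redraws = 0;
    ImageCache(EventLoop& l, bool defer) : loop(l), deferRedraw(defer) {}
    void imageContentChanged() {
        imageNeedsUpdate = true;
        if (!deferRedraw) { redraw(); return; }   // synchronous: runs inside the destructor
        if (timerActive) return;                  // coalesce: one pending redraw is enough
        timerActive = true;
        loop.post([this] { timerActive = false; redraw(); });
    }
    void redraw() { doc->layout(); imageNeedsUpdate = false; ++redraws; }
};

ShadowNode::~ShadowNode() { cache.imageContentChanged(); }

// Regenerate the shadow tree as an animated xlink:href change does: destroy the
// old nodes (each destructor notifies the cache), then build new ones.
void regenerateShadowTree(Document& doc, ImageCache& cache, int nodeCount) {
    doc.tearingDown = true;
    doc.shadowTree.clear();
    doc.tearingDown = false;
    for (int i = 0; i < nodeCount; ++i)
        doc.shadowTree.push_back(std::unique_ptr<ShadowNode>(new ShadowNode(cache)));
}

struct Outcome { int unsafeLayouts; int redraws; int layouts; };

Outcome simulate(bool deferRedraw, int nodeCount) {
    EventLoop loop;
    ImageCache cache(loop, deferRedraw);
    Document doc;
    cache.doc = &doc;
    regenerateShadowTree(doc, cache, nodeCount);  // initial tree: nothing to destroy yet
    regenerateShadowTree(doc, cache, nodeCount);  // animation tick: destructors fire
    loop.runAll();                                // a deferred redraw lands here, after teardown
    Outcome out{doc.unsafeLayouts, cache.redraws, doc.layouts};
    doc.shadowTree.clear();                       // tear down while cache and loop still exist
    return out;
}
```

With three shadow nodes the synchronous variant performs three layouts, all during teardown, while the deferred variant performs exactly one, after teardown; in WebCore the equivalent guarantee that the timer cannot outlive the cache comes from m_redrawTimer being a member of SVGImageCache.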
Diff
Modified: trunk/LayoutTests/ChangeLog (136844 => 136845)
--- trunk/LayoutTests/ChangeLog 2012-12-06 16:41:34 UTC (rev 136844)
+++ trunk/LayoutTests/ChangeLog 2012-12-06 16:53:10 UTC (rev 136845)
@@ -1,3 +1,29 @@
+2012-12-06 Stephen Chenney <[email protected]>
+
+ SVG <use> element inside an svg-as-image fails
+ https://bugs.webkit.org/show_bug.cgi?id=104007
+
+ Reviewed by Eric Seidel.
+
+ Upon redraw, SVGImage calls layout on the document it is drawing into
+ the image if the image, provided it believes the redraw does not need
+ to be delayed. Unfortunately, when an SVG <use> element is modified
+ (by animation, say) and regenerates its shadow tree, the destructors
+ invoke redraw, causing the SVGImage to call layout on something that
+ is in the process of being deleted. That's bad.
+
+ This change causes SVGImage to always delay the redraw. It is the most robust
+ way to protect against this problem, as there may be any number of
+ ways to cause this issue (a node being deleted in an svg-as-image
+ target) and this protects against them all.
+
+ The test case crashes in Asan Chromium.
+
+ * platform/chromium-win/svg/custom/use-disappears-after-style-update-expected.png: Changed as a result of this change.
+ * svg/as-image/animated-use-as-image-crash-expected.txt: Added.
+ * svg/as-image/animated-use-as-image-crash.html: Added.
+ * svg/as-image/resources/animated-href-on-use.svg: Added.
+
2012-12-06 Csaba Osztrogonác <[email protected]>
[Qt] Unreviewed gardening, update an expected file.
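Review bot: the description lines "calls layout on the document it is drawing into / the image if the image, provided it believes" carry a stray "if the image"; suggest "calls layout on the document it is drawing into the image, provided it believes the redraw does not need to be delayed." The same sentence is duplicated in the Source/WebCore ChangeLog entry and should be fixed there too.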
Modified: trunk/LayoutTests/platform/chromium-win/svg/custom/use-disappears-after-style-update-expected.png
(Binary files differ)
Added: trunk/LayoutTests/svg/as-image/animated-use-as-image-crash-expected.txt (0 => 136845)
--- trunk/LayoutTests/svg/as-image/animated-use-as-image-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/as-image/animated-use-as-image-crash-expected.txt 2012-12-06 16:53:10 UTC (rev 136845)
@@ -0,0 +1,3 @@
+Test passes if loaded into Chromium with Asan enabled and does not crash.
+
+
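Review bot: the expected text states the pass condition only for "Chromium with Asan enabled", yet the test runs in every configuration; wording it as "Test passes if it does not crash" avoids implying a non-ASan run is meaningless, while the ASan note can stay in the ChangeLog.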
Added: trunk/LayoutTests/svg/as-image/animated-use-as-image-crash.html (0 => 136845)
--- trunk/LayoutTests/svg/as-image/animated-use-as-image-crash.html (rev 0)
+++ trunk/LayoutTests/svg/as-image/animated-use-as-image-crash.html 2012-12-06 16:53:10 UTC (rev 136845)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+ <p>Test passes if loaded into Chromium with Asan enabled and does not crash.</p>
+ <img src=''></img>
+ <script type="text/_javascript_">
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ }
+
+ setTimeout(function() { if (window.testRunner) testRunner.notifyDone(); }, 500);
+ </script>
+</html>
+
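Review bot: `<img src=''></img>` has an empty src, so nothing loads resources/animated-href-on-use.svg and the svg-as-image path this test exists to exercise is never reached; the src should point at the SVG resource added in this patch. Likewise the script's `type="text/_javascript_"` is not a type a browser executes, so waitUntilDone()/dumpAsText() would never run. If both are mail-archive mangling, verify the committed file; either way `</img>` is not a valid end tag for a void element and should be dropped.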
Added: trunk/LayoutTests/svg/as-image/resources/animated-href-on-use.svg (0 => 136845)
--- trunk/LayoutTests/svg/as-image/resources/animated-href-on-use.svg (rev 0)
+++ trunk/LayoutTests/svg/as-image/resources/animated-href-on-use.svg 2012-12-06 16:53:10 UTC (rev 136845)
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Tiny//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-tiny.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" baseProfile="tiny" id="svg-root" width="100%" height="100%" viewBox="0 0 480 360">
+ <g>
+ <g transform="translate(10,10)">
+ <defs>
+ <text font-size="10pt" id="useA">Pass if no crash in Asan builds, message 1</text>
+ <text font-size="10pt" id="useB">Pass if no crash in Asan builds, message 2</text>
+ </defs>
+ <use xlink:href=""
+ <set id="useSet" attributeName="xlink:href" begin="0s;useSet.end+0.05s" dur="0.05s" to="#useB"/>
+ </use>
+ </g>
+ </g>
+</svg>
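Review bot: the `<use xlink:href=""` start tag is not closed before the nested `<set>`, which makes the file malformed XML; an svg-as-image that fails to parse never builds a shadow tree, so the crash would not reproduce. Expected is `<use xlink:href="#useA">`: the base value is #useA, the `<set>` flips it to #useB for 50 ms, and the restart at useSet.end+0.05s reverts it to #useA in between, so the shadow tree is regenerated on every cycle, which is what drives the destructor-initiated redraw.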
Modified: trunk/Source/WebCore/ChangeLog (136844 => 136845)
--- trunk/Source/WebCore/ChangeLog 2012-12-06 16:41:34 UTC (rev 136844)
+++ trunk/Source/WebCore/ChangeLog 2012-12-06 16:53:10 UTC (rev 136845)
@@ -1,3 +1,29 @@
+2012-12-06 Stephen Chenney <[email protected]>
+
+ SVG <use> element inside an svg-as-image fails
+ https://bugs.webkit.org/show_bug.cgi?id=104007
+
+ Reviewed by Eric Seidel.
+
+ Upon redraw, SVGImage calls layout on the document it is drawing into
+ the image if the image, provided it believes the redraw does not need
+ to be delayed. Unfortunately, when an SVG <use> element is modified
+ (by animation, say) and regenerates its shadow tree, the destructors
+ invoke redraw, causing the SVGImage to call layout on something that
+ is in the process of being deleted. That's bad.
+
+ This change causes SVGImage to always delay the redraw. It is the most robust
+ way to protect against this problem, as there may be any number of
+ ways to cause this issue (a node being deleted in an svg-as-image
+ target) and this protects against them all.
+
+ The test case crashes in Asan Chromium.
+
+ Test: svg/as-image/animated-use-as-image-crash.html
+
+ * svg/graphics/SVGImageCache.cpp:
+ (WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer.
+
2012-12-06 Antoine Quint <[email protected]>
TextTrack's .cues not ordered correctly when two cues have the same .startTime
Modified: trunk/Source/WebCore/svg/graphics/SVGImageCache.cpp (136844 => 136845)
--- trunk/Source/WebCore/svg/graphics/SVGImageCache.cpp 2012-12-06 16:41:34 UTC (rev 136844)
+++ trunk/Source/WebCore/svg/graphics/SVGImageCache.cpp 2012-12-06 16:53:10 UTC (rev 136845)
@@ -90,14 +90,9 @@
for (ImageDataMap::iterator it = m_imageDataMap.begin(); it != end; ++it)
it->value.imageNeedsUpdate = true;
- // If we're in the middle of layout, start redrawing dirty
- // images on a timer; otherwise it's safe to draw immediately.
- FrameView* frameView = m_svgImage->frameView();
- if (frameView && (frameView->needsLayout() || frameView->isInLayout())) {
- if (!m_redrawTimer.isActive())
- m_redrawTimer.startOneShot(0);
- } else
- redraw();
+ // Always redraw on a timer because this method may be invoked from destructors of things we are intending to draw.
+ if (!m_redrawTimer.isActive())
+ m_redrawTimer.startOneShot(0);
}
void SVGImageCache::redraw()
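Review bot: removing the synchronous `redraw()` branch changes timing for every caller, not only destructor-initiated ones, which is why use-disappears-after-style-update-expected.png needed a new baseline; the replacement comment should say what goes wrong with a synchronous redraw (layout on a document mid-destruction) and cite bug 104007 so the deferral is not "optimised" back later. Since `m_svgImage->frameView()` is no longer read here, check whether the FrameView include in this file is still needed, and note that the timer being a member (`m_redrawTimer`) is what guarantees it cannot fire after the cache is destroyed.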
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes