Changeset 287076 in webkit


Timestamp:
Dec 15, 2021 8:59:20 AM (7 months ago)
Author:
commit-queue@webkit.org
Message:

Fix SVG resource invalidation logic causing incorrect layout state.
https://bugs.webkit.org/show_bug.cgi?id=233190
<rdar://82895369>

When SVG resources perform parent layout/resource invalidation, we can incorrectly
cross the SVG boundary when operating on a node which isn't an SVGRoot.
This can cause us to exit layout() with elements that still needsLayout().

Patch by Gavin Phillips <gavin.p@apple.com> on 2021-12-15
Reviewed by Darin Adler.

  • rendering/svg/RenderSVGResource.cpp:

(WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation):

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r287075 r287076  
     12021-12-15  Gavin Phillips  <gavin.p@apple.com>
     2
     3        Fix SVG resource invalidation logic causing incorrect layout state.
     4        https://bugs.webkit.org/show_bug.cgi?id=233190
     5        <rdar://82895369>
     6
     7        When SVG resources perform parent layout/resource invalidation, we can incorrectly
     8        cross the SVG boundary when operating on a node which isn't an SVGRoot.
     9        This can cause us to exit layout() with elements that still needsLayout().
     10
     11        Reviewed by Darin Adler.
     12
     13        * rendering/svg/RenderSVGResource.cpp:
     14        (WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation):
     15
    1162021-12-15  Chris Lord  <clord@igalia.com>
    217
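Review bot: No regression test accompanies this fix: the entry lists only rendering/svg/RenderSVGResource.cpp, and the changeset touches just this ChangeLog and that file. The failure described here, leaving layout() with elements that still needsLayout(), is a state invariant that is easy to break again. Suggest adding a layout test that reproduces the case from bug 233190 and listing it in this entry.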
  • trunk/Source/WebCore/rendering/svg/RenderSVGResource.cpp

    r286843 r287076  
    208208            object.setNeedsLayout(MarkOnlyThis);
    209209#endif
    210         else
    211             object.setNeedsLayout(MarkContainingBlockChain);
     210        else {
     211            if (!is<RenderElement>(object))
     212                object.setNeedsLayout(MarkOnlyThis);
     213            else {
     214                auto svgRoot = SVGRenderSupport::findTreeRootObject(downcast<RenderElement>(object));
     215                if (!svgRoot || !svgRoot->isInLayout())
     216                    object.setNeedsLayout(MarkContainingBlockChain);
     217                else {
     218                    // We just want to re-layout the ancestors up to the RenderSVGRoot.
     219                    object.setNeedsLayout(MarkOnlyThis);
     220                    for (auto current = object.parent(); current != svgRoot; current = current->parent())
     221                        current->setNeedsLayout(MarkOnlyThis);
     222                    svgRoot->setNeedsLayout(MarkOnlyThis);
     223                }
     224            }
     225        }
    212226    }
    213227
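Review bot: The ancestor walk at new line 220, `for (auto current = object.parent(); current != svgRoot; current = current->parent())`, dereferences current with no null check and stops only if svgRoot is a strict ancestor of object. Nothing visible in this hunk guarantees that: if findTreeRootObject can return object itself, or the parent chain ends before reaching svgRoot, current becomes null and the next current->setNeedsLayout or current->parent() call is a null dereference. Suggest changing the condition to `current && current != svgRoot`, or asserting the ancestor relationship before the loop. A short comment on why the `!svgRoot->isInLayout()` case keeps MarkContainingBlockChain would also help, since the existing comment covers only the in-layout branch.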