Changeset 116801 in webkit
- Timestamp:
- May 11, 2012 2:12:02 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 4 deleted
- 8 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r116795 r116801 1 2012-05-11 Sheriff Bot <webkit.review.bot@gmail.com> 2 3 Unreviewed, rolling out r116498. 4 http://trac.webkit.org/changeset/116498 5 https://bugs.webkit.org/show_bug.cgi?id=86251 6 7 Causes crashes in major sites and security issues (Requested 8 by schenney on #webkit). 9 10 * svg/text/add-tspan-position-bug-expected.html: Removed. 11 * svg/text/add-tspan-position-bug.html: Removed. 12 * svg/text/modify-tspan-position-bug-expected.html: Removed. 13 * svg/text/modify-tspan-position-bug.html: Removed. 14 1 15 2012-05-11 Alexandru Chiculita <achicu@adobe.com> 2 16 -
trunk/Source/WebCore/ChangeLog
r116799 r116801 1 2012-05-11 Sheriff Bot <webkit.review.bot@gmail.com> 2 3 Unreviewed, rolling out r116498. 4 http://trac.webkit.org/changeset/116498 5 https://bugs.webkit.org/show_bug.cgi?id=86251 6 7 Causes crashes in major sites and security issues (Requested 8 by schenney on #webkit). 9 10 * rendering/svg/RenderSVGInline.cpp: 11 (WebCore::RenderSVGInline::addChild): 12 * rendering/svg/RenderSVGInlineText.cpp: 13 (WebCore::RenderSVGInlineText::willBeDestroyed): 14 (WebCore::RenderSVGInlineText::setTextInternal): 15 (WebCore::RenderSVGInlineText::styleDidChange): 16 * rendering/svg/RenderSVGText.cpp: 17 (WebCore::recursiveUpdateLayoutAttributes): 18 (WebCore::RenderSVGText::layoutAttributesChanged): 19 (WebCore::RenderSVGText::layoutAttributesWillBeDestroyed): 20 (WebCore::RenderSVGText::invalidateTextPositioningElements): 21 (WebCore::recursiveUpdateScaledFont): 22 (WebCore::RenderSVGText::layout): 23 (WebCore::RenderSVGText::addChild): 24 (WebCore::recursiveCollectLayoutAttributes): 25 (WebCore::RenderSVGText::rebuildLayoutAttributes): 26 (WebCore): 27 * rendering/svg/RenderSVGText.h: 28 (RenderSVGText): 29 (WebCore::RenderSVGText::layoutAttributes): 30 * rendering/svg/SVGRootInlineBox.cpp: 31 (WebCore::SVGRootInlineBox::computePerCharacterLayoutInformation): 32 * rendering/svg/SVGTextLayoutAttributesBuilder.cpp: 33 (WebCore::SVGTextLayoutAttributesBuilder::buildLayoutAttributes): 34 1 35 2012-05-11 Tim Horton <timothy_horton@apple.com> 2 36 -
trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp
r116498 r116801 125 125 RenderInline::addChild(child, beforeChild); 126 126 if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this)) 127 textRenderer-> subtreeChildAdded(child);127 textRenderer->layoutAttributesChanged(child); 128 128 } 129 129 -
trunk/Source/WebCore/rendering/svg/RenderSVGInlineText.cpp
r116498 r116801 82 82 83 83 Vector<SVGTextLayoutAttributes*> affectedAttributes; 84 textRenderer->subtreeChildWillBeDestroyed(this, affectedAttributes); 84 textRenderer->layoutAttributesWillBeDestroyed(this, affectedAttributes); 85 85 86 RenderText::willBeDestroyed(); 86 textRenderer->subtreeChildWasDestroyed(this, affectedAttributes); 87 if (affectedAttributes.isEmpty()) 88 return; 89 90 if (!documentBeingDestroyed()) 91 textRenderer->rebuildLayoutAttributes(affectedAttributes); 87 92 } 88 93 … … 90 95 { 91 96 RenderText::setTextInternal(text); 92 if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this)) 93 textRenderer->subtreeTextChanged(this); 97 98 // When the underlying text content changes, call both textDOMChanged() & layoutAttributesChanged() 99 // The former will clear the SVGTextPositioningElement cache, which depends on the textLength() of 100 // the RenderSVGInlineText objects, and thus needs to be rebuild. The latter will assure that the 101 // SVGTextLayoutAttributes associated with the RenderSVGInlineText will be updated. 102 if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this)) { 103 textRenderer->invalidateTextPositioningElements(); 104 textRenderer->layoutAttributesChanged(this); 105 } 94 106 } 95 107 … … 116 128 // The text metrics may be influenced by style changes. 117 129 if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this)) 118 textRenderer-> subtreeStyleChanged(this);130 textRenderer->layoutAttributesChanged(this); 119 131 } 120 132 -
trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp
r116498 r116801 111 111 } 112 112 113 void RenderSVGText::subtreeChildAdded(RenderObject* child) 113 static inline void recursiveUpdateLayoutAttributes(RenderObject* start, SVGTextLayoutAttributesBuilder& builder) 114 { 115 if (start->isSVGInlineText()) { 116 builder.buildLayoutAttributesForTextRenderer(toRenderSVGInlineText(start)); 117 return; 118 } 119 120 for (RenderObject* child = start->firstChild(); child; child = child->nextSibling()) 121 recursiveUpdateLayoutAttributes(child, builder); 122 } 123 124 void RenderSVGText::layoutAttributesChanged(RenderObject* child) 114 125 { 115 126 ASSERT(child); 116 127 if (m_needsPositioningValuesUpdate) 117 128 return; 118 119 // The positioning elements cache doesn't include the new 'child' yet. Clear the120 // cache, as the next buildLayoutAttributesForTextRenderer() call rebuilds it.121 invalidateTextPositioningElements();122 123 129 FontCachePurgePreventer fontCachePurgePreventer; 124 for (RenderObject* descendant = child; descendant; descendant = descendant->nextInPreOrder(child)) { 125 if (descendant->isSVGInlineText()) 126 m_layoutAttributesBuilder.buildLayoutAttributesForTextRenderer(toRenderSVGInlineText(descendant)); 127 } 128 130 recursiveUpdateLayoutAttributes(child, m_layoutAttributesBuilder); 129 131 rebuildLayoutAttributes(); 130 132 } … … 161 163 } 162 164 163 void RenderSVGText:: subtreeChildWillBeDestroyed(RenderSVGInlineText* text, Vector<SVGTextLayoutAttributes*>& affectedAttributes)165 void RenderSVGText::layoutAttributesWillBeDestroyed(RenderSVGInlineText* text, Vector<SVGTextLayoutAttributes*>& affectedAttributes) 164 166 { 165 167 ASSERT(text); 166 167 // The positioning elements cache depends on the size of each text renderer in the168 // subtree. If this changes, clear the cache. It's going to be rebuilt below.169 invalidateTextPositioningElements();170 171 168 if (m_needsPositioningValuesUpdate) 172 169 return; 173 170 174 // This logic requires that the 'text' child is still inserted in the tree.175 171 bool stopAfterNext = false; 176 172 SVGTextLayoutAttributes* previous = 0; … … 181 177 if (next) 182 178 affectedAttributes.append(next); 183 184 SVGTextLayoutAttributes* currentLayoutAttributes = text->layoutAttributes();185 186 size_t position = m_layoutAttributes.find(currentLayoutAttributes);187 ASSERT(position != notFound);188 m_layoutAttributes.remove(position);189 190 ASSERT(!m_layoutAttributes.contains(currentLayoutAttributes));191 }192 193 static inline void recursiveCollectLayoutAttributes(RenderObject* start, Vector<SVGTextLayoutAttributes*>& attributes)194 {195 for (RenderObject* child = start->firstChild(); child; child = child->nextSibling()) {196 if (child->isSVGInlineText()) {197 attributes.append(toRenderSVGInlineText(child)->layoutAttributes());198 continue;199 }200 201 recursiveCollectLayoutAttributes(child, attributes);202 }203 }204 205 static inline void checkLayoutAttributesConsistency(RenderSVGText* text, Vector<SVGTextLayoutAttributes*>& expectedLayoutAttributes)206 {207 #ifndef NDEBUG208 Vector<SVGTextLayoutAttributes*> newLayoutAttributes;209 recursiveCollectLayoutAttributes(text, newLayoutAttributes);210 ASSERT(newLayoutAttributes == expectedLayoutAttributes);211 #else212 UNUSED_PARAM(text);213 UNUSED_PARAM(expectedLayoutAttributes);214 #endif215 }216 217 void RenderSVGText::subtreeChildWasDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes)218 {219 if (documentBeingDestroyed() || affectedAttributes.isEmpty())220 return;221 222 checkLayoutAttributesConsistency(this, m_layoutAttributes);223 224 size_t size = affectedAttributes.size();225 for (size_t i = 0; i < size; ++i)226 m_layoutAttributesBuilder.rebuildMetricsForTextRenderer(affectedAttributes[i]->context());227 }228 229 void RenderSVGText::subtreeStyleChanged(RenderSVGInlineText* text)230 {231 ASSERT(text);232 if (m_needsPositioningValuesUpdate)233 return;234 235 // Only update the metrics cache, but not the text positioning element cache236 // nor the layout attributes cached in the leaf #text renderers.237 FontCachePurgePreventer fontCachePurgePreventer;238 for (RenderObject* descendant = text; descendant; descendant = descendant->nextInPreOrder(text)) {239 if (descendant->isSVGInlineText())240 m_layoutAttributesBuilder.rebuildMetricsForTextRenderer(toRenderSVGInlineText(descendant));241 }242 }243 244 void RenderSVGText::subtreeTextChanged(RenderSVGInlineText* text)245 {246 ASSERT(text);247 248 // The positioning elements cache depends on the size of each text renderer in the249 // subtree. If this changes, clear the cache. It's going to be rebuilt below.250 invalidateTextPositioningElements();251 252 if (m_needsPositioningValuesUpdate)253 return;254 255 FontCachePurgePreventer fontCachePurgePreventer;256 for (RenderObject* descendant = text; descendant; descendant = descendant->nextInPreOrder(text)) {257 if (descendant->isSVGInlineText())258 m_layoutAttributesBuilder.buildLayoutAttributesForTextRenderer(toRenderSVGInlineText(descendant));259 }260 179 } 261 180 … … 267 186 // do not always cause the position elements to be marked invalid before use. 268 187 m_layoutAttributesBuilder.clearTextPositioningElements(); 188 } 189 190 static inline void recursiveUpdateScaledFont(RenderObject* start) 191 { 192 for (RenderObject* child = start->firstChild(); child; child = child->nextSibling()) { 193 if (child->isSVGInlineText()) { 194 toRenderSVGInlineText(child)->updateScaledFont(); 195 continue; 196 } 197 198 recursiveUpdateScaledFont(child); 199 } 269 200 } 270 201 … … 285 216 // or the transform to the root context has changed then recompute the on-screen font size. 286 217 if (m_needsTextMetricsUpdate || SVGRenderSupport::findTreeRootObject(this)->isLayoutSizeChanged()) { 287 for (RenderObject* descendant = this; descendant; descendant = descendant->nextInPreOrder(this)) { 288 if (descendant->isSVGInlineText()) 289 toRenderSVGInlineText(descendant)->updateScaledFont(); 290 } 291 292 rebuildAllLayoutAttributes(); 218 recursiveUpdateScaledFont(this); 219 rebuildLayoutAttributes(true); 293 220 updateCachedBoundariesInParents = true; 294 221 m_needsTextMetricsUpdate = false; … … 438 365 { 439 366 RenderSVGBlock::addChild(child, beforeChild); 440 subtreeChildAdded(child);367 layoutAttributesChanged(child); 441 368 } 442 369 … … 454 381 } 455 382 456 void RenderSVGText::rebuildAllLayoutAttributes() 457 { 458 m_layoutAttributes.clear(); 459 recursiveCollectLayoutAttributes(this, m_layoutAttributes); 460 if (m_layoutAttributes.isEmpty()) 461 return; 462 463 m_layoutAttributesBuilder.rebuildMetricsForWholeTree(this); 464 } 465 466 void RenderSVGText::rebuildLayoutAttributes() 467 { 383 static inline void recursiveCollectLayoutAttributes(RenderObject* start, Vector<SVGTextLayoutAttributes*>& attributes) 384 { 385 for (RenderObject* child = start->firstChild(); child; child = child->nextSibling()) { 386 if (child->isSVGInlineText()) { 387 attributes.append(toRenderSVGInlineText(child)->layoutAttributes()); 388 continue; 389 } 390 391 recursiveCollectLayoutAttributes(child, attributes); 392 } 393 } 394 395 void RenderSVGText::rebuildLayoutAttributes(bool performFullRebuild) 396 { 397 if (performFullRebuild) 398 m_layoutAttributes.clear(); 399 468 400 if (m_layoutAttributes.isEmpty()) { 469 rebuildAllLayoutAttributes(); 470 return; 471 } 472 401 recursiveCollectLayoutAttributes(this, m_layoutAttributes); 402 if (m_layoutAttributes.isEmpty() || !performFullRebuild) 403 return; 404 405 m_layoutAttributesBuilder.rebuildMetricsForWholeTree(this); 406 return; 407 } 408 409 Vector<SVGTextLayoutAttributes*> affectedAttributes; 410 rebuildLayoutAttributes(affectedAttributes); 411 } 412 413 void RenderSVGText::rebuildLayoutAttributes(Vector<SVGTextLayoutAttributes*>& affectedAttributes) 414 { 473 415 // Detect changes in layout attributes and only measure those text parts that have changed! 474 416 Vector<SVGTextLayoutAttributes*> newLayoutAttributes; … … 479 421 } 480 422 481 // Compare m_layoutAttributes with newLayoutAttributes to figure out which attributes got added .423 // Compare m_layoutAttributes with newLayoutAttributes to figure out which attributes got added/removed. 482 424 size_t size = newLayoutAttributes.size(); 483 425 for (size_t i = 0; i < size; ++i) { … … 487 429 } 488 430 431 size = affectedAttributes.size(); 432 for (size_t i = 0; i < size; ++i) 433 m_layoutAttributesBuilder.rebuildMetricsForTextRenderer(affectedAttributes[i]->context()); 434 489 435 m_layoutAttributes = newLayoutAttributes; 490 436 } -
trunk/Source/WebCore/rendering/svg/RenderSVGText.h
r116498 r116801 49 49 50 50 bool needsReordering() const { return m_needsReordering; } 51 Vector<SVGTextLayoutAttributes*>& layoutAttributes() { return m_layoutAttributes; }52 53 void subtreeChildAdded(RenderObject*);54 void subtreeChildWillBeDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes);55 void subtreeChildWasDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes);56 void subtreeStyleChanged(RenderSVGInlineText*);57 void subtreeTextChanged(RenderSVGInlineText*);58 51 59 52 // Call this method when either the children of a DOM text element have changed, or the length of 60 53 // the text in any child element has changed. 61 54 void invalidateTextPositioningElements(); 55 56 void layoutAttributesChanged(RenderObject*); 57 void layoutAttributesWillBeDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes); 58 void rebuildLayoutAttributes(bool performFullRebuild = false); 59 void rebuildLayoutAttributes(Vector<SVGTextLayoutAttributes*>& affectedAttributes); 60 61 Vector<SVGTextLayoutAttributes*>& layoutAttributes() { return m_layoutAttributes; } 62 62 63 63 private: … … 92 92 virtual void updateFirstLetter(); 93 93 94 void rebuildAllLayoutAttributes();95 void rebuildLayoutAttributes();96 97 94 bool m_needsReordering : 1; 98 95 bool m_needsPositioningValuesUpdate : 1; -
trunk/Source/WebCore/rendering/svg/SVGRootInlineBox.cpp
r116498 r116801 74 74 ASSERT(textRoot); 75 75 76 textRoot->rebuildLayoutAttributes(); 76 77 Vector<SVGTextLayoutAttributes*>& layoutAttributes = textRoot->layoutAttributes(); 77 78 if (layoutAttributes.isEmpty()) -
trunk/Source/WebCore/rendering/svg/SVGTextLayoutAttributesBuilder.cpp
r116498 r116801 27 27 #include "SVGTextPositioningElement.h" 28 28 29 // Set to a value > 0 to dump the text layout attributes 30 #define DUMP_TEXT_LAYOUT_ATTRIBUTES 0 31 29 32 namespace WebCore { 30 33 … … 171 174 for (unsigned i = 0; i < size; ++i) 172 175 fillCharacterDataMap(m_textPositions[i]); 176 177 #if DUMP_TEXT_LAYOUT_ATTRIBUTES > 0 178 fprintf(stderr, "\nDumping ALL layout attributes for RenderSVGText, renderer=%p, node=%p (m_textLength: %i)\n", textRoot, textRoot->node(), m_textLength); 179 m_characterDataMap.dump(); 180 #endif 173 181 } 174 182
Note: See TracChangeset
for help on using the changeset viewer.