Changeset 116801 in webkit


Ignore:
Timestamp:
May 11, 2012 2:12:02 PM (12 years ago)
Author:
commit-queue@webkit.org
Message:

Unreviewed, rolling out r116498.
http://trac.webkit.org/changeset/116498
https://bugs.webkit.org/show_bug.cgi?id=86251

Causes crashes in major sites and security issues (Requested
by schenney on #webkit).

Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2012-05-11

Source/WebCore:

  • rendering/svg/RenderSVGInline.cpp:

(WebCore::RenderSVGInline::addChild):

  • rendering/svg/RenderSVGInlineText.cpp:

(WebCore::RenderSVGInlineText::willBeDestroyed):
(WebCore::RenderSVGInlineText::setTextInternal):
(WebCore::RenderSVGInlineText::styleDidChange):

  • rendering/svg/RenderSVGText.cpp:

(WebCore::recursiveUpdateLayoutAttributes):
(WebCore::RenderSVGText::layoutAttributesChanged):
(WebCore::RenderSVGText::layoutAttributesWillBeDestroyed):
(WebCore::RenderSVGText::invalidateTextPositioningElements):
(WebCore::recursiveUpdateScaledFont):
(WebCore::RenderSVGText::layout):
(WebCore::RenderSVGText::addChild):
(WebCore::recursiveCollectLayoutAttributes):
(WebCore::RenderSVGText::rebuildLayoutAttributes):
(WebCore):

  • rendering/svg/RenderSVGText.h:

(RenderSVGText):
(WebCore::RenderSVGText::layoutAttributes):

  • rendering/svg/SVGRootInlineBox.cpp:

(WebCore::SVGRootInlineBox::computePerCharacterLayoutInformation):

  • rendering/svg/SVGTextLayoutAttributesBuilder.cpp:

(WebCore::SVGTextLayoutAttributesBuilder::buildLayoutAttributes):

LayoutTests:

  • svg/text/add-tspan-position-bug-expected.html: Removed.
  • svg/text/add-tspan-position-bug.html: Removed.
  • svg/text/modify-tspan-position-bug-expected.html: Removed.
  • svg/text/modify-tspan-position-bug.html: Removed.
Location:
trunk
Files:
4 deleted
8 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r116795 r116801  
     12012-05-11  Sheriff Bot  <webkit.review.bot@gmail.com>
     2
     3        Unreviewed, rolling out r116498.
     4        http://trac.webkit.org/changeset/116498
     5        https://bugs.webkit.org/show_bug.cgi?id=86251
     6
     7        Causes crashes in major sites and security issues (Requested
     8        by schenney on #webkit).
     9
     10        * svg/text/add-tspan-position-bug-expected.html: Removed.
     11        * svg/text/add-tspan-position-bug.html: Removed.
     12        * svg/text/modify-tspan-position-bug-expected.html: Removed.
     13        * svg/text/modify-tspan-position-bug.html: Removed.
     14
    1152012-05-11  Alexandru Chiculita  <achicu@adobe.com>
    216
  • trunk/Source/WebCore/ChangeLog

    r116799 r116801  
     12012-05-11  Sheriff Bot  <webkit.review.bot@gmail.com>
     2
     3        Unreviewed, rolling out r116498.
     4        http://trac.webkit.org/changeset/116498
     5        https://bugs.webkit.org/show_bug.cgi?id=86251
     6
     7        Causes crashes in major sites and security issues (Requested
     8        by schenney on #webkit).
     9
     10        * rendering/svg/RenderSVGInline.cpp:
     11        (WebCore::RenderSVGInline::addChild):
     12        * rendering/svg/RenderSVGInlineText.cpp:
     13        (WebCore::RenderSVGInlineText::willBeDestroyed):
     14        (WebCore::RenderSVGInlineText::setTextInternal):
     15        (WebCore::RenderSVGInlineText::styleDidChange):
     16        * rendering/svg/RenderSVGText.cpp:
     17        (WebCore::recursiveUpdateLayoutAttributes):
     18        (WebCore::RenderSVGText::layoutAttributesChanged):
     19        (WebCore::RenderSVGText::layoutAttributesWillBeDestroyed):
     20        (WebCore::RenderSVGText::invalidateTextPositioningElements):
     21        (WebCore::recursiveUpdateScaledFont):
     22        (WebCore::RenderSVGText::layout):
     23        (WebCore::RenderSVGText::addChild):
     24        (WebCore::recursiveCollectLayoutAttributes):
     25        (WebCore::RenderSVGText::rebuildLayoutAttributes):
     26        (WebCore):
     27        * rendering/svg/RenderSVGText.h:
     28        (RenderSVGText):
     29        (WebCore::RenderSVGText::layoutAttributes):
     30        * rendering/svg/SVGRootInlineBox.cpp:
     31        (WebCore::SVGRootInlineBox::computePerCharacterLayoutInformation):
     32        * rendering/svg/SVGTextLayoutAttributesBuilder.cpp:
     33        (WebCore::SVGTextLayoutAttributesBuilder::buildLayoutAttributes):
     34
    1352012-05-11  Tim Horton  <timothy_horton@apple.com>
    236
  • trunk/Source/WebCore/rendering/svg/RenderSVGInline.cpp

    r116498 r116801  
    125125    RenderInline::addChild(child, beforeChild);
    126126    if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this))
    127         textRenderer->subtreeChildAdded(child);
     127        textRenderer->layoutAttributesChanged(child);
    128128}
    129129
  • trunk/Source/WebCore/rendering/svg/RenderSVGInlineText.cpp

    r116498 r116801  
    8282
    8383    Vector<SVGTextLayoutAttributes*> affectedAttributes;
    84     textRenderer->subtreeChildWillBeDestroyed(this, affectedAttributes);
     84    textRenderer->layoutAttributesWillBeDestroyed(this, affectedAttributes);
     85
    8586    RenderText::willBeDestroyed();
    86     textRenderer->subtreeChildWasDestroyed(this, affectedAttributes);
     87    if (affectedAttributes.isEmpty())
     88        return;
     89
     90    if (!documentBeingDestroyed())
     91        textRenderer->rebuildLayoutAttributes(affectedAttributes);
    8792}
    8893
     
    9095{
    9196    RenderText::setTextInternal(text);
    92     if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this))
    93         textRenderer->subtreeTextChanged(this);
     97
     98    // When the underlying text content changes, call both textDOMChanged() & layoutAttributesChanged()
     99    // The former will clear the SVGTextPositioningElement cache, which depends on the textLength() of
     100    // the RenderSVGInlineText objects, and thus needs to be rebuild. The latter will assure that the
     101    // SVGTextLayoutAttributes associated with the RenderSVGInlineText will be updated.
     102    if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this)) {
     103        textRenderer->invalidateTextPositioningElements();
     104        textRenderer->layoutAttributesChanged(this);
     105    }
    94106}
    95107
     
    116128    // The text metrics may be influenced by style changes.
    117129    if (RenderSVGText* textRenderer = RenderSVGText::locateRenderSVGTextAncestor(this))
    118         textRenderer->subtreeStyleChanged(this);
     130        textRenderer->layoutAttributesChanged(this);
    119131}
    120132
  • trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp

    r116498 r116801  
    111111}
    112112
    113 void RenderSVGText::subtreeChildAdded(RenderObject* child)
     113static inline void recursiveUpdateLayoutAttributes(RenderObject* start, SVGTextLayoutAttributesBuilder& builder)
     114{
     115    if (start->isSVGInlineText()) {
     116        builder.buildLayoutAttributesForTextRenderer(toRenderSVGInlineText(start));
     117        return;
     118    }
     119
     120    for (RenderObject* child = start->firstChild(); child; child = child->nextSibling())
     121        recursiveUpdateLayoutAttributes(child, builder);
     122}
     123
     124void RenderSVGText::layoutAttributesChanged(RenderObject* child)
    114125{
    115126    ASSERT(child);
    116127    if (m_needsPositioningValuesUpdate)
    117128        return;
    118 
    119     // The positioning elements cache doesn't include the new 'child' yet. Clear the
    120     // cache, as the next buildLayoutAttributesForTextRenderer() call rebuilds it.
    121     invalidateTextPositioningElements();
    122 
    123129    FontCachePurgePreventer fontCachePurgePreventer;
    124     for (RenderObject* descendant = child; descendant; descendant = descendant->nextInPreOrder(child)) {
    125         if (descendant->isSVGInlineText())
    126             m_layoutAttributesBuilder.buildLayoutAttributesForTextRenderer(toRenderSVGInlineText(descendant));
    127     }
    128 
     130    recursiveUpdateLayoutAttributes(child, m_layoutAttributesBuilder);
    129131    rebuildLayoutAttributes();
    130132}
     
    161163}
    162164
    163 void RenderSVGText::subtreeChildWillBeDestroyed(RenderSVGInlineText* text, Vector<SVGTextLayoutAttributes*>& affectedAttributes)
     165void RenderSVGText::layoutAttributesWillBeDestroyed(RenderSVGInlineText* text, Vector<SVGTextLayoutAttributes*>& affectedAttributes)
    164166{
    165167    ASSERT(text);
    166 
    167     // The positioning elements cache depends on the size of each text renderer in the
    168     // subtree. If this changes, clear the cache. It's going to be rebuilt below.
    169     invalidateTextPositioningElements();
    170 
    171168    if (m_needsPositioningValuesUpdate)
    172169        return;
    173170
    174     // This logic requires that the 'text' child is still inserted in the tree.
    175171    bool stopAfterNext = false;
    176172    SVGTextLayoutAttributes* previous = 0;
     
    181177    if (next)
    182178        affectedAttributes.append(next);
    183 
    184     SVGTextLayoutAttributes* currentLayoutAttributes = text->layoutAttributes();
    185 
    186     size_t position = m_layoutAttributes.find(currentLayoutAttributes);
    187     ASSERT(position != notFound);
    188     m_layoutAttributes.remove(position);
    189 
    190     ASSERT(!m_layoutAttributes.contains(currentLayoutAttributes));
    191 }
    192 
    193 static inline void recursiveCollectLayoutAttributes(RenderObject* start, Vector<SVGTextLayoutAttributes*>& attributes)
    194 {
    195     for (RenderObject* child = start->firstChild(); child; child = child->nextSibling()) {
    196         if (child->isSVGInlineText()) {
    197             attributes.append(toRenderSVGInlineText(child)->layoutAttributes());
    198             continue;
    199         }
    200 
    201         recursiveCollectLayoutAttributes(child, attributes);
    202     }
    203 }
    204 
    205 static inline void checkLayoutAttributesConsistency(RenderSVGText* text, Vector<SVGTextLayoutAttributes*>& expectedLayoutAttributes)
    206 {
    207 #ifndef NDEBUG
    208     Vector<SVGTextLayoutAttributes*> newLayoutAttributes;
    209     recursiveCollectLayoutAttributes(text, newLayoutAttributes);
    210     ASSERT(newLayoutAttributes == expectedLayoutAttributes);
    211 #else
    212     UNUSED_PARAM(text);
    213     UNUSED_PARAM(expectedLayoutAttributes);
    214 #endif
    215 }
    216 
    217 void RenderSVGText::subtreeChildWasDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes)
    218 {
    219     if (documentBeingDestroyed() || affectedAttributes.isEmpty())
    220         return;
    221 
    222     checkLayoutAttributesConsistency(this, m_layoutAttributes);
    223 
    224     size_t size = affectedAttributes.size();
    225     for (size_t i = 0; i < size; ++i)
    226         m_layoutAttributesBuilder.rebuildMetricsForTextRenderer(affectedAttributes[i]->context());
    227 }
    228 
    229 void RenderSVGText::subtreeStyleChanged(RenderSVGInlineText* text)
    230 {
    231     ASSERT(text);
    232     if (m_needsPositioningValuesUpdate)
    233         return;
    234 
    235     // Only update the metrics cache, but not the text positioning element cache
    236     // nor the layout attributes cached in the leaf #text renderers.
    237     FontCachePurgePreventer fontCachePurgePreventer;
    238     for (RenderObject* descendant = text; descendant; descendant = descendant->nextInPreOrder(text)) {
    239         if (descendant->isSVGInlineText())
    240             m_layoutAttributesBuilder.rebuildMetricsForTextRenderer(toRenderSVGInlineText(descendant));
    241     }
    242 }
    243 
    244 void RenderSVGText::subtreeTextChanged(RenderSVGInlineText* text)
    245 {
    246     ASSERT(text);
    247 
    248     // The positioning elements cache depends on the size of each text renderer in the
    249     // subtree. If this changes, clear the cache. It's going to be rebuilt below.
    250     invalidateTextPositioningElements();
    251 
    252     if (m_needsPositioningValuesUpdate)
    253         return;
    254 
    255     FontCachePurgePreventer fontCachePurgePreventer;
    256     for (RenderObject* descendant = text; descendant; descendant = descendant->nextInPreOrder(text)) {
    257         if (descendant->isSVGInlineText())
    258             m_layoutAttributesBuilder.buildLayoutAttributesForTextRenderer(toRenderSVGInlineText(descendant));
    259     }
    260179}
    261180
     
    267186    // do not always cause the position elements to be marked invalid before use.
    268187    m_layoutAttributesBuilder.clearTextPositioningElements();
     188}
     189
     190static inline void recursiveUpdateScaledFont(RenderObject* start)
     191{
     192    for (RenderObject* child = start->firstChild(); child; child = child->nextSibling()) {
     193        if (child->isSVGInlineText()) {
     194            toRenderSVGInlineText(child)->updateScaledFont();
     195            continue;
     196        }
     197
     198        recursiveUpdateScaledFont(child);
     199    }
    269200}
    270201
     
    285216    // or the transform to the root context has changed then recompute the on-screen font size.
    286217    if (m_needsTextMetricsUpdate || SVGRenderSupport::findTreeRootObject(this)->isLayoutSizeChanged()) {
    287         for (RenderObject* descendant = this; descendant; descendant = descendant->nextInPreOrder(this)) {
    288             if (descendant->isSVGInlineText())
    289                 toRenderSVGInlineText(descendant)->updateScaledFont();
    290         }
    291 
    292         rebuildAllLayoutAttributes();
     218        recursiveUpdateScaledFont(this);
     219        rebuildLayoutAttributes(true);
    293220        updateCachedBoundariesInParents = true;
    294221        m_needsTextMetricsUpdate = false;
     
    438365{
    439366    RenderSVGBlock::addChild(child, beforeChild);
    440     subtreeChildAdded(child);
     367    layoutAttributesChanged(child);
    441368}
    442369
     
    454381}
    455382
    456 void RenderSVGText::rebuildAllLayoutAttributes()
    457 {
    458     m_layoutAttributes.clear();
    459     recursiveCollectLayoutAttributes(this, m_layoutAttributes);
    460     if (m_layoutAttributes.isEmpty())
    461         return;
    462 
    463     m_layoutAttributesBuilder.rebuildMetricsForWholeTree(this);
    464 }
    465 
    466 void RenderSVGText::rebuildLayoutAttributes()
    467 {
     383static inline void recursiveCollectLayoutAttributes(RenderObject* start, Vector<SVGTextLayoutAttributes*>& attributes)
     384{
     385    for (RenderObject* child = start->firstChild(); child; child = child->nextSibling()) {
     386        if (child->isSVGInlineText()) {
     387            attributes.append(toRenderSVGInlineText(child)->layoutAttributes());
     388            continue;
     389        }
     390
     391        recursiveCollectLayoutAttributes(child, attributes);
     392    }
     393}
     394
     395void RenderSVGText::rebuildLayoutAttributes(bool performFullRebuild)
     396{
     397    if (performFullRebuild)
     398        m_layoutAttributes.clear();
     399
    468400    if (m_layoutAttributes.isEmpty()) {
    469         rebuildAllLayoutAttributes();
    470         return;
    471     }
    472 
     401        recursiveCollectLayoutAttributes(this, m_layoutAttributes);
     402        if (m_layoutAttributes.isEmpty() || !performFullRebuild)
     403            return;
     404
     405        m_layoutAttributesBuilder.rebuildMetricsForWholeTree(this);
     406        return;
     407    }
     408
     409    Vector<SVGTextLayoutAttributes*> affectedAttributes;
     410    rebuildLayoutAttributes(affectedAttributes);
     411}
     412
     413void RenderSVGText::rebuildLayoutAttributes(Vector<SVGTextLayoutAttributes*>& affectedAttributes)
     414{
    473415    // Detect changes in layout attributes and only measure those text parts that have changed!
    474416    Vector<SVGTextLayoutAttributes*> newLayoutAttributes;
     
    479421    }
    480422
    481     // Compare m_layoutAttributes with newLayoutAttributes to figure out which attributes got added.
     423    // Compare m_layoutAttributes with newLayoutAttributes to figure out which attributes got added/removed.
    482424    size_t size = newLayoutAttributes.size();
    483425    for (size_t i = 0; i < size; ++i) {
     
    487429    }
    488430
     431    size = affectedAttributes.size();
     432    for (size_t i = 0; i < size; ++i)
     433        m_layoutAttributesBuilder.rebuildMetricsForTextRenderer(affectedAttributes[i]->context());
     434
    489435    m_layoutAttributes = newLayoutAttributes;
    490436}
  • trunk/Source/WebCore/rendering/svg/RenderSVGText.h

    r116498 r116801  
    4949
    5050    bool needsReordering() const { return m_needsReordering; }
    51     Vector<SVGTextLayoutAttributes*>& layoutAttributes() { return m_layoutAttributes; }
    52 
    53     void subtreeChildAdded(RenderObject*);
    54     void subtreeChildWillBeDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes);
    55     void subtreeChildWasDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes);
    56     void subtreeStyleChanged(RenderSVGInlineText*);
    57     void subtreeTextChanged(RenderSVGInlineText*);
    5851
    5952    // Call this method when either the children of a DOM text element have changed, or the length of
    6053    // the text in any child element has changed.
    6154    void invalidateTextPositioningElements();
     55
     56    void layoutAttributesChanged(RenderObject*);
     57    void layoutAttributesWillBeDestroyed(RenderSVGInlineText*, Vector<SVGTextLayoutAttributes*>& affectedAttributes);
     58    void rebuildLayoutAttributes(bool performFullRebuild = false);
     59    void rebuildLayoutAttributes(Vector<SVGTextLayoutAttributes*>& affectedAttributes);
     60
     61    Vector<SVGTextLayoutAttributes*>& layoutAttributes() { return m_layoutAttributes; }
    6262
    6363private:
     
    9292    virtual void updateFirstLetter();
    9393
    94     void rebuildAllLayoutAttributes();
    95     void rebuildLayoutAttributes();
    96 
    9794    bool m_needsReordering : 1;
    9895    bool m_needsPositioningValuesUpdate : 1;
  • trunk/Source/WebCore/rendering/svg/SVGRootInlineBox.cpp

    r116498 r116801  
    7474    ASSERT(textRoot);
    7575
     76    textRoot->rebuildLayoutAttributes();
    7677    Vector<SVGTextLayoutAttributes*>& layoutAttributes = textRoot->layoutAttributes();
    7778    if (layoutAttributes.isEmpty())
  • trunk/Source/WebCore/rendering/svg/SVGTextLayoutAttributesBuilder.cpp

    r116498 r116801  
    2727#include "SVGTextPositioningElement.h"
    2828
     29// Set to a value > 0 to dump the text layout attributes
     30#define DUMP_TEXT_LAYOUT_ATTRIBUTES 0
     31
    2932namespace WebCore {
    3033
     
    171174    for (unsigned i = 0; i < size; ++i)
    172175        fillCharacterDataMap(m_textPositions[i]);
     176
     177#if DUMP_TEXT_LAYOUT_ATTRIBUTES > 0
     178    fprintf(stderr, "\nDumping ALL layout attributes for RenderSVGText, renderer=%p, node=%p (m_textLength: %i)\n", textRoot, textRoot->node(), m_textLength);
     179    m_characterDataMap.dump();
     180#endif
    173181}
    174182
Note: See TracChangeset for help on using the changeset viewer.