Context Navigation

← Previous Changeset
Next Changeset →

Changeset 161630 in webkit

Timestamp:

Jan 10, 2014 4:33:09 AM (10 years ago)

Author:

Antti Koivisto

Message:

Crash when mutating SVG text with transform
https://bugs.webkit.org/show_bug.cgi?id=126744

Reviewed by Dirk Schulze.

Source/WebCore:

Test: svg/custom/mutation-text-transform-crash.html

Text-transform property triggers subtreeTextDidChange when an SVG text renderer is
being added to the render tree. The function assumes the child is already fully in the tree
but in this case we are still in middle of adding it.

rendering/svg/RenderSVGText.cpp:

(WebCore::RenderSVGText::subtreeTextDidChange):

Bail out if the changed RenderSVGInlineText can't be found from m_layoutAttributes.
This means that subtreeChildWasAdded hasn't been invoked yet for it and there is nothing
to update. The required updates will happen in subtreeChildWasAdded.

LayoutTests:

svg/custom/mutation-text-transform-crash-expected.txt: Added.
svg/custom/mutation-text-transform-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/svg/custom/mutation-text-transform-crash-expected.txt (added)
LayoutTests/svg/custom/mutation-text-transform-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/rendering/svg/RenderSVGText.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r161629
+                      r161630
+-01-10  Antti Koivisto  <antti@apple.com>
+        Crash when mutating SVG text with transform
+        https://bugs.webkit.org/show_bug.cgi?id=126744
+        Reviewed by Dirk Schulze.
+        * svg/custom/mutation-text-transform-crash-expected.txt: Added.
+        * svg/custom/mutation-text-transform-crash.html: Added.
 -01-10  Frédéric Wang  <fred.wang@free.fr>

trunk/Source/WebCore/ChangeLog

-                      r161629
+                      r161630
+-01-10  Antti Koivisto  <antti@apple.com>
+        Crash when mutating SVG text with transform
+        https://bugs.webkit.org/show_bug.cgi?id=126744
+        Reviewed by Dirk Schulze.
+        Test: svg/custom/mutation-text-transform-crash.html
+        Text-transform property triggers subtreeTextDidChange when an SVG text renderer is
+        being added to the render tree. The function assumes the child is already fully in the tree
+        but in this case we are still in middle of adding it.
+        * rendering/svg/RenderSVGText.cpp:
+        (WebCore::RenderSVGText::subtreeTextDidChange):
+            Bail out if the changed RenderSVGInlineText can't be found from m_layoutAttributes.
+            This means that subtreeChildWasAdded hasn't been invoked yet for it and there is nothing
+            to update. The required updates will happen in subtreeChildWasAdded.
 -01-10  Frédéric Wang  <fred.wang@free.fr>

trunk/Source/WebCore/rendering/svg/RenderSVGText.cpp

-                      r161418
+                      r161630
         return;
+    }
+    // Text transforms can cause text change to be signaled during addChild before m_layoutAttributes has been updated.
+    if (!m_layoutAttributes.contains(text->layoutAttributes())) {
+        ASSERT(!text->everHadLayout());
+        return;
+    }
     // Always protect the cache before clearing text positioning elements when the cache will subsequently be rebuilt.

Note: See TracChangeset for help on using the changeset viewer.