Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 129b14f468f58370e544d83bf0c9e34b4c0664a9
https://github.com/WebKit/WebKit/commit/129b14f468f58370e544d83bf0c9e34b4c0664a9
Author: Ahmad Saleem <[email protected]>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M Source/WebCore/rendering/svg/RenderSVGText.cpp
Log Message:
-----------
ASSERTION FAILED: newLayoutAttributes == expectedLayoutAttributes in
RenderSVGText::subtreeChildWillBeRemoved with display:contents <tspan>/<svg>
https://bugs.webkit.org/show_bug.cgi?id=315918
rdar://178328790
Reviewed by Taher Ali.
RenderSVGText caches the layout attributes of its RenderSVGInlineText
descendants in m_layoutAttributes, kept in sync via subtreeChildWasAdded()
and subtreeChildWillBeRemoved(). subtreeChildWillBeRemoved() began with a
debug-only checkLayoutAttributesConsistency() call that re-walks the subtree
and asserts the freshly collected attributes equal the cached vector.
That invariant does not always hold. While a subtree is being mutated the
cache can be transiently out of sync with the render tree -- for example when
display:contents reparenting moves inline text around, or when a
text-transform: capitalize driven setTextInternal() fires mid-mutation before
subtreeChildWasAdded() has updated m_layoutAttributes. The removeFirst() that
follows tolerates this and the cache is rebuilt afterwards, so the assertion
is over-strict. In debug builds it could crash (intermittently, depending on
mutation/teardown timing), e.g. on
css/css-display/display-contents-svg-elements.html during navigation teardown.
Remove the consistency check from subtreeChildWillBeRemoved(). The checks
in layout(), where the attributes are expected to be consistent, are left in
place.
* Source/WebCore/rendering/svg/RenderSVGText.cpp:
(WebCore::RenderSVGText::subtreeChildWillBeRemoved):
Canonical link: https://commits.webkit.org/314245@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
