Title: [139457] trunk
Revision: 139457
Author: fmal...@chromium.org
Date: 2013-01-11 10:10:10 -0800 (Fri, 11 Jan 2013)

Log Message

[SVG] Suppress resource rebuilding for unattached and shadow elements
https://bugs.webkit.org/show_bug.cgi?id=106664

Reviewed by Dirk Schulze.

Source/WebCore:

SVGStyledElement::buildPendingResourcesIfNeeded() can be called while cloning a subtree
(as nodes are inserted into the clone, while still detached) or when elements are inserted
into the shadow tree. Both of these cases are problematic for SVGUseElement and can trigger
indirect recursion in SVGUseElement::buildPendingResource.

Since shadow and !inDocument() nodes are of no interest to ID dependents (they cannot be
found by ID in the document), the patch short-circuits buildPendingResource() for these
cases.

Test: svg/custom/use-rebuild-resources-crash.svg

* svg/SVGStyledElement.cpp:
(WebCore::SVGStyledElement::buildPendingResourcesIfNeeded):

LayoutTests:

* svg/custom/use-rebuild-resources-crash-expected.txt: Added.
* svg/custom/use-rebuild-resources-crash.svg: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (139456 => 139457)


--- trunk/LayoutTests/ChangeLog	2013-01-11 18:06:57 UTC (rev 139456)
+++ trunk/LayoutTests/ChangeLog	2013-01-11 18:10:10 UTC (rev 139457)
@@ -1,3 +1,13 @@
+2013-01-11  Florin Malita  <fmal...@chromium.org>
+
+        [SVG] Suppress resource rebuilding for unattached and shadow elements
+        https://bugs.webkit.org/show_bug.cgi?id=106664
+
+        Reviewed by Dirk Schulze.
+
+        * svg/custom/use-rebuild-resources-crash-expected.txt: Added.
+        * svg/custom/use-rebuild-resources-crash.svg: Added.
+
 2013-01-11  Dominic Mazzoni  <dmazz...@google.com>
 
         AX: Computed hierarchical level is not consistent with aria-level

Added: trunk/LayoutTests/svg/custom/use-rebuild-resources-crash-expected.txt (0 => 139457)


--- trunk/LayoutTests/svg/custom/use-rebuild-resources-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-rebuild-resources-crash-expected.txt	2013-01-11 18:10:10 UTC (rev 139457)
@@ -0,0 +1,2 @@
+PASS: Did not crash.
+

Added: trunk/LayoutTests/svg/custom/use-rebuild-resources-crash.svg (0 => 139457)


--- trunk/LayoutTests/svg/custom/use-rebuild-resources-crash.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-rebuild-resources-crash.svg	2013-01-11 18:10:10 UTC (rev 139457)
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
+<svg id="svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg">
+  <!-- Test for https://bugs.webkit.org/show_bug.cgi?id=106664 -->
+  <defs>
+    <symbol id="s1">
+      <use/>
+      <rect id="r1"/>
+    </symbol>
+
+    <use id="u1" xlink:href=""
+
+    <style>
+      use { clip-path: url(#r1); }
+    </style>
+  </defs>
+
+  <text>PASS: Did not crash.</text>
+
+  <script>
+    function initCF() {
+      u1 = document.getElementById('u1');
+      clone = u1.cloneNode(false);
+      document.getElementById('svg').appendChild(clone);
+    }
+
+    if (window.testRunner)
+      testRunner.dumpAsText();
+
+    document.addEventListener("DOMContentLoaded", initCF, false);
+  </script>
+</svg>
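
Review bot: As shown here, the `<use id="u1" xlink:href=""` line in `<defs>` is never closed with `/>` and has an empty href, so the file would not parse as well-formed XML and `u1` would reference nothing; please confirm the committed test has the complete element. In `initCF()`, `u1` and `clone` are assigned without `var` and become implicit globals. A short comment saying which of the two cases from the log message (detached clone or shadow-tree insertion) the `cloneNode(false)` plus `appendChild` sequence exercises would make the test easier to maintain.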

Modified: trunk/Source/WebCore/ChangeLog (139456 => 139457)


--- trunk/Source/WebCore/ChangeLog	2013-01-11 18:06:57 UTC (rev 139456)
+++ trunk/Source/WebCore/ChangeLog	2013-01-11 18:10:10 UTC (rev 139457)
@@ -1,3 +1,24 @@
+2013-01-11  Florin Malita  <fmal...@chromium.org>
+
+        [SVG] Suppress resource rebuilding for unattached and shadow elements
+        https://bugs.webkit.org/show_bug.cgi?id=106664
+
+        Reviewed by Dirk Schulze.
+
+        SVGStyledElement::buildPendingResourcesIfNeeded() can be called while cloning a subtree
+        (as nodes are inserted into the clone, while still detached) or when elements are inserted
+        into the shadow tree. Both of these cases are problematic for SVGUseElement and can trigger
+        indirect recursion in SVGUseElement::buildPendingResource.
+
+        Since shadow and !inDocument() nodes are of no interest to ID dependents (they cannot be
+        found by ID in the document), the patch short-circuits buildPendingResource() for these
+        cases.
+
+        Test: svg/custom/use-rebuild-resources-crash.svg
+
+        * svg/SVGStyledElement.cpp:
+        (WebCore::SVGStyledElement::buildPendingResourcesIfNeeded):
+
 2013-01-11  Dominic Mazzoni  <dmazz...@google.com>
 
         AX: Computed hierarchical level is not consistent with aria-level
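
Review bot: The entry names the function inconsistently: the second paragraph says the patch short-circuits `buildPendingResource()`, while the function listed as changed is `SVGStyledElement::buildPendingResourcesIfNeeded`. Using the changed function's name in that sentence, and keeping `SVGUseElement::buildPendingResource` only for the recursion being avoided, would make the log match the code.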

Modified: trunk/Source/WebCore/svg/SVGStyledElement.cpp (139456 => 139457)


--- trunk/Source/WebCore/svg/SVGStyledElement.cpp	2013-01-11 18:06:57 UTC (rev 139456)
+++ trunk/Source/WebCore/svg/SVGStyledElement.cpp	2013-01-11 18:10:10 UTC (rev 139457)
@@ -356,7 +356,7 @@
 void SVGStyledElement::buildPendingResourcesIfNeeded()
 {
     Document* document = this->document();
-    if (!needsPendingResourceHandling() || !document)
+    if (!needsPendingResourceHandling() || !document || !inDocument() || isInShadowTree())
         return;
 
     SVGDocumentExtensions* extensions = document->accessSVGExtensions();
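
Review bot: The widened early return in `buildPendingResourcesIfNeeded()` (`|| !inDocument() || isInShadowTree()`) carries no comment, so the reason detached and shadow-tree elements are skipped lives only in the ChangeLog; a one-line comment above the `if` would keep it next to the code. It is also worth confirming that this function is called again once a detached subtree is inserted into the document, since the visible lines do not show the call sites and a skipped element with an ID would otherwise leave its dependents' pending resources unresolved.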
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
