https://bugs.webkit.org/show_bug.cgi?id=80729
Patch by Philip Rogers <pdr@google.com> on 2012-03-13
Reviewed by Nikolas Zimmermann.
Source/WebCore:
Previously, we were allowing SVGTextFragments to get out of sync with the
actual text in RenderSVGInlineTextBox. This patch reuses the dirty line
box code in RenderText::setTextWithOffset to force
clearTextFragments() when setTextWithOffset is called, preventing the use
of stale SVGTextFragments.
Test: svg/custom/delete-text-crash.html
* rendering/InlineBox.h:
(InlineBox):
* rendering/svg/SVGInlineTextBox.cpp:
(WebCore::SVGInlineTextBox::dirtyLineBoxes):
(WebCore):
* rendering/svg/SVGInlineTextBox.h:
(SVGInlineTextBox):
LayoutTests:
* svg/custom/delete-text-crash-expected.png: Added.
* svg/custom/delete-text-crash-expected.txt: Added.
* svg/custom/delete-text-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@110593 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2012-03-13 Philip Rogers <pdr@google.com>
+
+ Fix the use of stale text fragments
+ https://bugs.webkit.org/show_bug.cgi?id=80729
+
+ Reviewed by Nikolas Zimmermann.
+
+ * svg/custom/delete-text-crash-expected.png: Added.
+ * svg/custom/delete-text-crash-expected.txt: Added.
+ * svg/custom/delete-text-crash.html: Added.
+
2012-03-13 Ojan Vafai <ojan@chromium.org>
Fix some broken layout test rebaselines from the various chromium-lion
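Review bot: The LayoutTests ChangeLog entry lists the three added files but says nothing about what the test exercises or why it ships pixel and render-tree baselines rather than a text-only dump. The reason lives only in a comment inside delete-text-crash.html (waiting on WK81006 before switching to DumpAsText); a one-line summary such as "No-crash test for deleting selected SVG text; uses render tree output until WK81006 is fixed" in the entry would keep that context visible to anyone reading the log without opening the test.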
--- /dev/null
+layer at (0,0) size 800x616
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x616
+ RenderBlock {HTML} at (0,0) size 800x616
+ RenderBody {BODY} at (8,8) size 784x600
+ RenderSVGRoot {svg} at (8,8) size 16x4
+ RenderSVGContainer {g} at (8,8) size 16x4
+ RenderSVGRect {rect} at (8,8) size 0x0 [fill={[type=SOLID] [color=#000000]}] [x=0.00] [y=0.00] [width=0.00] [height=0.00]
+ [filter="x"] RenderSVGResourceFilter {filter} at (-78.40,-60) size 940.80x720
+ RenderSVGText {text} at (0,-15) size 14x19 contains 1 chunk(s)
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGResourceFilter {filter} [id="x"] [filterUnits=objectBoundingBox] [primitiveUnits=userSpaceOnUse]
+ RenderText {#text} at (0,0) size 0x0
+caret: position 1 of child 0 {#text} of child 3 {text} of child 1 {g} of child 1 {svg} of body
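Review bot: The expectation is a full render-tree dump with fractional, platform-dependent geometry (`RenderSVGResourceFilter {filter} at (-78.40,-60) size 940.80x720`) and a caret position, for a test whose only pass criterion is "no crash or assert". That makes the baseline fragile on every port and turns any future layout change in SVG filters or selection into a rebaseline of a crash test. The test already notes that it should move to DumpAsText once WK81006 is fixed; please make sure that bug references this test so the .png and .txt baselines get dropped at that point.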
--- /dev/null
+<html>
+<!-- This test passes if there is no crash or assert -->
+<!-- This test should be updated to use DumpAsText once WK81006 is fixed -->
+<!-- The style overflow should be removed once we migrate to DumpAsText as well -->
+<style type="text/css">
+ body {
+ overflow: hidden;
+ }
+</style>
+<script>
+ function testCrash() {
+ q = document.getElementById('root');
+ r = document.createRange();
+ r.selectNodeContents( q.getElementById('t') );
+ window.getSelection().addRange(r)
+ document.designMode='on';
+ document.execCommand('delete');
+ document.execCommand('delete');
+ }
+</script>
+<body onload="testCrash()">
+<svg id="root" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <g>
+ <rect filter="url(#x)"/>
+ <text>aa</text>
+ <rect id="t"/>
+ <style></style>
+ <text>bb</text>
+ </g>
+ <filter id="x"></filter>
+</svg>
+</body>
+</html>
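Review bot: The comments say what the test must not do (crash or assert) but not why this particular structure reproduces the bug, so a future simplification could silently stop covering the fix. A short comment tying the two `execCommand('delete')` calls to editing the `<text>` nodes in place, which is the `RenderText::setTextWithOffset` path that the ChangeLog says now clears the fragments, and explaining why the `filter`, the empty `<style>` and the `<rect id="t">` are needed, would make the test self-documenting. Two small style points in `testCrash()`: `q` and `r` are implicit globals (use `var`), and `window.getSelection().addRange(r)` is missing its terminating semicolon.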
+2012-03-13 Philip Rogers <pdr@google.com>
+
+ Fix the use of stale text fragments
+ https://bugs.webkit.org/show_bug.cgi?id=80729
+
+ Reviewed by Nikolas Zimmermann.
+
+ Previously, we were allowing SVGTextFragments to get out of sync with the
+ actual text in RenderSVGInlineTextBox. This patch reuses the dirty line
+ box code in RenderText::setTextWithOffset to force
+ clearTextFragments() when setTextWithOffset is called, preventing the use
+ of stale SVGTextFragments.
+
+ Test: svg/custom/delete-text-crash.html
+
+ * rendering/InlineBox.h:
+ (InlineBox):
+ * rendering/svg/SVGInlineTextBox.cpp:
+ (WebCore::SVGInlineTextBox::dirtyLineBoxes):
+ (WebCore):
+ * rendering/svg/SVGInlineTextBox.h:
+ (SVGInlineTextBox):
+
2012-03-13 Nikolas Zimmermann <nzimmermann@rim.com>
SVG Animations update baseVal instead of animVal
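Review bot: The description says the patch "reuses the dirty line box code in RenderText::setTextWithOffset", but no RenderText file appears in the function list; the mechanism is actually that `InlineBox::dirtyLineBoxes()` becomes virtual and `SVGInlineTextBox` overrides it, so the existing call in `RenderText::setTextWithOffset` dispatches to the SVG override with no change to RenderText. Stating that explicitly (e.g. "no change to RenderText is needed because dirtyLineBoxes() is now virtual") would save the reader from looking for a missing hunk.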
bool isDirty() const { return m_dirty; }
void markDirty(bool dirty = true) { m_dirty = dirty; }
- void dirtyLineBoxes();
+ virtual void dirtyLineBoxes();
virtual RenderObject::SelectionState selectionState();
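Review bot: Making `dirtyLineBoxes()` virtual means `InlineTextBox::dirtyLineBoxes()` (called explicitly from the new SVG override) now overrides it implicitly instead of hiding it. That is the intended behaviour, but the `InlineTextBox` declaration should gain `OVERRIDE` as well, matching the `SVGInlineTextBox` declaration in this patch, so the compiler will catch any future signature drift between the three. Since `InlineBox` already has virtual members (`selectionState()` in the context lines), there is no new vtable or object-size cost here.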
{
}
+void SVGInlineTextBox::dirtyLineBoxes()
+{
+ InlineTextBox::dirtyLineBoxes();
+
+ // Clear the now stale text fragments
+ clearTextFragments();
+}
+
int SVGInlineTextBox::offsetForPosition(float, bool) const
{
// SVG doesn't use the standard offset <-> position selection system, as it's not suitable for SVGs complex needs.
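Review bot: After `clearTextFragments()` the box has an empty fragment vector until the next layout, so any consumer of `textFragments()` that can run against a dirty box (painting, selection rects, `positionForOffset`) must tolerate an empty vector; if those paths assume at least one fragment, an `ASSERT` or early return there would turn a future stale-fragment bug into a clean failure rather than a crash. The ordering (base `InlineTextBox::dirtyLineBoxes()` first, then clear) is right. Style: WebKit comments end with a period, so `// Clear the now stale text fragments.`.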
Vector<SVGTextFragment>& textFragments() { return m_textFragments; }
const Vector<SVGTextFragment>& textFragments() const { return m_textFragments; }
+ void dirtyLineBoxes() OVERRIDE;
+
bool startsNewTextChunk() const { return m_startsNewTextChunk; }
void setStartsNewTextChunk(bool newTextChunk) { m_startsNewTextChunk = newTextChunk; }
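Review bot: For consistency with the base declaration (`virtual void dirtyLineBoxes();` in InlineBox.h) and the other virtual overrides in the file, declare this as `virtual void dirtyLineBoxes() OVERRIDE;`. The placement between the `textFragments()` accessors and `startsNewTextChunk()` is also slightly odd; grouping it with the other overridden `InlineTextBox` virtuals would make it easier to see which base behaviour is being specialised.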