REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth
authorfmalita@chromium.org <fmalita@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jun 2012 18:19:32 +0000 (18:19 +0000)
committerfmalita@chromium.org <fmalita@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jun 2012 18:19:32 +0000 (18:19 +0000)
commit4090fe999122603e4cd316b3a4db1ddf9ccb5fbf
tree6809368946cc3c12f65532bd48f32bf657453963
parent6320f5945240725003d526dbe9b4492fa4822d8f
REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth
https://bugs.webkit.org/show_bug.cgi?id=85797

Reviewed by Darin Adler.

Source/WebCore:

Test: svg/custom/svg-width-intrinsic-crash.html

RenderSVGRoot::computeReplacedLogicalWidth assumes that if
SVGSVGElement::widthAttributeEstablishesViewport returns false, the
SVG must be embedded via <object>. This is not always the case, though:
widthAttributeEstablishesViewport can also return false for inline
SVG if it doesn't have a replaced logical width.

Updated computeReplacedLogical{Width,Height} to handle the
!widthAttributeEstablishesViewport && !isEmbeddedThroughFrameContainingSVGDocument
case gracefully.

* rendering/svg/RenderSVGRoot.cpp:
(WebCore::RenderSVGRoot::computeReplacedLogicalWidth):
(WebCore::RenderSVGRoot::computeReplacedLogicalHeight):

LayoutTests:

* svg/custom/svg-width-intrinsic-crash-expected.txt: Added.
* svg/custom/svg-width-intrinsic-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@121041 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/svg/custom/svg-width-intrinsic-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/svg-width-intrinsic-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/svg/RenderSVGRoot.cpp