SVG <use> element inside an svg-as-image fails
author schenney@chromium.org <schenney@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Dec 2012 16:53:10 +0000 (16:53 +0000)
committer schenney@chromium.org <schenney@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Dec 2012 16:53:10 +0000 (16:53 +0000)
commit 528fa51a05d73c611740160e30782557134262dd
tree 4afbcdf276f9188346602aff1cbf499e305e348f
parent afa630b13203e91be62750a966b3001dfb25fc4b
SVG <use> element inside an svg-as-image fails
https://bugs.webkit.org/show_bug.cgi?id=104007

Reviewed by Eric Seidel.

Upon redraw, SVGImage calls layout on the document it is drawing into
the image, provided it believes the redraw does not need
to be delayed. Unfortunately, when an SVG <use> element is modified
(by animation, say) and regenerates its shadow tree, the destructors
invoke redraw, causing the SVGImage to call layout on something that
is in the process of being deleted. That's bad.

This change causes SVGImage to always delay the redraw. It is the most robust
way to protect against this problem, as there may be any number of
ways to cause this issue (a node being deleted in an svg-as-image
target) and this protects against them all.

The test case crashes in Asan Chromium.

Source/WebCore:

Test: svg/as-image/animated-use-as-image-crash.html

* svg/graphics/SVGImageCache.cpp:
(WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer.

LayoutTests:

* platform/chromium-win/svg/custom/use-disappears-after-style-update-expected.png: Changed as a result of this change.
* svg/as-image/animated-use-as-image-crash-expected.txt: Added.
* svg/as-image/animated-use-as-image-crash.html: Added.
* svg/as-image/resources/animated-href-on-use.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@136845 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/platform/chromium-win/svg/custom/use-disappears-after-style-update-expected.png
LayoutTests/svg/as-image/animated-use-as-image-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/as-image/animated-use-as-image-crash.html [new file with mode: 0644]
LayoutTests/svg/as-image/resources/animated-href-on-use.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/graphics/SVGImageCache.cpp
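
The failure mode and the fix described in the commit message, as an added example that is not WebKit code and not part of the original commit. All type and function names (`ImageCacheModel`, `NodeModel`, `DocumentModel`, `simulate`) are hypothetical, and a `tearingDown` flag stands in for "the tree is in the process of being deleted" so that the model counts unsafe layouts without touching freed memory.

```cpp
// Simplified model with hypothetical names; this is not WebKit code.
#include <cstdio>
#include <memory>
#include <vector>
struct DocumentModel;
struct ImageCacheModel {
    DocumentModel* doc = nullptr;
    bool alwaysDefer;               // true models the behaviour after the change
    bool redrawPending = false;
    int layoutsDuringTeardown = 0;  // layout ran while nodes were being destroyed
    int layoutsOnStableTree = 0;    // layout ran on a fully built tree
    explicit ImageCacheModel(bool defer) : alwaysDefer(defer) {}
    void redraw();
    // Reached from node destructors as well as from ordinary updates.
    void imageContentChanged() { if (alwaysDefer) redrawPending = true; else redraw(); }
    // Stands in for the redraw timer firing later from the event loop.
    void fireTimer() { if (redrawPending) { redrawPending = false; redraw(); } }
};
struct NodeModel {
    ImageCacheModel& cache;
    ~NodeModel() { cache.imageContentChanged(); }  // destructor requests a redraw
};
struct DocumentModel {
    ImageCacheModel& cache;
    bool tearingDown = false;
    std::vector<std::unique_ptr<NodeModel>> shadowTree;
    explicit DocumentModel(ImageCacheModel& c) : cache(c) {}
    ~DocumentModel() { tearingDown = true; shadowTree.clear(); }
    void regenerateShadowTree(int n) {
        tearingDown = true;
        shadowTree.clear();  // old nodes are destroyed here
        tearingDown = false;
        for (int i = 0; i < n; ++i) shadowTree.emplace_back(new NodeModel{cache});
    }
};
void ImageCacheModel::redraw() { ++(doc->tearingDown ? layoutsDuringTeardown : layoutsOnStableTree); }
struct Counts { int duringTeardown; int onStableTree; };
Counts simulate(bool alwaysDefer) {
    ImageCacheModel cache(alwaysDefer);
    DocumentModel doc(cache);
    cache.doc = &doc;
    doc.regenerateShadowTree(3);  // initial build, nothing is destroyed yet
    doc.regenerateShadowTree(3);  // regeneration destroys the three old nodes
    cache.fireTimer();
    return Counts{cache.layoutsDuringTeardown, cache.layoutsOnStableTree};
}
int main() {
    for (bool defer : {false, true}) { Counts c = simulate(defer);
        std::printf("defer=%d teardown=%d stable=%d\n", defer, c.duringTeardown, c.onStableTree); }
}
```

With immediate redraw every destroyed node triggers a layout against the half-deleted tree; with the redraw always deferred, the three requests coalesce into one layout that runs after regeneration has finished.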