Crash due to floats not cleared before starting SVG <text> layout.
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Apr 2012 18:21:05 +0000 (18:21 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Apr 2012 18:21:05 +0000 (18:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=83021

Reviewed by Dirk Schulze.

.:

* ManualTests/svg-text-float-not-removed-crash.html: Added.

Source/WebCore:

Manual Test - ManualTests/svg-text-float-not-removed-crash.html.
Can't reproduce the failure in DRT.

forceLayoutInlineChildren is used in SVG <text> layout and overrides
RenderBlock::layoutBlock. However, it missed the 'clearFloats' step,
which will cause a crash when trying to access removed renderers.

* rendering/RenderBlock.h:
(WebCore::RenderBlock::forceLayoutInlineChildren):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@113597 268f45cc-cd09-0410-ab3c-d52691b4dbfc

ChangeLog
ManualTests/svg-text-float-not-removed-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.h

index a1f954f..48d1955 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-04-09  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to floats not cleared before starting SVG <text> layout.
+        https://bugs.webkit.org/show_bug.cgi?id=83021
+
+        Reviewed by Dirk Schulze.
+
+        * ManualTests/svg-text-float-not-removed-crash.html: Added.
+
 2012-04-09  Patrick Gansterer  <paroga@webkit.org>
 
         [CMake] Build fix for USE_SYSTEM_MALLOC after r113570.
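Review bot: The top-level ChangeLog entry lists only the added manual test and gives no reason why this is a ManualTest rather than a LayoutTest; carrying the WebCore entry's one-liner ("Can't reproduce the failure in DRT.") here too would stop the next reader from hunting for a missing regression test.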
diff --git a/ManualTests/svg-text-float-not-removed-crash.html b/ManualTests/svg-text-float-not-removed-crash.html
new file mode 100755 (executable)
index 0000000..e03937f
--- /dev/null
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<script>
+setInterval(function(){
+    var elements = document.getElementsByTagName("*");
+    var didRemoveElement = false;
+    for (var i = 0; i < elements.length; i++) {
+        var element = elements.item(i);
+        if (!element.firstElementChild && element != document.documentElement) {
+            didRemoveElement = true;
+            try { 
+                element.parentNode.removeChild(element)
+            } catch(e) { }
+        }
+    }
+
+    if (!didRemoveElement)
+        document.documentElement.innerHTML = "PASS. WebKit didn't crash.";
+}, 100);
+</script>
+<style>
+#test1:after {
+    float: left; 
+    content: 'A';
+}
+</style>
+<svg>
+<text>
+<a id="test1">
+A
+</a>
+</text>
+</svg>
+</html>
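Review bot: The interval is never cleared once the page passes, so `document.documentElement.innerHTML = "PASS. WebKit didn't crash.";` is re-executed every 100 ms for as long as the page stays open; keep the handle from `setInterval` and call `clearInterval` in the `!didRemoveElement` branch. The file also says nothing about what a tester should expect (the bug URL and that the page must not crash and should end up showing PASS), and nothing else ties it to bug 83021, so a short HTML comment at the top would help. Minor: the empty `catch(e) { }` around `removeChild` is fine for a crash test but deserves a comment so it is not mistaken for an oversight.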
index 63fe4ac..dced877 100644 (file)
@@ -1,3 +1,20 @@
+2012-04-09  Abhishek Arya  <inferno@chromium.org>
+
+        Crash due to floats not cleared before starting SVG <text> layout.
+        https://bugs.webkit.org/show_bug.cgi?id=83021
+
+        Reviewed by Dirk Schulze.
+
+        Manual Test - ManualTests/svg-text-float-not-removed-crash.html.
+        Can't reproduce the failure in DRT.
+
+        forceLayoutInlineChildren is used in SVG <text> layout and overrides
+        RenderBlock::layoutBlock. However, it missed the 'clearFloats' step,
+        which will cause a crash when trying to access removed renderers.
+
+        * rendering/RenderBlock.h:
+        (WebCore::RenderBlock::forceLayoutInlineChildren):
+
 2012-04-09  Jeffrey Pfau  <jpfau@apple.com>
 
         Filter files from dataTransfer.getData on Mac
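Review bot: The description says forceLayoutInlineChildren "missed the 'clearFloats' step" but never states what the "removed renderers" are; spelling out that the block still holds floats whose renderers were destroyed when the float's element was removed, and that SVG <text> layout then dereferences them (a use-after-free), would make the crash class clear to anyone reading the ChangeLog without the bug. The entry also lists (WebCore::RenderBlock::forceLayoutInlineChildren) with no per-function line; something like "Clear floats before laying out inline children, as layoutBlock does." would match the rest of the file.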
index 25d8228..b2d8283 100644 (file)
@@ -458,6 +458,7 @@ protected:
     {
         LayoutUnit repaintLogicalTop = 0;
         LayoutUnit repaintLogicalBottom = 0;
+        clearFloats(NormalLayoutPass);
         layoutInlineChildren(true, repaintLogicalTop, repaintLogicalBottom);
     }
 #endif
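Review bot: The added `clearFloats(NormalLayoutPass);` has no comment explaining why it must precede `layoutInlineChildren(true, repaintLogicalTop, repaintLogicalBottom);`; because forceLayoutInlineChildren deliberately bypasses RenderBlock::layoutBlock, a later cleanup could drop the call without realising it mirrors layoutBlock's own clearFloats step and reintroduce the crash from bug 83021. Suggest a comment such as `// Mirror RenderBlock::layoutBlock: drop floats whose renderers may already be gone before inline layout.` It is also worth asking whether any other state that layoutBlock resets before inline layout is skipped by this override, since that is how this bug arose.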