Reviewed by Eric.
authorzimmermann@webkit.org <zimmermann@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jan 2008 11:10:45 +0000 (11:10 +0000)
committerzimmermann@webkit.org <zimmermann@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jan 2008 11:10:45 +0000 (11:10 +0000)
- fix http://bugs.webkit.org/show_bug.cgi?id=16967
<rdar://problem/5699344> Reproducible crash when navigating back to a page using SVG fonts

Test: svg/custom/font-platformDestroy-crash.svg

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29717 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/platform/mac/svg/custom/font-platformDestroy-crash-expected.checksum [new file with mode: 0644]
LayoutTests/platform/mac/svg/custom/font-platformDestroy-crash-expected.png [new file with mode: 0644]
LayoutTests/svg/custom/font-platformDestroy-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/font-platformDestroy-crash.svg [new file with mode: 0644]
WebCore/ChangeLog
WebCore/platform/graphics/SimpleFontData.cpp

index 8d50d5a..2af8186 100644 (file)
@@ -1,3 +1,15 @@
+2008-01-22  Dan Bernstein  <mitz@apple.com>
+         Reviewed by Eric.
+         - test for http://bugs.webkit.org/show_bug.cgi?id=16967
+           <rdar://problem/5699344> Reproducible crash when navigating back to a page using SVG fonts
+         * platform/mac/svg/custom/font-platformDestroy-crash-expected.checksum: Added.
+         * platform/mac/svg/custom/font-platformDestroy-crash-expected.png: Added.
+         * svg/custom/font-platformDestroy-crash-expected.txt: Added.
+         * svg/custom/font-platformDestroy-crash.svg: Added.
 2008-01-22  Lars Knoll  <lars@trolltech.com>
 
         Reviewed by Simon.
diff --git a/LayoutTests/platform/mac/svg/custom/font-platformDestroy-crash-expected.checksum b/LayoutTests/platform/mac/svg/custom/font-platformDestroy-crash-expected.checksum
new file mode 100644 (file)
index 0000000..29254ce
--- /dev/null
@@ -0,0 +1 @@
+36495a84eddd8c4a721713c5c5fc27a7
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/custom/font-platformDestroy-crash-expected.png b/LayoutTests/platform/mac/svg/custom/font-platformDestroy-crash-expected.png
new file mode 100644 (file)
index 0000000..1d30f04
Binary files /dev/null and b/LayoutTests/platform/mac/svg/custom/font-platformDestroy-crash-expected.png differ
diff --git a/LayoutTests/svg/custom/font-platformDestroy-crash-expected.txt b/LayoutTests/svg/custom/font-platformDestroy-crash-expected.txt
new file mode 100644 (file)
index 0000000..ee332d6
--- /dev/null
@@ -0,0 +1,2 @@
+1
+Test for http://bugs.webkit.org/show_bug.cgi?id=16967
diff --git a/LayoutTests/svg/custom/font-platformDestroy-crash.svg b/LayoutTests/svg/custom/font-platformDestroy-crash.svg
new file mode 100644 (file)
index 0000000..42538d2
--- /dev/null
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Tiny//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-tiny.dtd">
+
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="svg-root" width="100%" height="100%" viewBox="0 0 480 360">
+    <style id="style">
+        text { }
+    </style>
+    <g id="test-body-content" font-size="10">
+        <defs>
+        <font id="embeded" horiz-adv-x="224">
+<font-face font-family="embeded" units-per-em="1000" panose-1="0 0 0 0 0 0 0 0 0 0" ascent="917" descent="-250" alphabetic="0"/>
+            <glyph unicode="1" glyph-name="gl_1" horiz-adv-x="1500" d="M 0 0 L 250 0 L 250 250 L 0 250 Z"/>
+        </font>
+        </defs>
+
+        <g transform="translate(100, 40)">
+            <text font-family="embeded">1</text>
+        </g>
+        <g transform="translate(100, 60)">
+            <text>Test for http://bugs.webkit.org/show_bug.cgi?id=16967</text>
+        </g>
+    </g>
+
+    <script><![CDATA[
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+
+        var style = document.getElementById("style");
+        var parent = style.parentNode;
+
+        for (var t = 0; t < 50; t++) {
+            parent.offsetTop;
+            parent.removeChild(style);
+            parent.appendChild(style);
+        }
+    ]]></script>
+</svg>
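Review bot: The script block carries no comment saying what the loop exercises, and the expected output (`1` plus the bug URL) only shows that the page survived, so a reader cannot tell why the `<style>` element is removed and re-appended 50 times. A short comment above the `for` would help, for example `// Re-attaching the style element invalidates style on each pass; reading offsetTop forces layout in between.` The wording should be confirmed by the author, since the link to font data being destroyed is inferred from the file name and the bug title rather than from anything in the test itself.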
index b6ef1c7..c797129 100644 (file)
@@ -1,3 +1,17 @@
+2008-01-22  Dan Bernstein  <mitz@apple.com>
+         Reviewed by Eric.
+         - fix http://bugs.webkit.org/show_bug.cgi?id=16967
+           <rdar://problem/5699344> Reproducible crash when navigating back to a page using SVG fonts
+         Test: svg/custom/font-platformDestroy-crash.svg
+         * platform/graphics/SimpleFontData.cpp:
+         (WebCore::SimpleFontData::~SimpleFontData): Changed to call
+         platformDestroy() only if platformInit() was called from the
+         constructor.
+
 2008-01-22  Lars Knoll  <lars@trolltech.com>
 
         Reviewed by Simon.
index ffe2569..b11c552 100644 (file)
@@ -113,7 +113,10 @@ SimpleFontData::SimpleFontData(const FontPlatformData& f, bool customFont, bool
 
 SimpleFontData::~SimpleFontData()
 {
-    platformDestroy();
+#if ENABLE(SVG_FONTS) && !PLATFORM(QT)
+    if (!m_svgFontData || !m_svgFontData->svgFontFaceElement())
+#endif
+        platformDestroy();
 
     // We only get deleted when the cache gets cleared.  Since the smallCapsRenderer is also in that cache,
     // it will be deleted then, so we don't need to do anything here.
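Review bot: The new guard `if (!m_svgFontData || !m_svgFontData->svgFontFaceElement())` recomputes at destruction time whether platformInit() ran instead of recording it. It is therefore correct only while it mirrors the constructor's condition (outside this hunk) and while svgFontFaceElement() returns the same answer for the whole lifetime of the object. If either drifts, platformDestroy() could run on platform members that were never initialised, or be skipped for ones that were. Consider storing the decision in a member set by the constructor (a new flag, e.g. `if (m_platformInitialized) platformDestroy();`), or at least add `// Must match the platformInit() condition in the constructor.` above the `#if`. Bracing the call would also make the `#if`-wrapped, unbraced `if` harder to break in later edits.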