[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-25-gb2c19be

Gustavo Noronha Silva gns at gnome.org
Mon Sep 6 13:09:45 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit e5bad7c10655bc20dee226113612684a80474147
Author: zimmermann at webkit.org <zimmermann at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jul 7 14:17:27 2010 +0000

    2010-07-06  Nikolas Zimmermann  <nzimmermann at rim.com>
    
            Reviewed by Dirk Schulze.
    
            <use> on <font-face> causes crashes, if SVGUseElement gets detached
            https://bugs.webkit.org/show_bug.cgi?id=41621
    
            Do not call removeFromMappedElementSheet() from the SVGFontFaceElement destructor,
            as that can potentially cause the element to be reattached while destructing.
    
            In order to fix the crash in the testcase, the order of calling the base-class detach
            method in SVGUseElement and the instance/shadow tree destruction has to be reversed,
            matching the order in removedFromDocument().
    
            Test: svg/custom/use-font-face-crash.svg
    
            * svg/SVGFontFaceElement.cpp:
            (WebCore::SVGFontFaceElement::~SVGFontFaceElement): Remove removeFromMappedElementSheet() call.
            * svg/SVGUseElement.cpp:
            (WebCore::SVGUseElement::detach): Reverse order of calling base-class detach method and instance/shadow tree destruction.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62662 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 19e349a..4095925 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-07-06  Nikolas Zimmermann  <nzimmermann at rim.com>
+
+        Reviewed by Dirk Schulze.
+
+        <use> on <font-face> causes crashes, if SVGUseElement gets detached
+        https://bugs.webkit.org/show_bug.cgi?id=41621
+
+        * platform/mac/svg/custom/use-font-face-crash-expected.checksum: Added.
+        * platform/mac/svg/custom/use-font-face-crash-expected.png: Added.
+        * platform/mac/svg/custom/use-font-face-crash-expected.txt: Added.
+        * svg/custom/use-font-face-crash.svg: Added.
+
 2010-07-05  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.checksum b/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.checksum
new file mode 100644
index 0000000..e899888
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.checksum
@@ -0,0 +1 @@
+e2453e081881660aae0be67c2ac82345
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.png b/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.png
new file mode 100644
index 0000000..e009288
Binary files /dev/null and b/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.png differ
diff --git a/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.txt b/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.txt
new file mode 100644
index 0000000..960b9e8
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/use-font-face-crash-expected.txt
@@ -0,0 +1,23 @@
+layer at (0,0) size 785x778
+  RenderView at (0,0) size 785x600
+layer at (0,0) size 785x778
+  RenderBlock {html} at (0,0) size 785x778
+    RenderBody {body} at (8,16) size 769x754
+      RenderBlock {parsererror} at (16,0) size 737x134 [bgcolor=#FFDDDD] [border: (2px solid #CC7777)]
+        RenderBlock {h3} at (18,20) size 701x22
+          RenderText {#text} at (0,0) size 324x22
+            text run at (0,0) width 324: "This page contains the following errors:"
+        RenderBlock {div} at (18,60) size 701x14
+          RenderText {#text} at (0,0) size 490x14
+            text run at (0,0) width 490: "error on line 1 at column 74: Extra content at the end of the document"
+            text run at (490,0) width 0: " "
+        RenderBlock {h3} at (18,92) size 701x22
+          RenderText {#text} at (0,0) size 429x22
+            text run at (0,0) width 429: "Below is a rendering of the page up to the first error."
+      RenderBlock (anonymous) at (0,150) size 769x604
+        RenderSVGRoot {svg} at (8,166) size 769x600
+          RenderSVGText {text} at (0,6) size 335x18 contains 1 chunk(s)
+            RenderSVGInlineText {#text} at (0,0) size 335x18
+              chunk 1 text run 1 at (0.00,20.00) startOffset 0 endOffset 53 width 335.00: "This should not crash, but display an error document."
+          RenderSVGContainer {use} at (8,166) size 0x0
+            RenderSVGContainer {g} at (8,166) size 0x0
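Review bot: The new baselines (this render tree dump, plus the .png and .checksum) are added only under platform/mac, and the dump records font-dependent metrics such as "size 324x22" and "width 490". Other ports will therefore have either no expected result or one that does not match. The test only has to show that the document loads without crashing and falls back to the error document, so a text-only expected result shared by all platforms would be less brittle than a pixel and render tree baseline.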
diff --git a/LayoutTests/svg/custom/use-font-face-crash.svg b/LayoutTests/svg/custom/use-font-face-crash.svg
new file mode 100644
index 0000000..c3e9d4b
--- /dev/null
+++ b/LayoutTests/svg/custom/use-font-face-crash.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><text y="20">This should not crash, but display an error document.</text><font-face id="foo"/> <use xlink:href="#foo"/><error>
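Review bot: The whole test is a single line ending in an unclosed <error> element, and nothing in the file says that the malformed tail is deliberate or which bug it covers. Consider adding a short XML comment that names bug 41621 and states that the unclosed element is intentional, so that a later cleanup does not "repair" the markup and silently disable the regression test. The line and column in use-font-face-crash-expected.txt would need regenerating if the layout of the file changes.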
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index cc8cff2..d7173ee 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2010-07-06  Nikolas Zimmermann  <nzimmermann at rim.com>
+
+        Reviewed by Dirk Schulze.
+
+        <use> on <font-face> causes crashes, if SVGUseElement gets detached
+        https://bugs.webkit.org/show_bug.cgi?id=41621
+
+        Do not call removeFromMappedElementSheet() from the SVGFontFaceElement destructor,
+        as that can potentially cause the element to be reattached while destructing.
+
+        In order to fix the crash in the testcase, the order of calling the base-class detach
+        method in SVGUseElement and the instance/shadow tree destruction has to be reversed,
+        matching the order in removedFromDocument().
+
+        Test: svg/custom/use-font-face-crash.svg
+
+        * svg/SVGFontFaceElement.cpp:
+        (WebCore::SVGFontFaceElement::~SVGFontFaceElement): Remove removeFromMappedElementSheet() call.
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::detach): Reverse order of calling base-class detach method and instance/shadow tree destruction.
+
 2010-07-05  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/svg/SVGFontFaceElement.cpp b/WebCore/svg/SVGFontFaceElement.cpp
index 25b3aea..de646c6 100644
--- a/WebCore/svg/SVGFontFaceElement.cpp
+++ b/WebCore/svg/SVGFontFaceElement.cpp
@@ -59,7 +59,6 @@ SVGFontFaceElement::SVGFontFaceElement(const QualifiedName& tagName, Document* d
 
 SVGFontFaceElement::~SVGFontFaceElement()
 {
-    removeFromMappedElementSheet();
 }
 
 static int cssPropertyIdForSVGAttributeName(const QualifiedName& attrName)
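Review bot: With removeFromMappedElementSheet() gone, ~SVGFontFaceElement() has an empty body and this hunk shows no other place where the element's entry is taken out of the mapped element sheet. Please confirm, in the ChangeLog or in a comment here, which path now does that cleanup (for example when the element is removed from the document), so that the sheet cannot keep a rule belonging to a destroyed element. If the destructor is kept empty, a one-line comment saying why the call must not be made during destruction would stop it from being reintroduced.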
diff --git a/WebCore/svg/SVGUseElement.cpp b/WebCore/svg/SVGUseElement.cpp
index 45bab6a..57d56e1 100644
--- a/WebCore/svg/SVGUseElement.cpp
+++ b/WebCore/svg/SVGUseElement.cpp
@@ -572,8 +572,8 @@ void SVGUseElement::attach()
 
 void SVGUseElement::detach()
 {
-    SVGStyledTransformableElement::detach();
     m_targetElementInstance = 0;
+    SVGStyledTransformableElement::detach();
 }
 
 static bool isDirectReference(Node* n)
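Review bot: In SVGUseElement::detach() the ordering of "m_targetElementInstance = 0;" before "SVGStyledTransformableElement::detach();" is now what prevents the crash, but the code carries no comment saying so, and the two lines look freely reorderable. Please add a comment stating that the instance tree must be released before the base-class detach and that this mirrors removedFromDocument(). The commit message also mentions shadow tree destruction, while the visible lines only clear m_targetElementInstance; if the shadow tree root is held separately it should be released in the same place.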

-- 
WebKit Debian packaging


