path: root/Source/JavaScriptCore/runtime/StringRecursionChecker.cpp
author: Stephen Chenney <schenney@chromium.org> 2013-02-06 18:00:57 +0100
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-02-07 19:21:24 +0100
commit: a135670457d4124569d2beeb3935d0763d047a20 (patch)
tree: fdf857a21f3693d4f0c389b00e421bd59fed9852 /Source/JavaScriptCore/runtime/StringRecursionChecker.cpp
parent: f47c0b0c6d7a96558273254f014d7515c04b42fb (diff)
download: qtwebkit-a135670457d4124569d2beeb3935d0763d047a20.tar.gz

SVG <use> element inside an svg-as-image fails
https://bugs.webkit.org/show_bug.cgi?id=104007

Reviewed by Eric Seidel.

Upon redraw, SVGImage calls layout on the document it is drawing into the image, provided it believes the redraw does not need to be delayed. Unfortunately, when an SVG <use> element is modified (by animation, say) and regenerates its shadow tree, the destructors invoke redraw, causing the SVGImage to call layout on something that is in the process of being deleted. That's bad.

This change causes SVGImage to always delay the redraw. It is the most robust way to protect against this problem, as there may be any number of ways to cause this issue (a node being deleted in an svg-as-image target) and this protects against them all.

The test case crashes in Asan Chromium.

Source/WebCore:

Test: svg/as-image/animated-use-as-image-crash.html

* svg/graphics/SVGImageCache.cpp:
(WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer.

LayoutTests:

* platform/chromium-win/svg/custom/use-disappears-after-style-update-expected.png: Changed as a result of this change.
* svg/as-image/animated-use-as-image-crash-expected.txt: Added.
* svg/as-image/animated-use-as-image-crash.html: Added.
* svg/as-image/resources/animated-href-on-use.svg: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136845 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: I83b299c26582db115bc921435f2c96da42f761d3
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

Diffstat (limited to 'Source/JavaScriptCore/runtime/StringRecursionChecker.cpp')
0 files changed, 0 insertions, 0 deletions