-rw-r--r--  Source/WebCore/ChangeLog                        | 26
-rw-r--r--  Source/WebCore/svg/graphics/SVGImageCache.cpp  | 11
2 files changed, 29 insertions, 8 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index da13e071b..1d256fe87 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -455,6 +455,32 @@
since BGR is not supported by QImage.
(WebCore::MediaPlayerPrivateQTKit::paint):
+2012-12-06 Stephen Chenney <schenney@chromium.org>
+
+ SVG <use> element inside an svg-as-image fails
+ https://bugs.webkit.org/show_bug.cgi?id=104007
+
+ Reviewed by Eric Seidel.
+
+ Upon redraw, SVGImage calls layout on the document it is drawing into
+ the image if the image, provided it believes the redraw does not need
+ to be delayed. Unfortunately, when an SVG <use> element is modified
+ (by animation, say) and regenerates its shadow tree, the destructors
+ invoke redraw, causing the SVGImage to call layout on something that
+ is in the process of being deleted. That's bad.
+
+ This change causes SVGImage to always delay the redraw. It is the most robust
+ way to protect against this problem, as there may be any number of
+ ways to cause this issue (a node being deleted in an svg-as-image
+ target) and this protects against them all.
+
+ The test case crashes in Asan Chromium.
+
+ Test: svg/as-image/animated-use-as-image-crash.html
+
+ * svg/graphics/SVGImageCache.cpp:
+ (WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer.
+
2012-12-03 Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Document::initSecurityContext() fails to call securityOrigin().grantLoadLocalResources()
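Review bot: the first paragraph of the new ChangeLog entry is garbled where it reads "calls layout on the document it is drawing into the image if the image, provided it believes the redraw does not need to be delayed"; the duplicated "the image if the image" should be cleaned up so the description of the crash (layout invoked on a document while a <use> shadow tree is being destroyed) is readable to whoever bisects to this change later. The entry also names svg/as-image/animated-use-as-image-crash.html as the test, but the diffstat shows only the two Source/WebCore files changing, so please confirm the test and its LayoutTests ChangeLog entry land together with this change; a crash regression test with no file in the tree is easy to lose. Finally, since the fix makes every dirty-image redraw asynchronous rather than only the ones during layout, a sentence noting that SVG image updates now always happen one timer fire later would help anyone chasing timing-sensitive rendering differences back to this commit.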
diff --git a/Source/WebCore/svg/graphics/SVGImageCache.cpp b/Source/WebCore/svg/graphics/SVGImageCache.cpp
index 358f2caa8..e5ae5a7e6 100644
--- a/Source/WebCore/svg/graphics/SVGImageCache.cpp
+++ b/Source/WebCore/svg/graphics/SVGImageCache.cpp
@@ -90,14 +90,9 @@ void SVGImageCache::imageContentChanged()
for (ImageDataMap::iterator it = m_imageDataMap.begin(); it != end; ++it)
it->value.imageNeedsUpdate = true;
- // If we're in the middle of layout, start redrawing dirty
- // images on a timer; otherwise it's safe to draw immediately.
- FrameView* frameView = m_svgImage->frameView();
- if (frameView && (frameView->needsLayout() || frameView->isInLayout())) {
- if (!m_redrawTimer.isActive())
- m_redrawTimer.startOneShot(0);
- } else
- redraw();
+ // Always redraw on a timer because this method may be invoked from destructors of things we are intending to draw.
+ if (!m_redrawTimer.isActive())
+ m_redrawTimer.startOneShot(0);
}
void SVGImageCache::redraw()
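Review bot: dropping the `frameView` check means `redraw()` now runs from the timer unconditionally, so `redraw()` itself must tolerate `m_svgImage->frameView()` being null or the view still needing layout when the timer fires; with the old code those states were handled here, and it is not visible from this hunk that `redraw()` re-checks them. Worth confirming, because the zero-delay timer only moves the call out of the destructor's stack frame, it does not guarantee the document is in a drawable state at fire time. If `FrameView` was only referenced in the removed lines, its include or forward declaration in this file is now unused and can go. On style, the new comment is a single line well beyond the rest of the file's width; wrapping it to two lines (for example "// Always redraw on a timer because this method may be invoked from" / "// destructors of things we are intending to draw.") keeps it consistent with the comment it replaces.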