Diffstat (limited to 'Source')
 Source/WebCore/ChangeLog                        | 26
 Source/WebCore/svg/graphics/SVGImageCache.cpp   | 11
 2 files changed, 29 insertions, 8 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index da13e071b..1d256fe87 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -455,6 +455,32 @@ since BGR is not supported by QImage. (WebCore::MediaPlayerPrivateQTKit::paint): +2012-12-06 Stephen Chenney <schenney@chromium.org> + + SVG <use> element inside an svg-as-image fails + https://bugs.webkit.org/show_bug.cgi?id=104007 + + Reviewed by Eric Seidel. + + Upon redraw, SVGImage calls layout on the document it is drawing into + the image if the image, provided it believes the redraw does not need + to be delayed. Unfortunately, when an SVG <use> element is modified + (by animation, say) and regenerates its shadow tree, the destructors + invoke redraw, causing the SVGImage to call layout on something that + is in the process of being deleted. That's bad. + + This change causes SVGImage to always delay the redraw. It is the most robust + way to protect against this problem, as there may be any number of + ways to cause this issue (a node being deleted in an svg-as-image + target) and this protects against them all. + + The test case crashes in Asan Chromium. + + Test: svg/as-image/animated-use-as-image-crash.html + + * svg/graphics/SVGImageCache.cpp: + (WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer. + 2012-12-03 Jocelyn Turcotte <jocelyn.turcotte@digia.com> Document::initSecurityContext() fails to call securityOrigin().grantLoadLocalResources() diff --git a/Source/WebCore/svg/graphics/SVGImageCache.cpp b/Source/WebCore/svg/graphics/SVGImageCache.cpp index 358f2caa8..e5ae5a7e6 100644 --- a/Source/WebCore/svg/graphics/SVGImageCache.cpp +++ b/Source/WebCore/svg/graphics/SVGImageCache.cpp 
@@ -90,14 +90,9 @@ void SVGImageCache::imageContentChanged() for (ImageDataMap::iterator it = m_imageDataMap.begin(); it != end; ++it) it->value.imageNeedsUpdate = true; - // If we're in the middle of layout, start redrawing dirty - // images on a timer; otherwise it's safe to draw immediately. - FrameView* frameView = m_svgImage->frameView(); - if (frameView && (frameView->needsLayout() || frameView->isInLayout())) { - if (!m_redrawTimer.isActive()) - m_redrawTimer.startOneShot(0); - } else - redraw(); + // Always redraw on a timer because this method may be invoked from destructors of things we are intending to draw. + if (!m_redrawTimer.isActive()) + m_redrawTimer.startOneShot(0); } void SVGImageCache::redraw() |
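Review bot: The ChangeLog description has a garbled sentence in the first paragraph: "calls layout on the document it is drawing into the image if the image, provided it believes the redraw does not need to be delayed" contains a stray "if the image". Since this entry is the only written record of why the FrameView layout check was removed, it is worth fixing the sentence so it reads "calls layout on the document it is drawing into the image, provided it believes the redraw does not need to be delayed".

Review bot: The hunk in imageContentChanged() removes the only synchronous path to redraw(), so a caller that previously observed the updated image immediately after this method returned will now see stale content until the zero-delay timer fires; the new comment should say so explicitly, and callers relying on a synchronous redraw should be checked. It would also help to record in the comment which destructor sequence this guards against (the SVG <use> shadow-tree regeneration described in the ChangeLog), since "things we are intending to draw" does not tell a future reader why the FrameView needsLayout()/isInLayout() check was insufficient. Finally, deferring to m_redrawTimer only helps if the timer cannot outlive the cache: please confirm that m_redrawTimer is stopped or owned such that it cannot fire after the SVGImageCache itself is destroyed, which this hunk does not show.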
