SVG <use> element inside an svg-as-image fails
author    Stephen Chenney <schenney@chromium.org>
          Wed, 6 Feb 2013 17:00:57 +0000 (18:00 +0100)
committer The Qt Project <gerrit-noreply@qt-project.org>
          Thu, 7 Feb 2013 18:21:24 +0000 (19:21 +0100)
commit    a135670457d4124569d2beeb3935d0763d047a20
tree      fdf857a21f3693d4f0c389b00e421bd59fed9852
parent    f47c0b0c6d7a96558273254f014d7515c04b42fb
SVG <use> element inside an svg-as-image fails

https://bugs.webkit.org/show_bug.cgi?id=104007

Reviewed by Eric Seidel.

Upon redraw, SVGImage calls layout on the document it is drawing into
the image, provided it believes the redraw does not need
to be delayed. Unfortunately, when an SVG <use> element is modified
(by animation, say) and regenerates its shadow tree, the destructors
invoke redraw, causing the SVGImage to call layout on something that
is in the process of being deleted. That's bad.

This change causes SVGImage to always delay the redraw. It is the most robust
way to protect against this problem, as there may be any number of
ways to cause this issue (a node being deleted in an svg-as-image
target) and this protects against them all.

The test case crashes in Asan Chromium.

Source/WebCore:

Test: svg/as-image/animated-use-as-image-crash.html

* svg/graphics/SVGImageCache.cpp:
(WebCore::SVGImageCache::imageContentChanged): Always redraw on the timer.

LayoutTests:

* platform/chromium-win/svg/custom/use-disappears-after-style-update-expected.png: Changed as a result of this change.
* svg/as-image/animated-use-as-image-crash-expected.txt: Added.
* svg/as-image/animated-use-as-image-crash.html: Added.
* svg/as-image/resources/animated-href-on-use.svg: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136845 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: I83b299c26582db115bc921435f2c96da42f761d3
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Source/WebCore/ChangeLog
Source/WebCore/svg/graphics/SVGImageCache.cpp
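The commit message describes a re-entrancy hazard: a node's destructor notifies the image cache, the cache synchronously runs layout, and layout walks a tree that still points at the object being destroyed. The model below is an added example, not WebKit or Qt code; the class names Document, ShadowNode, ImageCache, regenerateShadowTree and fireTimer are illustrative assumptions and do not correspond to the real WebCore types or to the contents of SVGImageCache.cpp. It stands in a counter for the use-after-free so the difference between the synchronous and the always-deferred redraw is observable deterministically.

```cpp
// Added example (not WebKit/Qt code): a minimal model of a destructor
// re-entering layout, and of the fix of always deferring the redraw.
// All names here are assumed for illustration, not real WebCore classes.
#include <cstdio>

// Observer standing in for the image cache that an svg-as-image notifies.
struct ContentObserver {
    virtual ~ContentObserver() = default;
    virtual void imageContentChanged() = 0;
};

// A shadow-tree node whose destructor notifies the observer, as the
// regenerated <use> shadow tree does in the bug description.
struct ShadowNode {
    ContentObserver* observer;
    int generation;
    bool destroying = false;          // true while the destructor runs
    ShadowNode(ContentObserver* o, int g) : observer(o), generation(g) {}
    ~ShadowNode() {
        destroying = true;
        if (observer)
            observer->imageContentChanged(); // re-enters the cache mid-destruction
    }
};

struct Document {
    ShadowNode* shadowRoot = nullptr;
    ContentObserver* observer = nullptr;
    int layouts = 0;
    int layoutsOnDyingNode = 0;       // stands in for the real use-after-free

    void layout() {
        ++layouts;
        if (shadowRoot && shadowRoot->destroying)
            ++layoutsOnDyingNode;     // layout reached a node being deleted
    }
    // Regenerate the shadow tree: the old node dies first, then the new one
    // is installed. Between those two steps shadowRoot points at a dying node.
    void regenerateShadowTree(int generation) {
        delete shadowRoot;
        shadowRoot = new ShadowNode(observer, generation);
    }
    ~Document() {
        if (shadowRoot) shadowRoot->observer = nullptr; // no notification on teardown
        delete shadowRoot;
    }
};

struct ImageCache : ContentObserver {
    Document* document;
    bool deferRedraw;                 // false = pre-fix behaviour, true = fix
    bool redrawPending = false;
    ImageCache(Document* d, bool defer) : document(d), deferRedraw(defer) {}
    void imageContentChanged() override {
        if (deferRedraw) {
            redrawPending = true;     // the fix: always wait for the timer
            return;
        }
        document->layout();           // the bug: layout from inside a destructor
    }
    // Simulates the redraw timer firing once the current task has completed.
    void fireTimer() {
        if (!redrawPending) return;
        redrawPending = false;
        document->layout();
    }
};

struct Outcome { int layouts; int layoutsOnDyingNode; };

// One animation step on an svg-as-image: the <use> shadow tree is regenerated
// and the redraw timer then gets a chance to fire.
Outcome runScenario(bool deferRedraw) {
    Document doc;
    ImageCache cache(&doc, deferRedraw);
    doc.observer = &cache;
    doc.regenerateShadowTree(0);      // initial tree; nothing deleted yet
    doc.regenerateShadowTree(1);      // old tree destroyed: destructor notifies cache
    cache.fireTimer();                // deferred redraw runs on a clean tree
    return Outcome{doc.layouts, doc.layoutsOnDyingNode};
}

int main() {
    Outcome before = runScenario(false);
    Outcome after  = runScenario(true);
    std::printf("synchronous redraw: %d layout(s), %d on a dying node\n",
                before.layouts, before.layoutsOnDyingNode);
    std::printf("deferred redraw:    %d layout(s), %d on a dying node\n",
                after.layouts, after.layoutsOnDyingNode);
    return 0;
}
```

In the synchronous mode the single layout happens while the old node's destructor is still on the stack, which is exactly the situation the commit calls "bad"; in the deferred mode the same content change still produces one layout, but only after the regeneration has completed and shadowRoot points at a live node. A real fix of this kind should also be checked for the converse hazard, a timer firing after the document itself is gone, which the model sidesteps by detaching the observer in the Document destructor.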