[Webkit-unassigned] [Bug 20400] Infinite recursion crash in WebCore::RenderSVGRoot::absoluteClippedOverflowRect on a <stop> element outside of a gradient block
bugzilla-daemon at webkit.org
Tue Oct 21 13:55:14 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=20400
eric at webkit.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hyatt at apple.com
------- Comment #4 from eric at webkit.org 2008-10-21 13:55 PDT -------
This seems like a fundamental misunderstanding in SVG's
absoluteClippedOverflowRect implementation:
IntRect RenderSVGRoot::absoluteClippedOverflowRect()
{
    IntRect repaintRect;
    for (RenderObject* current = firstChild(); current != 0; current = current->nextSibling())
        repaintRect.unite(current->absoluteClippedOverflowRect());
#if ENABLE(SVG_FILTERS)
    // Filters can expand the bounding box
    SVGResourceFilter* filter = getFilterById(document(), style()->svgStyle()->filter());
    if (filter)
        repaintRect.unite(enclosingIntRect(filter->filterBBoxForItemBBox(repaintRect)));
#endif
    return repaintRect;
}

IntRect RenderObject::absoluteClippedOverflowRect()
{
    if (parent())
        return parent()->absoluteClippedOverflowRect();
    return IntRect();
}
These two recursively call each other. :(
One fix would be to add an absoluteClippedOverflowRect() implementation to
RenderSVGGradientStop. I'll do that for now, but I think we may need more
fixes to SVG here.
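The mutual recursion described in comment #4, reduced to a toy render tree. This is an added example, not WebKit code: the class names, the depth guard and the empty rect returned by the overriding stop are assumptions of the sketch.

```cpp
// Added illustration: a toy render tree, not WebKit source.
#include <stdexcept>

struct Rect {
    int w = 0, h = 0;
    void unite(const Rect& o) { if (o.w > w) w = o.w; if (o.h > h) h = o.h; }
};

// Depth guard (assumption of this demo) so the cycle is reported, not a stack overflow.
static int g_depth = 0;
struct DepthGuard {
    DepthGuard() { if (++g_depth > 64) { --g_depth; throw std::runtime_error("cycle"); } }
    ~DepthGuard() { --g_depth; }
};

struct Node {
    Node* parent = nullptr; Node* firstChild = nullptr; Node* nextSibling = nullptr;
    virtual ~Node() = default;
    void append(Node& c) { c.parent = this; c.nextSibling = firstChild; firstChild = &c; }
    // Same shape as RenderObject in the comment: defer to the parent.
    virtual Rect clippedRect() { DepthGuard g; return parent ? parent->clippedRect() : Rect(); }
};

// Same shape as RenderSVGRoot in the comment: union of the children's rects.
struct Root : Node {
    Rect clippedRect() override {
        DepthGuard g;
        Rect r;
        for (Node* c = firstChild; c; c = c->nextSibling) r.unite(c->clippedRect());
        return r;
    }
};

struct Shape : Node { Rect box; Rect clippedRect() override { return box; } };
struct StrayStop : Node {};      // inherits the parent-deferring default
struct FixedStop : Node {        // assumed fix: a stop paints nothing, so return an empty rect
    Rect clippedRect() override { return Rect(); }
};

// Build <root><shape/><stop/></root> and ask the root for its rect; throws on a cycle.
Rect rootRectWith(Node& stop) {
    Root root; Shape shape; shape.box.w = 10; shape.box.h = 20;
    root.append(shape); root.append(stop);
    return root.clippedRect();
}
bool recurses(Node& stop) {
    try { rootRectWith(stop); return false; }
    catch (const std::runtime_error&) { return true; }
}
int main() { StrayStop s; FixedStop f; return (recurses(s) && !recurses(f)) ? 0 : 1; }
```

Any other child type that inherits the parent-deferring default would hit the same cycle under this root.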