[Webkit-unassigned] [Bug 40366] REGRESSION (r59263): Google Docs Drawing is broken, and probably other SVG-based sites

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 22 13:28:32 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=40366





--- Comment #5 from James Robinson <jamesr at chromium.org>  2010-06-22 13:28:32 PST ---
I still haven't been able to construct a repro page but have caught the page going awry in a debugger.

Here's the render tree when things go wrong:

RenderView
- RenderBlock (relayout boundary) 0x1145e5e68
-- RenderSVGRoot (relayout boundary) 0x119fc7968
--- RenderPath

and the stack:

(gdb) bt
#0  WebCore::RenderObject::markContainingBlocksForLayout (this=0x119fc7968, scheduleRelayout=false, newRoot=0x1145e5e68) at RenderObject.h:1036
#1  0x000000010176499f in WebCore::FrameView::scheduleRelayoutOfSubtree (this=0x11799f130, relayoutRoot=0x1145e5e68) at /usr/local/home/jamesr/WebKit/WebCore/page/FrameView.cpp:1330
#2  0x0000000101d1b513 in WebCore::RenderObject::scheduleRelayout (this=0x1145e5e68) at /usr/local/home/jamesr/WebKit/WebCore/rendering/RenderObject.cpp:2092
#3  0x00000001014dd795 in WebCore::RenderObject::markContainingBlocksForLayout (this=0x119fc7968, scheduleRelayout=true, newRoot=0x0) at RenderObject.h:1035
#4  0x00000001014dd83d in WebCore::RenderObject::setNeedsLayout (this=0x119fc7968, b=true, markParents=true) at RenderObject.h:941
#5  0x0000000101f0a1e8 in WebCore::SVGSVGElement::svgAttributeChanged (this=0x119f76b50, attrName=@0x119e13758) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGSVGElement.cpp:312
#6  0x0000000101e7fc30 in WebCore::SVGElement::attributeChanged (this=0x119f76b50, attr=0x119e13750, preserveDecls=false) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGElement.cpp:304
#7  0x00000001016e6f18 in WebCore::Element::setAttribute (this=0x119f76b50, name=@0x103180b60, value=@0x7fff5fbfad50) at /usr/local/home/jamesr/WebKit/WebCore/dom/Element.cpp:598
#8  0x00000001016e718f in WebCore::Element::setAttribute (this=0x119f76b50, name=@0x103180b60, value=@0x7fff5fbfad50) at /usr/local/home/jamesr/WebKit/WebCore/dom/Element.cpp:180
#9  0x0000000101e52074 in WebCore::StyledElement::updateStyleAttribute (this=0x119f76b50) at /usr/local/home/jamesr/WebKit/WebCore/dom/StyledElement.cpp:110
#10 0x000000010140c527 in WebCore::Element::attributes (this=0x119f76b50, readonly=true) at Element.h:372
#11 0x00000001016e5e78 in WebCore::Element::hasAttributeNS (this=0x119f76b50, namespaceURI=@0x108d8a008, localName=@0x108d8a000) at /usr/local/home/jamesr/WebKit/WebCore/dom/Element.cpp:1284
#12 0x00000001016e5f3d in WebCore::Element::hasAttribute (this=0x119f76b50, name=@0x1031816a8) at /usr/local/home/jamesr/WebKit/WebCore/dom/Element.cpp:212
#13 0x0000000101ec20f3 in WebCore::SVGLength::PercentageOfViewport (value=1, context=0x119ef3ac0, mode=WebCore::LengthModeHeight) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGLength.cpp:294
#14 0x0000000101ec1d6f in WebCore::SVGLength::value (this=0x7fff5fbfb000, context=0x119ef3ac0) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGLength.cpp:136
#15 0x0000000101eeb6e7 in WebCore::SVGRectElement::toPathData (this=0x119ef3ac0) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGRectElement.cpp:148
#16 0x0000000101d26aca in WebCore::RenderPath::layout (this=0x119fc6f78) at /usr/local/home/jamesr/WebKit/WebCore/rendering/RenderPath.cpp:112
#17 0x0000000101ca0aab in WebCore::RenderObject::layoutIfNeeded (this=0x119fc6f78) at RenderObject.h:544
#18 0x0000000101ef2788 in WebCore::SVGRenderBase::layoutChildren (start=0x119fc7968, selfNeedsLayout=false) at /usr/local/home/jamesr/WebKit/WebCore/rendering/SVGRenderSupport.cpp:256
#19 0x0000000101d58953 in WebCore::RenderSVGRoot::layout (this=0x119fc7968) at /usr/local/home/jamesr/WebKit/WebCore/rendering/RenderSVGRoot.cpp:121
#20 0x00000001017666a8 in WebCore::FrameView::layout (this=0x11799f130, allowSubtree=true) at /usr/local/home/jamesr/WebKit/WebCore/page/FrameView.cpp:764
#21 0x00000001015cc409 in WebCore::Document::updateLayout (this=0x1180f9400) at /usr/local/home/jamesr/WebKit/WebCore/dom/Document.cpp:1454
#22 0x00000001015ce5fd in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x1180f9400) at /usr/local/home/jamesr/WebKit/WebCore/dom/Document.cpp:1485
#23 0x00000001014b80bc in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue (this=0x11b214870, propertyID=1002, updateLayout=WebCore::UpdateLayout) at /usr/local/home/jamesr/WebKit/WebCore/css/CSSComputedStyleDeclaration.cpp:669
#24 0x00000001014c0375 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue (this=0x11b214870, propertyID=1002) at /usr/local/home/jamesr/WebKit/WebCore/css/CSSComputedStyleDeclaration.cpp:588
#25 0x00000001015307df in WebCore::CSSStyleDeclaration::getPropertyCSSValue (this=0x11b214870, propertyName=@0x7fff5fbfcd80) at /usr/local/home/jamesr/WebKit/WebCore/css/CSSStyleDeclaration.cpp:45
#26 0x000000010193b455 in WebCore::JSCSSStyleDeclaration::nameGetter (exec=0x112a110f0, slotBase={m_ptr = 0x11a1b29c0}, propertyName=@0x7fff5fbfcf00) at /usr/local/home/jamesr/WebKit/WebCore/bindings/js/JSCSSStyleDeclarationCustom.cpp:156
#27 0x000000010075bc5c in JSC::PropertySlot::getValue (this=0x7fff5fbfce30, exec=0x112a110f0, propertyName=@0x7fff5fbfcf00) at PropertySlot.h:78

A JS query for style.direction forces a subtree layout rooted at the FrameView's m_layoutRoot, which happens to be the RenderSVGRoot.  This manages to mark its containing RenderBlock as m_posChildNeedsLayout and attempts to schedule a new relayout rooted at this renderer.  This changes the m_layoutRoot from the RenderSVGRoot to the RenderBlock, but since layout is already underway this doesn't set the layout timer.  Instead layout proceeds normally (but still rooted at the RenderSVGRoot).  The end of the layout algorithm clears out the FrameView's m_layoutRoot.  This leaves the RenderBlock with m_posChildNeedsLayout set but with no layout actually scheduled to occur.  When elements beneath this RenderBlock are subsequently marked as needing layout, markContainingBlocksForLayout() notices that m_posChildNeedsLayout is already set and returns without scheduling another layout pass.

I'm not entirely sure whether the re-rooting logic is at fault here or if it's improper to mark elements outside of a subtree as needing layout during a subtree layout.  The RenderBlock is marked as m_posChildNeedsLayout through frames 5-13.  The RenderPath queries for the viewPort attribute on the SVGSVGElement, which triggers an update of the style attribute that in turn calls attributeChanged, which is overridden by SVGElement to mark the element's renderer (the RenderSVGRoot) as needing layout.  This pathway seems a bit odd.
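As an added illustration (not code from the comment or from WebKit), this simplified C++ model replays the sequence the comment walks through: a subtree layout rooted at the RenderSVGRoot, a mark on its containing RenderBlock while layout is underway, the re-rooting that sets no timer, and the cleared m_layoutRoot that leaves the block's flag set with nothing scheduled. Names not in the comment (inLayout, timerArmed, reproduce) are invented for the model, and every container is treated as a relayout boundary, as both RenderBlock and RenderSVGRoot are in the render tree above.

```cpp
#include <functional>
#include <utility>
struct Renderer;
// Illustrative model of the FrameView/RenderObject state the comment describes; not WebKit code.
struct FrameView {
    Renderer* m_layoutRoot = nullptr;           // root of the pending subtree layout
    bool inLayout = false, timerArmed = false;  // timerArmed: a layout pass is really scheduled
    void scheduleRelayoutOfSubtree(Renderer* relayoutRoot);
    void layout(const std::function<void()>& layoutChildren);
};
struct Renderer {
    Renderer* parent; FrameView* view;
    bool needsLayout = false, m_posChildNeedsLayout = false;
    Renderer(Renderer* p, FrameView* v) : parent(p), view(v) {}
    // Walk up flagging containers. An already-flagged container is assumed to have a layout
    // pending, so the walk returns without scheduling one. Every container is a relayout boundary.
    void markContainingBlocksForLayout(bool scheduleRelayout, Renderer* newRoot) {
        Renderer* last = this;
        for (Renderer* o = parent; o; o = o->parent) {
            if (o->m_posChildNeedsLayout) return;
            o->m_posChildNeedsLayout = true;
            if (o == newRoot) return;
            last = o;
            if (scheduleRelayout) break;  // relayout boundary reached
        }
        if (scheduleRelayout) view->scheduleRelayoutOfSubtree(last);
    }
    void setNeedsLayout() { needsLayout = true; markContainingBlocksForLayout(true, nullptr); }
};
void FrameView::scheduleRelayoutOfSubtree(Renderer* relayoutRoot) {
    // Re-root: mark the path from the old root up to the new one (assumed to contain it).
    if (m_layoutRoot) m_layoutRoot->markContainingBlocksForLayout(false, relayoutRoot);
    m_layoutRoot = relayoutRoot;
    if (!inLayout) timerArmed = true;  // layout already underway: no timer is set
}
void FrameView::layout(const std::function<void()>& layoutChildren) {
    inLayout = true; timerArmed = false;
    layoutChildren();  // the subtree is laid out under the original root
    m_layoutRoot = nullptr; inLayout = false;  // the end of layout clears the root
}
// Replays the comment's tree (RenderBlock > RenderSVGRoot > RenderPath); returns
// {block flag still set with nothing scheduled, a layout pending after a later mark}.
std::pair<bool, bool> reproduce() {
    FrameView view;
    Renderer block(nullptr, &view), svgRoot(&block, &view), path(&svgRoot, &view);
    path.setNeedsLayout();  // subtree layout scheduled, rooted at the RenderSVGRoot
    view.layout([&] { svgRoot.setNeedsLayout(); });  // RenderPath's query marks the SVG root (frames 5-16)
    bool stuck = block.m_posChildNeedsLayout && !view.timerArmed && !view.m_layoutRoot;
    svgRoot.setNeedsLayout();  // a later change: the walk hits the stale flag and stops
    return {stuck, view.timerArmed || view.m_layoutRoot != nullptr};
}
```

reproduce() returns {true, false}: the RenderBlock keeps m_posChildNeedsLayout after layout ends, and the later mark on the RenderSVGRoot schedules nothing.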
