[Webkit-unassigned] [Bug 40366] REGRESSION (r59263): Google Docs Drawing is broken, and probably other SVG-based sites

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 22 13:47:34 PDT 2010


mitz at webkit.org changed:

           What    |Removed                     |Added
                 CC|                            |hyatt at apple.com

--- Comment #6 from mitz at webkit.org  2010-06-22 13:47:34 PST ---
Thanks for carrying on the investigation!

(In reply to comment #5)
> (gdb) bt
> #8  0x00000001016e718f in WebCore::Element::setAttribute (this=0x119f76b50, name=@0x103180b60, value=@0x7fff5fbfad50) at /usr/local/home/jamesr/WebKit/WebCore/dom/Element.cpp:180
> #12 0x00000001016e5f3d in WebCore::Element::hasAttribute (this=0x119f76b50, name=@0x1031816a8) at /usr/local/home/jamesr/WebKit/WebCore/dom/Element.cpp:212
> #13 0x0000000101ec20f3 in WebCore::SVGLength::PercentageOfViewport (value=1, context=0x119ef3ac0, mode=WebCore::LengthModeHeight) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGLength.cpp:294
> #14 0x0000000101ec1d6f in WebCore::SVGLength::value (this=0x7fff5fbfb000, context=0x119ef3ac0) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGLength.cpp:136
> #15 0x0000000101eeb6e7 in WebCore::SVGRectElement::toPathData (this=0x119ef3ac0) at /usr/local/home/jamesr/WebKit/WebCore/svg/SVGRectElement.cpp:148
> #16 0x0000000101d26aca in WebCore::RenderPath::layout (this=0x119fc6f78) at /usr/local/home/jamesr/WebKit/WebCore/rendering/RenderPath.cpp:112
> #20 0x00000001017666a8 in WebCore::FrameView::layout (this=0x11799f130, allowSubtree=true) at /usr/local/home/jamesr/WebKit/WebCore/page/FrameView.cpp:764

That Element::setAttribute() ends up being invoked beneath layout is insane. I don’t know if the problem is that hasAttribute() can call setAttribute() or, more likely, that PercentageOfViewport() calls a function (hasAttribute()) that has a known side effect of setting an attribute. But this is just asking for trouble. I think the path to resolving this bug is preventing DOM mutation during layout (other than shadow DOM, of course).
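The guard mitz proposes (refuse DOM mutation while a layout pass is running) can be made concrete with an RAII scope. The following is an added illustration, not WebKit code and not part of this bug thread: the Document, Element and LayoutScope classes are this example's own, and hasAttributeWithLazyDefault() is a constructed stand-in for a "query" accessor that hides a write, the pattern the backtrace above shows (setAttribute reached from hasAttribute beneath FrameView::layout). With the guard in place, that hidden write becomes a reported error instead of a silent mutation during layout.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Added example (not WebKit code): a minimal document model whose
// attribute mutation is refused while a layout pass is in progress.
class Document {
public:
    // RAII guard: while an instance is alive the document is "in layout"
    // and any attribute mutation is reported as an error.
    class LayoutScope {
    public:
        explicit LayoutScope(Document& doc) : m_doc(doc) { ++m_doc.m_layoutDepth; }
        ~LayoutScope() { --m_doc.m_layoutDepth; }
        LayoutScope(const LayoutScope&) = delete;
        LayoutScope& operator=(const LayoutScope&) = delete;
    private:
        Document& m_doc;
    };

    bool inLayout() const { return m_layoutDepth > 0; }

private:
    int m_layoutDepth = 0;  // nested layout scopes are counted, not just flagged
};

class Element {
public:
    explicit Element(Document& doc) : m_doc(doc) {}

    // The only mutation entry point: refuses to run beneath layout.
    void setAttribute(const std::string& name, const std::string& value) {
        if (m_doc.inLayout())
            throw std::logic_error("DOM mutation during layout: attribute '" + name + "'");
        m_attrs[name] = value;
    }

    // A pure query: no side effects, so it is safe to call from layout.
    bool hasAttribute(const std::string& name) const { return m_attrs.count(name) > 0; }

    // Constructed stand-in for the kind of accessor the comment suspects:
    // a "query" that lazily writes a default value. The guard turns that
    // hidden write into a visible error when it happens under layout.
    bool hasAttributeWithLazyDefault(const std::string& name) {
        if (!hasAttribute(name))
            setAttribute(name, "");  // hidden side effect
        return true;
    }

private:
    Document& m_doc;
    std::map<std::string, std::string> m_attrs;
};

// Pure lookups during layout are fine.
bool queryDuringLayoutIsAllowed() {
    Document doc;
    Element rect(doc);
    rect.setAttribute("width", "100%");  // before layout: allowed
    Document::LayoutScope layout(doc);
    return rect.hasAttribute("width") && !rect.hasAttribute("height");
}

// A direct mutation during layout is rejected.
bool mutationDuringLayoutIsRejected() {
    Document doc;
    Element rect(doc);
    Document::LayoutScope layout(doc);
    try {
        rect.setAttribute("height", "50%");
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// The hidden write inside a "query" is caught too, which is the shape of
// the backtrace in this bug (setAttribute beneath hasAttribute under layout).
bool hiddenMutationDuringLayoutIsRejected() {
    Document doc;
    Element rect(doc);
    Document::LayoutScope layout(doc);
    try {
        rect.hasAttributeWithLazyDefault("height");
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// Once the layout scope ends, mutation works again.
bool mutationAfterLayoutIsAllowed() {
    Document doc;
    Element rect(doc);
    {
        Document::LayoutScope layout(doc);
    }
    rect.setAttribute("height", "50%");
    return rect.hasAttribute("height");
}
```

In a real engine the throw would be an assertion or a release-mode check that fails the operation loudly; the point is that the check lives in the single mutation entry point, so any accessor that quietly writes through it is flagged no matter how deep the call chain.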
