[Webkit-unassigned] [Bug 47498] Crash while processing ill-formed SVG with cycles.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Oct 15 02:25:37 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=47498
--- Comment #10 from Nikolas Zimmermann <zimmermann at kde.org> 2010-10-15 02:25:37 PST ---
The ASSERTION that you see, with RenderInline, is easy to reproduce:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<textPath/>
</svg>
It's _only_ textPath related.
Your patch should fix the assertion for:
<filter id="foo">
<rect fill="url(#foo)"/>
</filter>
This testcase already works as expected
<filter id="foo">
<rect mask="url(#foo)"/>
</filter>
Same for clip, etc.
The RenderInline assertion also happens for <svg><tspan/></svg>, and <tref>. All renderers that inherit from RenderSVGInline are affected. These are all elements that aren't allowed to appear without a <text> parent.
It's embarassing we still have bugs like this!
It needs to be fixed in the DOM, I'm just looking at it.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list