[Webkit-unassigned] [Bug 47759] New: Crash while processing ill-formed <textPath> ouside of <text>
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Oct 15 17:53:36 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=47759
Summary: Crash while processing ill-formed <textPath> ouside of
<text>
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: ctruta at chromium.org
CC: zimmermann at kde.org, mdelaney at apple.com
Although <textPath> is required to exist inside <text>, the SVG processor shouldn't crash when encountering ill-formed test cases like the following:
<svg xmlns="http://www.w3.org/2000/svg">
<textPath/>
</svg>
This is a continuation of the work on bug 47498. The text below is Nikolas Zimmermann's analysis.
"The RenderInline assertion also happens for <svg><tspan/></svg>, and <tref>. All renderers that inherit from RenderSVGInline are affected. These are all elements that aren't allowed to appear without a <text> parent.
It's embarassing we still have bugs like this!
It needs to be fixed in the DOM, I'm just looking at it.
[...]
Okay, it's quite easy to fix:
Let's check the specs content model (only showing relevant text elements now):
<text> may contain: 'a', ‘altGlyph’, ‘textPath’, ‘tref’, ‘tspan’
<tspan> may contain: 'a', 'altGlyph', 'tref', 'tspan'
<tref> may contain: nothing
<textPath> may contain: 'a', 'tref', 'tspan'
<altGlyph> may contain: any element or character data
"SVGTextElement::childShouldCreateRenderer(Node* node) const" has to be added, which checks
wheter the passed in node tagName is 'a', 'altGlyph', 'textPath', 'tref', 'tspan'. These are the only children which are supposed to create renderers within a <text> subtree. The same should be added for SVGTSpanElement, checking for 'a', 'altGlyph', 'tref' and 'tspan', and SVGTextPathElement, checking for 'a', 'tref' and 'tspan'.
This way we assure only the right elements create renderers within a <text> subtree.
The second step to solve the problem is to add "bool rendererIsNeeded(RenderStyle*)" methods to SVGTSpanElement, SVGTRefElement and SVGTextPathElement, that check wheter the _parentNode()_ has the right tag name. (see SVGGElement::rendererIsNeeded as example).
SVGTSpanElement needs to check wheter its parent is 'textPath' or 'text' or 'tspan' or 'altGlyph'.
SVGTRefElement needs to check wheter its parent is 'textPath' or 'text' or 'tspan' or 'altGlyph'.
SVGTextPathElement needs to check wheter its parent is 'text'.
This will get rid of the assertion that you see. Combined with your attached test, this will solve the problem completly.
Good luck! :-)"
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list