[Webkit-unassigned] [Bug 63365] ASSERTs in RenderInline::layout()

bugzilla-daemon at webkit.org
Fri Jun 24 23:35:46 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=63365





--- Comment #2 from Nikolas Zimmermann <zimmermann at kde.org>  2011-06-24 23:35:46 PST ---
(In reply to comment #0)
> Steps to repro:
> 
> 1. Open the attached SVG in a debug build of a WebKit browser.
> 
> Expected result: Nothing is drawn.
> Actual result: Crash due to an assertion.
> 
> <rdar://problem/7403871>
> 
> Diagnosis:
> 
> There are a variety of text elements which are laid out by their (expected) parents. If their parent is something else instead, they fall back on RenderInline, which isn't too happy about this.
> 
> What's the right fix? Technically this is invalid.

Good catch. We had a similar problem before:
<text> <circle> .... Arbitrary children of <text> elements caused crashes. We've fixed that by only allowing a specific subset of renderers to be children of <text>.
bool SVGTextElement::childShouldCreateRenderer(Node* child) const
{
    if (child->isTextNode()
        || child->hasTagName(SVGNames::aTag)
#if ENABLE(SVG_FONTS)
        || child->hasTagName(SVGNames::altGlyphTag)
#endif
        || child->hasTagName(SVGNames::textPathTag)
        || child->hasTagName(SVGNames::trefTag)
        || child->hasTagName(SVGNames::tspanTag))
        return true;

    return false;
}

This function handles the aforementioned "only-allow-specific-children-for-<text>".
We need a similar method, to avoid creating renderers for <textPath>/<tref>/... when its parent is not <text>: that's done by reimplementing rendererIsNeeded():

Looking closer through the SVGTSpan/TRef/TextPath/.. elements we already did that:

bool SVGTSpanElement::rendererIsNeeded(const NodeRenderingContext& context)
{
    if (parentNode()
        && (parentNode()->hasTagName(SVGNames::aTag)
#if ENABLE(SVG_FONTS)
            || parentNode()->hasTagName(SVGNames::altGlyphTag)
#endif
            || parentNode()->hasTagName(SVGNames::textTag)
            || parentNode()->hasTagName(SVGNames::textPathTag)
            || parentNode()->hasTagName(SVGNames::tspanTag)))
        return StyledElement::rendererIsNeeded(context);

    return false;
}

See SVGTextPathElement:
bool SVGTextPathElement::rendererIsNeeded(const NodeRenderingContext& context)
{
    if (parentNode()
        && (parentNode()->hasTagName(SVGNames::aTag)
            || parentNode()->hasTagName(SVGNames::textTag)))
        return StyledElement::rendererIsNeeded(context);

    return false;
}

We explicitly allow <a> to be a parent of <textPath>. Is this not correct? Is this supposed to work? What does Opera say?

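Added example, not part of the original comment and not WebKit source: a simplified stand-alone model of the two allow-lists quoted above (parent-side childShouldCreateRenderer() and child-side rendererIsNeeded()), run over a constructed tree to list the nodes that would get no renderer. The Node struct, the string tag names, skippedRenderers() and sampleTree() are assumptions made for illustration; only the tag lists come from the excerpts.

```cpp
// Simplified stand-alone model of the checks quoted above; not WebKit source.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Node { std::string tag; std::vector<Node> children; };  // "#text" = text node

// Children <text> accepts, per the childShouldCreateRenderer() excerpt.
static const std::set<std::string> kTextChildren = {"#text", "a", "altGlyph", "textPath", "tref", "tspan"};
// Parents each element accepts, per the rendererIsNeeded() excerpts.
// SVG_FONTS is assumed enabled, so altGlyph appears in both lists.
static const std::map<std::string, std::set<std::string>> kAllowedParents = {
    {"tspan",    {"a", "altGlyph", "text", "textPath", "tspan"}},
    {"textPath", {"a", "text"}},
};

bool childShouldCreateRenderer(const std::string& parent, const std::string& child) {
    // In this model only <text> filters its children.
    return parent != "text" || kTextChildren.count(child) > 0;
}
bool rendererIsNeeded(const std::string& tag, const std::string& parent) {
    auto it = kAllowedParents.find(tag);
    return it == kAllowedParents.end() || it->second.count(parent) > 0;
}

// Model assumption: a node that gets no renderer takes its subtree with it.
std::vector<std::string> skippedRenderers(const Node& parent, const std::string& prefix = "") {
    const std::string here = prefix + "/" + parent.tag;
    std::vector<std::string> out;
    for (const Node& c : parent.children) {
        if (childShouldCreateRenderer(parent.tag, c.tag) && rendererIsNeeded(c.tag, parent.tag)) {
            for (const std::string& s : skippedRenderers(c, here)) out.push_back(s);
        } else {
            out.push_back(here + "/" + c.tag);
        }
    }
    return out;
}

// Constructed sample tree (not the attachment from the bug).
Node sampleTree() {
    Node text{"text", {Node{"tspan", {Node{"#text", {}}}}, Node{"circle", {}}}};
    Node g{"g", {Node{"textPath", {Node{"tspan", {}}}}}};
    return Node{"svg", {text, g, Node{"a", {Node{"textPath", {}}}}}};
}
int main() {
    for (const std::string& p : skippedRenderers(sampleTree()))
        std::cout << "no renderer: " << p << "\n";
}
```

A renderer is created only when both checks pass, which is why the <circle> under <text> and the <textPath> under <g> are both skipped while the <textPath> under <a> is not.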