Bug 68938

Summary: REGRESSION(r95573): Crash when loading SVG documents in a flattened frame or any SVG document in Chromium/Mac.
Product: WebKit
Reporter: Dimitri Glazkov (Google) <dglazkov>
Component: New Bugs
Assignee: Dimitri Glazkov (Google) <dglazkov>
Status: RESOLVED FIXED
Severity: Normal
CC: hyatt, thorton
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 68480
Attachments (Description / Flags):
  Patch / none
  Patch / none
  Patch / hyatt: review+

Description Dimitri Glazkov (Google) 2011-09-27 14:35:46 PDT
[Chromium/Mac] REGRESSION(r95573): All SVG documents crash on loading.
Comment 1 Dimitri Glazkov (Google) 2011-09-27 14:39:55 PDT
Created attachment 108901
Patch
Comment 2 Dimitri Glazkov (Google) 2011-09-27 15:55:54 PDT
Comment on attachment 108901
Patch

needs more testing.
Comment 3 Dimitri Glazkov (Google) 2011-09-28 09:30:41 PDT
Created attachment 109028
Patch
Comment 4 Dave Hyatt 2011-09-28 09:34:43 PDT
Comment on attachment 109028
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=109028&action=review

Really does seem odd that Chromium is calling this on the RenderView... how do you even get the answer you want? I'm not convinced this is even doing what you think it's doing.

> Source/WebCore/rendering/RenderBlock.cpp:4897
> -    LayoutUnit cw = containingBlock()->contentLogicalWidth();
> +    LayoutUnit cw = containingBlockOrSelf(this)->contentLogicalWidth();
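Review bot: the replacement line swaps a null dereference for a silently wrong value at this call site. When containingBlock() returns null for the RenderView (the crash this patch addresses), containingBlockOrSelf(this) falls back to the view's own contentLogicalWidth(), so the percentage computation on the root resolves against the view's own width instead of being skipped. A plain null check that yields 0 keeps the intent visible, for example `RenderBlock* cb = containingBlock();` followed by `LayoutUnit cw = cb ? cb->contentLogicalWidth() : 0;`. Since the summary describes the crash as a regression on SVG document load and in flattened frames, a layout test exercising that path would help keep it from reappearing.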

I wouldn't do it this way, since it doesn't really make any sense. This value really shouldn't even be used by anything since the RenderView can't have percentage heights/widths specified on it, so null checking should be better.

RenderBlock* cb = containingBlock();
LayoutUnit cw = cb ? cb->contentLogicalWidth() : 0;

I'd prefer that.
Comment 5 Dimitri Glazkov (Google) 2011-09-28 13:27:02 PDT
Created attachment 109062
Patch
Comment 6 Dimitri Glazkov (Google) 2011-09-28 13:29:46 PDT
(In reply to comment #4)
> (From update of attachment 109028)
> View in context: https://bugs.webkit.org/attachment.cgi?id=109028&action=review
> 
> Really does seem odd that Chromium is calling this on the RenderView... how do you even get the answer you want? I'm not convinced this is even doing what you think it's doing.

Added a test for flattened frames, which also cause the same crash.

> 
> > Source/WebCore/rendering/RenderBlock.cpp:4897
> > -    LayoutUnit cw = containingBlock()->contentLogicalWidth();
> > +    LayoutUnit cw = containingBlockOrSelf(this)->contentLogicalWidth();
> 
> I wouldn't do it this way, since it doesn't really make any sense. This value really shouldn't even be used by anything since the RenderView can't have percentage heights/widths specified on it, so null checking should be better.
> 
> RenderBlock* cb = containingBlock();
> LayoutUnit cw = cb ? cb->contentLogicalWidth() : 0;
> 
> I'd prefer that.

Done!
Comment 7 Dave Hyatt 2011-09-28 13:31:39 PDT
Comment on attachment 109062
Patch

r=me
Comment 8 Dimitri Glazkov (Google) 2011-09-28 13:54:52 PDT
Committed r96258: <http://trac.webkit.org/changeset/96258>