Bug 85797

Summary: REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth
Product: WebKit
Reporter: Philip Rogers <pdr>
Component: SVG
Assignee: Florin Malita <fmalita>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, eric, fmalita, krit, thorton, webkit.review.bot, zimmermann
Priority: P1
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Minimized crasher (flags: none)
Patch (flags: none)

Philip Rogers
Reported 2012-05-07 06:18:42 PDT
The following will cause a crash:

<figcaption style="width:1px;"> <svg style="width:intrinsic;"/>

In debug builds, the following assert is hit:

ASSERTION FAILED: isEmbeddedThroughFrameContainingSVGDocument()
../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGRoot.cpp(177) : virtual WebCore::LayoutUnit WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const

Original bug: http://crbug.com/126416
Attachments
Minimized crasher (71 bytes, text/html)
2012-06-20 13:42 PDT, Florin Malita
no flags
Patch (5.11 KB, patch)
2012-06-22 10:09 PDT, Florin Malita
no flags
Alexey Proskuryakov
Comment 1 2012-05-07 10:13:22 PDT
Crashes ToT, but not Safari 5.1.5 for me. Release build stack trace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010c31ee38 WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const + 344
1 com.apple.WebCore 0x000000010cb53295 WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderRegion*, WebCore::FractionalLayoutUnit) + 485
2 com.apple.WebCore 0x000000010c1b2c0a WebCore::RenderBox::computeLogicalWidth() + 26
3 com.apple.WebCore 0x000000010c31eb09 WebCore::RenderSVGRoot::layout() + 169
4 com.apple.WebCore 0x000000010cb4c461 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 913
...
Florin Malita
Comment 2 2012-06-20 12:27:22 PDT
The assert at the end of RenderSVGRoot::computeReplacedLogicalWidth() is wrong: we can also reach that point for inline SVGs when the width attribute doesn't establish the viewport (see SVGSVGElement::widthAttributeEstablishesViewport).

The release crash happens in

return document()->frame()->ownerRenderer()->availableLogicalWidth();

because ownerRenderer() is NULL for the case of inline SVG. This also seems to affect RenderSVGRoot::computeReplacedLogicalHeight().

I guess the question is what to do when a) widthAttributeEstablishesViewport() == false and b) the SVG element is not embedded via object/iframe. Fall back to RenderReplaced::computeReplacedLogicalWidth?
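The control flow comment 2 describes, as an added stand-alone model (this is not WebKit's code and not the patch that landed; every type and function below is a hypothetical stand-in). The "before" version reproduces the faulty assumption that a width attribute which does not establish the viewport implies an embedding frame with an owner renderer, so the inline-SVG case dereferences a null pointer; the "after" version takes the owner-renderer branch only when one exists and otherwise falls back to the generic replaced-element width, which is the option comment 2 raises.

```cpp
#include <cstdio>

// Hypothetical stand-ins for the WebKit objects named in the bug.
struct OwnerRenderer {
    int availableWidth;
    int availableLogicalWidth() const { return availableWidth; }
};

struct Frame {
    OwnerRenderer* owner;  // null for inline SVG (no <object>/<iframe> owner)
    OwnerRenderer* ownerRenderer() const { return owner; }
};

struct SvgElement {
    bool widthEstablishesViewport;  // models SVGSVGElement::widthAttributeEstablishesViewport()
    int widthAttribute;             // resolved value of the width attribute
};

// Which branch produced the result, so the two versions can be compared.
enum class Source { SvgAttribute, OwnerRenderer, ReplacedFallback };

struct Width {
    bool ok;        // false stands in for the null dereference (crash)
    int value;
    Source source;
};

// Faulty logic (model of the pre-fix code path): anything that is not sized by the
// width attribute is assumed to be embedded through a frame, so ownerRenderer() is
// dereferenced unconditionally. Debug builds hit the assertion; release builds crash.
Width computeWidthBeforeFix(const SvgElement& svg, const Frame& frame) {
    if (svg.widthEstablishesViewport)
        return Width{true, svg.widthAttribute, Source::SvgAttribute};
    OwnerRenderer* owner = frame.ownerRenderer();
    if (!owner)
        return Width{false, 0, Source::OwnerRenderer};  // would be a null dereference
    return Width{true, owner->availableLogicalWidth(), Source::OwnerRenderer};
}

// Hardened logic: the owner-renderer branch is gated on the renderer actually existing;
// inline SVG with a non-viewport width falls back to the replaced-element width
// (replacedWidth models RenderReplaced::computeReplacedLogicalWidth()).
Width computeWidthAfterFix(const SvgElement& svg, const Frame& frame, int replacedWidth) {
    if (svg.widthEstablishesViewport)
        return Width{true, svg.widthAttribute, Source::SvgAttribute};
    if (OwnerRenderer* owner = frame.ownerRenderer())
        return Width{true, owner->availableLogicalWidth(), Source::OwnerRenderer};
    return Width{true, replacedWidth, Source::ReplacedFallback};
}

int main() {
    // Constructed input modelling the reporter's case: inline <svg style="width:intrinsic;">,
    // whose width attribute does not establish the viewport and which has no owner frame.
    SvgElement inlineSvg{false, 0};
    Frame noOwner{nullptr};

    Width before = computeWidthBeforeFix(inlineSvg, noOwner);
    std::printf("before fix: %s\n", before.ok ? "ok" : "null ownerRenderer() dereferenced");

    Width after = computeWidthAfterFix(inlineSvg, noOwner, 300);
    std::printf("after fix: width=%d via %s\n", after.value,
                after.source == Source::ReplacedFallback ? "replaced fallback" : "other");
    return 0;
}
```

The point of the model is the gating condition: "width attribute does not establish the viewport" and "document is embedded through a frame" are independent, and the embedded branch must be taken only when the second actually holds.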
Florin Malita
Comment 3 2012-06-20 13:42:52 PDT
Created attachment 148647 [details] Minimized crasher
Florin Malita
Comment 4 2012-06-22 10:09:04 PDT
WebKit Review Bot
Comment 5 2012-06-22 11:19:50 PDT
Comment on attachment 149049 [details] Patch

Clearing flags on attachment: 149049

Committed r121041: <http://trac.webkit.org/changeset/121041>
WebKit Review Bot
Comment 6 2012-06-22 11:20:00 PDT
All reviewed patches have been landed. Closing bug.