Bug 85797 - REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth
Summary: REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogic...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P1 Normal
Assignee: Florin Malita
URL:
Keywords: Regression
Depends on:
Blocks:
 
Reported: 2012-05-07 06:18 PDT by Philip Rogers
Modified: 2012-06-22 11:20 PDT (History)
CC: 7 users

See Also:


Attachments
Minimized crasher (71 bytes, text/html)
2012-06-20 13:42 PDT, Florin Malita
no flags
Patch (5.11 KB, patch)
2012-06-22 10:09 PDT, Florin Malita
no flags

Description Philip Rogers 2012-05-07 06:18:42 PDT
The following will cause a crash:

<figcaption style="width:1px;">
<svg style="width:intrinsic;"/>

In debug builds, the following assert is hit:
ASSERTION FAILED: isEmbeddedThroughFrameContainingSVGDocument()
../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGRoot.cpp(177) : virtual WebCore::LayoutUnit WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const

Original bug: http://crbug.com/126416
Comment 1 Alexey Proskuryakov 2012-05-07 10:13:22 PDT
Crashes ToT, but not Safari 5.1.5 for me. Release build stack trace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010c31ee38 WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const + 344
1   com.apple.WebCore             	0x000000010cb53295 WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderRegion*, WebCore::FractionalLayoutUnit) + 485
2   com.apple.WebCore             	0x000000010c1b2c0a WebCore::RenderBox::computeLogicalWidth() + 26
3   com.apple.WebCore             	0x000000010c31eb09 WebCore::RenderSVGRoot::layout() + 169
4   com.apple.WebCore             	0x000000010cb4c461 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 913
...
Comment 2 Florin Malita 2012-06-20 12:27:22 PDT
The assert at the end of RenderSVGRoot::computeReplacedLogicalWidth() is wrong: we can also reach that point for inline SVGs when the width attribute doesn't establish the viewport (see SVGSVGElement::widthAttributeEstablishesViewport).

The release crash happens in

  return document()->frame()->ownerRenderer()->availableLogicalWidth()

because ownerRenderer() is NULL for the case of inline SVG.

This also seems to affect RenderSVGRoot::computeReplacedLogicalHeight().

I guess the question is what to do when

a) widthAttributeEstablishesViewport() == false
and
b) the SVG element is not embedded via object/iframe


Fall back to RenderReplaced::computeReplacedLogicalWidth?
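The control flow described in comment 2, as an added example that is not code from this bug, from WebKit, or from the landed patch: a hypothetical, simplified C++ model of the Document/Frame/owner-renderer chain in which the debug-only assert is compiled out and the release build dereferences a NULL ownerRenderer() for inline SVG, shown beside the fallback Florin proposes. The type and field names, the sample widths (300, 120, 42) and the shape of the "after" function are assumptions made for this example; r121041's actual diff is not reproduced here.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>

// Hypothetical stand-ins for the objects named in comment 2. These are not
// WebKit's RenderSVGRoot, Frame or Document; method names are borrowed only so
// the crash line reads the same as the one quoted in the bug.
struct OwnerRenderer {
    int width;
    int availableLogicalWidth() const { return width; }
};

struct Frame {
    OwnerRenderer* owner;  // NULL when the frame is not owned by <object>/<iframe>
    OwnerRenderer* ownerRenderer() const { return owner; }
};

struct Document {
    Frame* frm;
    Frame* frame() const { return frm; }
};

struct SvgRoot {
    Document* doc;
    bool widthEstablishesViewport;  // models SVGSVGElement::widthAttributeEstablishesViewport()
    int viewportWidth;              // width used when the attribute establishes the viewport
    int replacedWidth;              // what generic replaced-element sizing would give (assumed)

    const Document* document() const { return doc; }

    // The condition the debug assert checks: an owner renderer exists only for
    // SVG documents embedded through a frame (<object>/<iframe>).
    bool isEmbeddedThroughFrameContainingSVGDocument() const {
        return doc->frame() != NULL && doc->frame()->ownerRenderer() != NULL;
    }
};

// Pre-fix shape of the function. In a release build the assert is compiled out
// (here: NDEBUG), so for inline SVG the last line dereferences NULL.
int computeReplacedLogicalWidthBefore(const SvgRoot& root) {
    if (root.widthEstablishesViewport)
        return root.viewportWidth;
    assert(root.isEmbeddedThroughFrameContainingSVGDocument());  // debug-only
    return root.document()->frame()->ownerRenderer()->availableLogicalWidth();  // crash site
}

// The buggy path reaches the NULL dereference exactly when both conditions
// (a) and (b) from comment 2 hold. Checking this predicate lets a test reason
// about the crash without triggering it.
bool beforeWouldDereferenceNull(const SvgRoot& root) {
    return !root.widthEstablishesViewport
        && !root.isEmbeddedThroughFrameContainingSVGDocument();
}

// Hardened shape following the fallback suggested in comment 2 (an assumption,
// not a copy of the landed patch): take the owner-renderer path only when an
// owner really exists, otherwise size the root like any replaced element.
int computeReplacedLogicalWidthAfter(const SvgRoot& root) {
    if (root.widthEstablishesViewport)
        return root.viewportWidth;
    if (root.isEmbeddedThroughFrameContainingSVGDocument())
        return root.document()->frame()->ownerRenderer()->availableLogicalWidth();
    return root.replacedWidth;  // inline SVG, e.g. <svg style="width:intrinsic;">
}

// Constructed layouts. hasOwner=false models the inline <svg> from the report;
// hasOwner=true models an <svg> document loaded through <object>.
struct Scenario {
    OwnerRenderer owner;
    Frame frame;
    Document doc;
    SvgRoot root;
};

void initScenario(Scenario& s, bool hasOwner, bool establishesViewport) {
    s.owner.width = 300;                               // assumed <object> width
    s.frame.owner = hasOwner ? &s.owner : NULL;
    s.doc.frm = &s.frame;
    s.root.doc = &s.doc;
    s.root.widthEstablishesViewport = establishesViewport;
    s.root.viewportWidth = 120;                        // assumed
    s.root.replacedWidth = 42;                         // assumed
}

bool beforeCrashes(bool hasOwner, bool establishesViewport) {
    Scenario s;
    initScenario(s, hasOwner, establishesViewport);
    return beforeWouldDereferenceNull(s.root);
}

int widthAfter(bool hasOwner, bool establishesViewport) {
    Scenario s;
    initScenario(s, hasOwner, establishesViewport);
    return computeReplacedLogicalWidthAfter(s.root);
}

// Only meaningful for layouts where beforeCrashes() is false.
int widthBefore(bool hasOwner, bool establishesViewport) {
    Scenario s;
    initScenario(s, hasOwner, establishesViewport);
    return computeReplacedLogicalWidthBefore(s.root);
}

int main() {
    std::printf("inline svg, buggy path crashes: %d\n", beforeCrashes(false, false));
    std::printf("inline svg, hardened width: %d\n", widthAfter(false, false));
    std::printf("embedded svg, width before/after: %d/%d\n",
                widthBefore(true, false), widthAfter(true, false));
    return 0;
}
```

The security-relevant point the model makes explicit is that an ASSERT documents an invariant but does not enforce it in shipping builds; when the invariant is wrong, as it was here, the release binary runs straight into the dereference. A runtime check with a defined fallback is what keeps the failure out of the crash reporter.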
Comment 3 Florin Malita 2012-06-20 13:42:52 PDT
Created attachment 148647 [details]
Minimized crasher
Comment 4 Florin Malita 2012-06-22 10:09:04 PDT
Created attachment 149049 [details]
Patch
Comment 5 WebKit Review Bot 2012-06-22 11:19:50 PDT
Comment on attachment 149049 [details]
Patch

Clearing flags on attachment: 149049

Committed r121041: <http://trac.webkit.org/changeset/121041>
Comment 6 WebKit Review Bot 2012-06-22 11:20:00 PDT
All reviewed patches have been landed. Closing bug.