Bug 1539318 - Prevent getComputedTextLength() from working on non-display SVG text elements. r=jwatt
☠☠ backed out by 6f280783594b ☠ ☠
author Cameron McCormack <cam@mcc.id.au>
Wed, 01 May 2019 22:41:50 +0000
changeset 472210 e9ea26dd5b6860369222508e8510888db71c1de4
parent 472209 81f1c693b2dd58da05c719269dfbde369ed127db
child 472211 dae4370a4b010a27c6ab3528935a2b389d6f388b
push id 84517
push user cmccormack@mozilla.com
push date Wed, 01 May 2019 22:43:02 +0000
reviewers jwatt
bugs 1539318, 1402109
milestone 68.0a1
Bug 1539318 - Prevent getComputedTextLength() from working on non-display SVG text elements. r=jwatt

This adds the same bailing out behavior that was added in bug 1402109 to a number of other functions implementing SVG DOM text methods.

Differential Revision: https://phabricator.services.mozilla.com/D25550
layout/svg/SVGTextFrame.cpp
layout/svg/crashtests/1539318-1.svg
layout/svg/crashtests/crashtests.list
--- a/layout/svg/SVGTextFrame.cpp
+++ b/layout/svg/SVGTextFrame.cpp
@@ -3661,16 +3661,26 @@ uint32_t SVGTextFrame::GetNumberOfChars(
   return n;
 }
 
 /**
  * Implements the SVG DOM GetComputedTextLength method for the specified
  * text child element.
  */
 float SVGTextFrame::GetComputedTextLength(nsIContent* aContent) {
+  nsIFrame* kid = PrincipalChildList().FirstChild();
+  if (NS_SUBTREE_DIRTY(kid)) {
+    // We're never reflowed if we're under a non-SVG element that is
+    // never reflowed (such as the HTML 'caption' element).
+    //
+    // If we ever decide that we need to return accurate values here,
+    // we could do similar work to GetSubStringLength.
+    return 0;
+  }
+
   UpdateGlyphPositioning();
 
   float cssPxPerDevPx = nsPresContext::AppUnitsToFloatCSSPixels(
       PresContext()->AppUnitsPerDevPixel());
 
   nscoord length = 0;
   TextRenderedRunIterator it(this, TextRenderedRunIterator::eAllFrames,
                              aContent);
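Review bot: `kid` goes straight into NS_SUBTREE_DIRTY at the top of GetComputedTextLength with no null check, so if PrincipalChildList() can be empty for this frame the new guard itself becomes the crash site; assert that FirstChild() is non-null or return 0 early when it is null. Separately, the commit message says the bail-out is added to "a number of other functions implementing SVG DOM text methods", but this is the only hunk in SVGTextFrame.cpp and it guards GetComputedTextLength alone, so either the other methods that call UpdateGlyphPositioning() need the same check or the message should be narrowed. The code comment could also mention the non-display case named in the bug title, since it currently describes only the HTML 'caption' case.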
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/1539318-1.svg
@@ -0,0 +1,10 @@
+<script>
+window.onload = function() {
+  a.getComputedTextLength()
+}
+</script>
+<body>
+<svg>
+<switch>
+<hatch>
+<text id="a">A</text>
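Review bot: the test is added as 1539318-1.svg, but its content is HTML-parser markup (a bare `<script>`, a `<body>`, and unclosed `<svg>`, `<switch>` and `<hatch>` elements) that is not well-formed XML, so loaded as an SVG document it would not build the tree containing `<text id="a">` and the `a.getComputedTextLength()` call would never reach the new guard. Rename the file to 1539318-1.html, which is also the name the crashtests.list entry in this patch expects.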
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -221,9 +221,9 @@ load 1480224.html
 load 1502936.html
 load 1504918.svg
 load perspective-invalidation.html
 load invalid_url.html
 load 1535517-1.svg
 load 1504072.html
 load 1072758.html
 load 1536892.html
-
+load 1539318-1.html
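Review bot: the added entry `load 1539318-1.html` names a file this patch does not create; the crashtest is added as layout/svg/crashtests/1539318-1.svg, so the harness would fail to load it. Make the manifest entry and the file name agree; given the test's HTML-style markup, renaming the file to .html is the simpler fix.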