Bug 1539318 - Prevent getComputedTextLength() from working on non-display SVG text elements. r=jwatt
authorCameron McCormack <cam@mcc.id.au>
Thu, 02 May 2019 01:08:39 +0000
changeset 472208 f446fb2da3fb1b6e30f6de6b0f6ed1b5cfcda071
parent 472207 6f280783594b75caee682ed71c8155934a9d59d9
child 472209 10a025aed3d426ac976d8dbd98cffc15a33cfb5f
push id35950
push usercbrindusan@mozilla.com
push dateThu, 02 May 2019 09:52:27 +0000
reviewersjwatt
bugs1539318, 1402109
milestone68.0a1
Bug 1539318 - Prevent getComputedTextLength() from working on non-display SVG text elements. r=jwatt This adds the same bailing out behavior that was added in bug 1402109 to a number of other functions implementing SVG DOM text methods. Differential Revision: https://phabricator.services.mozilla.com/D25550
layout/svg/SVGTextFrame.cpp
layout/svg/crashtests/1539318-1.svg
layout/svg/crashtests/crashtests.list
--- a/layout/svg/SVGTextFrame.cpp
+++ b/layout/svg/SVGTextFrame.cpp
@@ -3661,16 +3661,26 @@ uint32_t SVGTextFrame::GetNumberOfChars(
   return n;
 }
 
 /**
  * Implements the SVG DOM GetComputedTextLength method for the specified
  * text child element.
  */
 float SVGTextFrame::GetComputedTextLength(nsIContent* aContent) {
+  nsIFrame* kid = PrincipalChildList().FirstChild();
+  if (NS_SUBTREE_DIRTY(kid)) {
+    // We're never reflowed if we're under a non-SVG element that is
+    // never reflowed (such as the HTML 'caption' element).
+    //
+    // If we ever decide that we need to return accurate values here,
+    // we could do similar work to GetSubStringLength.
+    return 0;
+  }
+
   UpdateGlyphPositioning();
 
   float cssPxPerDevPx = nsPresContext::AppUnitsToFloatCSSPixels(
       PresContext()->AppUnitsPerDevPixel());
 
   nscoord length = 0;
   TextRenderedRunIterator it(this, TextRenderedRunIterator::eAllFrames,
                              aContent);
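Review bot: The early `return 0` at the top of GetComputedTextLength makes a frame that was never reflowed indistinguishable from one whose text really has zero length, and the doc comment above the function does not say so; I would add a line such as `* Returns 0 if our child frame is still dirty, i.e. we have not been reflowed.` The guard reads `kid` through NS_SUBTREE_DIRTY without a null check; that is presumably safe because the frame always has a first principal child, but a `MOZ_ASSERT(kid);` before the `if` would record the assumption. The commit message says this check is being copied from bug 1402109 into several SVG DOM text methods, yet only this function appears in the hunk. Every other script-callable method that goes on to call UpdateGlyphPositioning() needs the same check, so a small shared helper would keep the copies from drifting apart. The function body continues past the end of the hunk.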
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/1539318-1.svg
@@ -0,0 +1,10 @@
+<script>
+window.onload = function() {
+  a.getComputedTextLength()
+}
+</script>
+<body>
+<svg>
+<switch>
+<hatch>
+<text id="a">A</text>
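Review bot: Nothing in the test says which part of the markup triggers the bug; the commit title refers to non-display text, and presumably the `<hatch>` wrapper inside `<switch>` is what puts `<text id="a">` in that state. A one-line comment such as `<!-- <text> under an unrendered container: its frame is never reflowed -->` would keep a later cleanup from simplifying the markup into something that no longer exercises the guard. The test calls only `getComputedTextLength()`, so it does not cover any other text method that receives the same check.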
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -221,9 +221,9 @@ load 1480224.html
 load 1502936.html
 load 1504918.svg
 load perspective-invalidation.html
 load invalid_url.html
 load 1535517-1.svg
 load 1504072.html
 load 1072758.html
 load 1536892.html
-
+load 1539318-1.svg