Bug 1693032 - SVG text reflow can flow through multiple outer svg elements try: -b d -p linux64 -u reftest,crashtest,mochitests,web-platform-tests -t none draft bug1693032
authorlongsonr <longsonr@gmail.com>
Tue, 16 Feb 2021 19:54:23 +0000
changeset 3545293 0c182ea7924882a085c06a4d581b0fa716e82fb3
parent 3540144 de2452d764b9b813d15b0913de65b5cfa6b94956
child 3693216 c09c3551a7448f1801bdd30069cddf4322c20094
push id656177
push userlongsonr@gmail.com
push dateWed, 17 Feb 2021 13:25:41 +0000
treeherdertry@0c182ea79248 [default view] [failures only]
bugs1693032
milestone87.0a1
Bug 1693032 - SVG text reflow can flow through multiple outer svg elements try: -b d -p linux64 -u reftest,crashtest,mochitests,web-platform-tests -t none
layout/svg/SVGContainerFrame.cpp
layout/svg/SVGObserverUtils.cpp
layout/svg/SVGTextFrame.cpp
layout/svg/crashtests/1693032.html
layout/svg/crashtests/crashtests.list
--- a/layout/svg/SVGContainerFrame.cpp
+++ b/layout/svg/SVGContainerFrame.cpp
@@ -276,18 +276,18 @@ nsIFrame* SVGDisplayContainerFrame::GetF
   NS_ASSERTION(!NS_SVGDisplayListHitTestingEnabled() ||
                    (mState & NS_FRAME_IS_NONDISPLAY),
                "If display lists are enabled, only hit-testing of a "
                "clipPath's contents should take this code path");
   return SVGUtils::HitTestChildren(this, aPoint);
 }
 
 void SVGDisplayContainerFrame::ReflowSVG() {
-  NS_ASSERTION(SVGUtils::OuterSVGIsCallingReflowSVG(this),
-               "This call is probably a wasteful mistake");
+  MOZ_ASSERT(SVGUtils::AnyOuterSVGIsCallingReflowSVG(this),
+             "This call is probably a wasteful mistake");
 
   MOZ_ASSERT(!HasAnyStateBits(NS_FRAME_IS_NONDISPLAY),
              "ReflowSVG mechanism not designed for this");
 
   MOZ_ASSERT(!IsSVGOuterSVGFrame(), "Do not call on outer-<svg>");
 
   if (!SVGUtils::NeedsReflowSVG(this)) {
     return;
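Review bot: Besides switching to `AnyOuterSVGIsCallingReflowSVG`, the first statement of `SVGDisplayContainerFrame::ReflowSVG` changes from `NS_ASSERTION` to `MOZ_ASSERT`, which the commit message does not mention. `NS_ASSERTION` is non-fatal by default in debug builds, while `MOZ_ASSERT` aborts them, so a condition the message itself calls "probably a wasteful mistake" becomes a hard debug crash. If the intent is to match `SVGTextFrame::ReflowSVG`, which already used `MOZ_ASSERT`, say so in the description; otherwise keep `NS_ASSERTION(SVGUtils::AnyOuterSVGIsCallingReflowSVG(this), ...)`. The function body continues past the end of the hunk.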
--- a/layout/svg/SVGObserverUtils.cpp
+++ b/layout/svg/SVGObserverUtils.cpp
@@ -485,17 +485,17 @@ void SVGTextPathObserver::OnRenderingCha
 
   auto* text = static_cast<SVGTextFrame*>(
       nsLayoutUtils::GetClosestFrameOfType(frame, LayoutFrameType::SVGText));
   MOZ_ASSERT(text, "expected to find an ancestor SVGTextFrame");
   if (text) {
     text->AddStateBits(NS_STATE_SVG_TEXT_CORRESPONDENCE_DIRTY |
                        NS_STATE_SVG_POSITIONING_DIRTY);
 
-    if (SVGUtils::OuterSVGIsCallingReflowSVG(text)) {
+    if (SVGUtils::AnyOuterSVGIsCallingReflowSVG(text)) {
       text->AddStateBits(NS_FRAME_IS_DIRTY | NS_FRAME_HAS_DIRTY_CHILDREN);
       if (text->HasAnyStateBits(NS_FRAME_IS_NONDISPLAY)) {
         text->ReflowSVGNonDisplayText();
       } else {
         text->ReflowSVG();
       }
     } else {
       text->ScheduleReflowSVG();
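Review bot: The widened condition on the `if` now sends the text frame down the synchronous `ReflowSVG()` / `ReflowSVGNonDisplayText()` branch even when its nearest outer-<svg> is not the one reflowing, and nothing at the call site says why that is wanted. A short comment above the `if` would record it, for example `// text may live in a nested outer-<svg> (e.g. under <foreignObject>), so test every outer-<svg> ancestor, not only the nearest`. The same rationale applies to the two `MOZ_ASSERT`s changed in SVGContainerFrame.cpp and SVGTextFrame.cpp. `AnyOuterSVGIsCallingReflowSVG` is not defined in any file this commit touches, so its exact semantics are presumably those of an existing helper and should be confirmed. The enclosing function starts and ends outside the hunk.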
--- a/layout/svg/SVGTextFrame.cpp
+++ b/layout/svg/SVGTextFrame.cpp
@@ -3289,17 +3289,17 @@ nsIFrame* SVGTextFrame::GetFrameForPoint
     if (Inside(frameRect, pointInRunUserSpace)) {
       hit = run.mFrame;
     }
   }
   return hit;
 }
 
 void SVGTextFrame::ReflowSVG() {
-  MOZ_ASSERT(SVGUtils::OuterSVGIsCallingReflowSVG(this),
+  MOZ_ASSERT(SVGUtils::AnyOuterSVGIsCallingReflowSVG(this),
              "This call is probaby a wasteful mistake");
 
   MOZ_ASSERT(!HasAnyStateBits(NS_FRAME_IS_NONDISPLAY),
              "ReflowSVG mechanism not designed for this");
 
   if (!SVGUtils::NeedsReflowSVG(this)) {
     MOZ_ASSERT(!HasAnyStateBits(NS_STATE_SVG_TEXT_CORRESPONDENCE_DIRTY |
                                 NS_STATE_SVG_POSITIONING_DIRTY),
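Review bot: The message on the second line of the edited `MOZ_ASSERT` in `SVGTextFrame::ReflowSVG` still reads "probaby". Since the statement is being touched anyway, fix the spelling so it matches the wording in `SVGDisplayContainerFrame::ReflowSVG`: `"This call is probably a wasteful mistake");`. The function body continues past the end of the hunk.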
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/1693032.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+      document.addEventListener('DOMContentLoaded', () => {
+        const svg_1 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
+        const svg_2 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
+        const switch_1 = document.createElementNS('http://www.w3.org/2000/svg', 'switch')
+        const metadata_1 = document.createElementNS('http://www.w3.org/2000/svg', 'metadata')
+        const foreign_1 = document.createElementNS('http://www.w3.org/2000/svg', 'foreignObject')
+        const text_1 = document.createElementNS('http://www.w3.org/2000/svg', 'text')
+        switch_1.appendChild(metadata_1)
+        svg_2.appendChild(text_1)
+        foreign_1.appendChild(svg_2)
+        switch_1.appendChild(foreign_1)
+        svg_1.appendChild(switch_1)
+        document.documentElement.appendChild(svg_1)
+      })
+    </script>
+</head>
+</html>
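Review bot: The new crashtest has no comment saying what it exercises, so the reason for this particular nesting can only be recovered from the bug. An HTML comment above the script would help, for example `<!-- Bug 1693032: <text> inside an outer <svg> that is nested through <foreignObject> in another outer <svg> -->`. The role of the `metadata` child appended to `switch_1` is not evident from the test. If it is needed to reproduce the crash, note that in the comment; if not, it could be dropped to keep the case minimal.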
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -232,8 +232,9 @@ load 1555851.html
 load invalidation-of-opacity-0.html
 load 1563779.html
 load 1600855.html
 load 1601824.html
 load 1605223-1.html
 load 1609663.html
 load 1671950.html
 load 1678947.html
+load 1693032.html