Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: cherry-pick 9bab573a37 from chromium (#30100)
* chore: cherry-pick 9bab573a37 from chromium Refs https://chromium-review.googlesource.com/c/chromium/src/+/3010140 * chore: update patches Co-authored-by: deepak1556 <hop2deep@gmail.com> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
- Loading branch information
3 people
committed
Jul 13, 2021
1 parent
d09e7f8
commit 299fa3a
Showing
2 changed files
with
49 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
48 changes: 48 additions & 0 deletions
48
patches/chromium/set_svgimage_page_after_document_install.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
| From: =?UTF-8?q?Fredrik=20S=C3=B6derqvist?= <fs@opera.com> | ||
| Date: Fri, 9 Jul 2021 08:44:55 +0000 | ||
| Subject: Set SVGImage::page_ after document install | ||
| MIME-Version: 1.0 | ||
| Content-Type: text/plain; charset=UTF-8 | ||
| Content-Transfer-Encoding: 8bit | ||
|
|
||
| We can end up having the associated ImageResource call | ||
| SVGImage::ResetAnimation() before the Document has been associated with | ||
| the SVGImage's LocalFrame, but after the link to the initial Document | ||
| was severed, if a GC is triggered within that window and ends up | ||
| collecting the last observer of the ImageResource. | ||
|
|
||
| By assigning |SVGImage::page_| after the installing the document, we | ||
| close this hole since SVGImage::RootElement() (called by | ||
| SVGImage::ResetAnimation()) will now observe a null Page and return null | ||
| without attempting to dereference the document. | ||
|
|
||
| Bug: 1216190 | ||
| Change-Id: I26e08848e5b9bd52e3377841eee35e4acc03d320 | ||
| Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3010140 | ||
| Reviewed-by: Stephen Chenney <schenney@chromium.org> | ||
| Commit-Queue: Fredrik Söderquist <fs@opera.com> | ||
| Cr-Commit-Position: refs/heads/master@{#899922} | ||
|
|
||
| diff --git a/third_party/blink/renderer/core/svg/graphics/svg_image.cc b/third_party/blink/renderer/core/svg/graphics/svg_image.cc | ||
| index 0742d1e2e78b6bb0cd2582afd2133bb5eaf56387..96768e7fed1ba36ef5bba48d540f76e8ce50a608 100644 | ||
| --- a/third_party/blink/renderer/core/svg/graphics/svg_image.cc | ||
| +++ b/third_party/blink/renderer/core/svg/graphics/svg_image.cc | ||
| @@ -853,12 +853,15 @@ Image::SizeAvailability SVGImage::DataChanged(bool all_data_received) { | ||
| // SVG Images are transparent. | ||
| frame->View()->SetBaseBackgroundColor(Color::kTransparent); | ||
|
|
||
| - page_ = page; | ||
| - | ||
| TRACE_EVENT0("blink", "SVGImage::dataChanged::load"); | ||
|
|
||
| frame->ForceSynchronousDocumentInstall("image/svg+xml", Data()); | ||
|
|
||
| + // Set up our Page reference after installing our document. This avoids | ||
| + // tripping on a non-existing (null) Document if a GC is triggered during the | ||
| + // set up and ends up collecting the last owner/observer of this image. | ||
| + page_ = page; | ||
| + | ||
| // Intrinsic sizing relies on computed style (e.g. font-size and | ||
| // writing-mode). | ||
| frame->GetDocument()->UpdateStyleAndLayoutTree(); |