Commit
chore: cherry-pick 9bab573a37 from chromium (#30101)
* chore: cherry-pick 9bab573a37 from chromium

  Refs https://chromium-review.googlesource.com/c/chromium/src/+/3010140

* chore: update patches

Co-authored-by: deepak1556 <hop2deep@gmail.com>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
1 parent: 38ecb5d
commit: 2ae1c82
Showing 2 changed files with 49 additions and 0 deletions.
patches/chromium/set_svgimage_page_after_document_install.patch (48 additions & 0 deletions)
@@ -0,0 +1,48 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20S=C3=B6derqvist?= <fs@opera.com>
Date: Fri, 9 Jul 2021 08:44:55 +0000
Subject: Set SVGImage::page_ after document install
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We can end up having the associated ImageResource call
SVGImage::ResetAnimation() before the Document has been associated with
the SVGImage's LocalFrame, but after the link to the initial Document
was severed, if a GC is triggered within that window and ends up
collecting the last observer of the ImageResource.

By assigning |SVGImage::page_| after installing the document, we
close this hole since SVGImage::RootElement() (called by
SVGImage::ResetAnimation()) will now observe a null Page and return null
without attempting to dereference the document.

Bug: 1216190
Change-Id: I26e08848e5b9bd52e3377841eee35e4acc03d320
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3010140
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#899922}

diff --git a/third_party/blink/renderer/core/svg/graphics/svg_image.cc b/third_party/blink/renderer/core/svg/graphics/svg_image.cc | ||
index b23ad2192bec4d1cac9d704074d12c9e00d4d2f5..ff2bf69be27f0afcb6a9909e716495e8d4a127ef 100644 | ||
--- a/third_party/blink/renderer/core/svg/graphics/svg_image.cc | ||
+++ b/third_party/blink/renderer/core/svg/graphics/svg_image.cc | ||
@@ -851,12 +851,15 @@ Image::SizeAvailability SVGImage::DataChanged(bool all_data_received) { | ||
// SVG Images are transparent. | ||
frame->View()->SetBaseBackgroundColor(Color::kTransparent); | ||
|
||
- page_ = page; | ||
- | ||
TRACE_EVENT0("blink", "SVGImage::dataChanged::load"); | ||
|
||
frame->ForceSynchronousDocumentInstall("image/svg+xml", Data()); | ||
|
||
+ // Set up our Page reference after installing our document. This avoids | ||
+ // tripping on a non-existing (null) Document if a GC is triggered during the | ||
+ // set up and ends up collecting the last owner/observer of this image. | ||
+ page_ = page; | ||
+ | ||
// Intrinsic sizing relies on computed style (e.g. font-size and | ||
// writing-mode). | ||
frame->GetDocument()->UpdateStyleAndLayoutTree(); |
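Review bot: the safety of this reordering rests on an invariant the hunk does not state: anything that can run while `frame->ForceSynchronousDocumentInstall("image/svg+xml", Data());` is executing (per the commit message, SVGImage::ResetAnimation() reaching SVGImage::RootElement() when a GC collects the last observer of the ImageResource) must tolerate a null page_. The new comment above `page_ = page;` explains why the assignment moved but not where the null check that makes the window safe lives; naming SVGImage::RootElement() there would stop a later refactor that removes that early return, or adds another page_-dependent path before the assignment, from silently reopening the hole. The patch also carries no regression test for the GC-during-install sequence it describes (Bug: 1216190); a test that forces a GC while the SVG document is being installed would pin this ordering, which is otherwise a one-line change to undo by accident.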