Merge r166420 - Clear SVGInlineTextBox fragments when the text changes.

https://bugs.webkit.org/show_bug.cgi?id=130879

Reviewed by Darin Adler.

Ported from Blink: https://src.chromium.org/viewvc/blink?revision=150456&view=revision

Source/WebCore:

This patch modifies SVGInlineTextBox::dirtyLineBoxes to clear all
following text boxes when invoked. Typically this method is called
when the underlying text string changes, and that change needs to
be propagated to all the boxes that use the text beyond the point
where the text is first modified.

Also cleans up final function keywords for SVGRootInlineBox.

Test: svg/custom/unicode-in-tspan-multi-svg-crash.html

* rendering/InlineTextBox.h: Added (non-recursive) dirtyOwnLineBoxes() function
(WebCore::InlineTextBox::dirtyOwnLineBoxes): Calls dirtyLineBoxes()
* rendering/svg/SVGInlineTextBox.h: Added (non-recursive) dirtyOwnLineBoxes() function
(WebCore::SVGInlineTextBox::dirtyOwnLineBoxes):
* rendering/svg/SVGInlineTextBox.cpp:
(WebCore::SVGInlineTextBox::dirtyOwnLineBoxes): Non-recursive part of dirtyLineBoxes()
(WebCore::SVGInlineTextBox::dirtyLineBoxes): Calls dirtyOwnLineBoxes() in a loop
* rendering/svg/SVGRootInlineBox.h:

LayoutTests:

When failing, this test will render garbage characters or crash.

* svg/custom/unicode-in-tspan-multi-svg-crash-expected.txt: Added.
* svg/custom/unicode-in-tspan-multi-svg-crash.html: Added.

LayoutTests/ChangeLog

@@ -1,3 +1,17 @@
+2014-03-28  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        Clear SVGInlineTextBox fragments when the text changes.
+        https://bugs.webkit.org/show_bug.cgi?id=130879
+
+        Reviewed by Darin Adler.
+
+        Ported from Blink: https://src.chromium.org/viewvc/blink?revision=150456&view=revision
+
+        When failing, this test will render garbage characters or crash.
+
+        * svg/custom/unicode-in-tspan-multi-svg-crash-expected.txt: Added.
+        * svg/custom/unicode-in-tspan-multi-svg-crash.html: Added.
+
 2014-03-01  David Kilzer  <ddkilzer@apple.com>
 
         Fix lifetime handling of SVGPropertyTearOffs

LayoutTests/svg/custom/unicode-in-tspan-multi-svg-crash-expected.txt

@@ -0,0 +1 @@
+Test Passes if there is no crash in Debug or Asan builds. There should be no characters preceding "Test".

LayoutTests/svg/custom/unicode-in-tspan-multi-svg-crash.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+  <script>
+    if (window.testRunner)
+      testRunner.dumpAsText(false);
+
+    onload = function() {
+      tSpanElement = document.getElementById('tSpanInFirstRoot');
+      tSpanElement.appendChild(document.createTextNode(unescape('%ufe9e%ue28f%ue47e')));
+
+      document.body.offsetTop;
+      document.body.style.zoom=0.9;
+
+      document.designMode='on';
+      filterInFirstRoot = document.getElementById('filterInFirstRoot');
+      useElement = document.getElementById('useElement');
+      window.getSelection().setBaseAndExtent(filterInFirstRoot, useElement, 5);
+      document.execCommand('ForwardDelete');
+      document.designMode='off';
+    }
+  </script>
+  <body>
+    <svg xmlns="http://www.w3.org/2000/svg">
+      <text>
+        <filter id="filterInFirstRoot"/>
+        <tspan id="tSpanInFirstRoot"/>
+      </text>
+      <path filter="url(#filterInSecondRoot)"/>
+    </svg>
+
+    <svg xmlns="http://www.w3.org/2000/svg">
+      <use id="useElement"/>
+      <filter id="filterInSecondRoot"/>
+    </svg>
+
+    <p>Test Passes if there is no crash in Debug or Asan builds. There should be no characters preceding "Test".</p>
+  </body>
+</html>

Source/WebCore/ChangeLog

@@ -1,3 +1,31 @@
+2014-03-28  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        Clear SVGInlineTextBox fragments when the text changes.
+        https://bugs.webkit.org/show_bug.cgi?id=130879
+
+        Reviewed by Darin Adler.
+
+        Ported from Blink: https://src.chromium.org/viewvc/blink?revision=150456&view=revision
+
+        This patch modifies SVGInlineTextBox::dirtyLineBoxes to clear all
+        following text boxes when invoked. Typically this method is called
+        when the underlying text string changes, and that change needs to
+        be propagated to all the boxes that use the text beyond the point
+        where the text is first modified.
+
+        Also cleans up final function keywords for SVGRootInlineBox.
+
+        Test: svg/custom/unicode-in-tspan-multi-svg-crash.html
+
+        * rendering/InlineTextBox.h: Added (non-recursive) dirtyOwnLineBoxes() function
+        (WebCore::InlineTextBox::dirtyOwnLineBoxes): Calls dirtyLineBoxes()
+        * rendering/svg/SVGInlineTextBox.h: Added (non-recursive) dirtyOwnLineBoxes() function
+        (WebCore::SVGInlineTextBox::dirtyOwnLineBoxes):
+        * rendering/svg/SVGInlineTextBox.cpp:
+        (WebCore::SVGInlineTextBox::dirtyOwnLineBoxes): Non-recursive part of dirtyLineBoxes()
+        (WebCore::SVGInlineTextBox::dirtyLineBoxes): Calls dirtyOwnLineBoxes() in a loop
+        * rendering/svg/SVGRootInlineBox.h:
+
 2014-02-02  Andreas Kling  <akling@apple.com>
 
         Minor SVGRootInlineBox cleanup.

Source/WebCore/rendering/InlineTextBox.h

@@ -98,6 +98,8 @@ class InlineTextBox : public InlineBox {
     LayoutUnit logicalLeftVisualOverflow() const { return logicalOverflowRect().x(); }
     LayoutUnit logicalRightVisualOverflow() const { return logicalOverflowRect().maxX(); }
 
+    virtual void dirtyOwnLineBoxes() { dirtyLineBoxes(); }
+
 #ifndef NDEBUG
     virtual void showBox(int = 0) const;
     virtual const char* boxName() const;

Source/WebCore/rendering/svg/SVGInlineTextBox.cpp

@@ -58,14 +58,24 @@ SVGInlineTextBox::SVGInlineTextBox(RenderSVGInlineText& renderer)
 {
 }
 
-void SVGInlineTextBox::dirtyLineBoxes()
+void SVGInlineTextBox::dirtyOwnLineBoxes()
 {
     InlineTextBox::dirtyLineBoxes();
 
     // Clear the now stale text fragments
     clearTextFragments();
 }
 
+void SVGInlineTextBox::dirtyLineBoxes()
+{
+    dirtyOwnLineBoxes();
+
+    // And clear any following text fragments as the text on which they
+    // depend may now no longer exist, or glyph positions may be wrong
+    for (InlineTextBox* nextBox = nextTextBox(); nextBox; nextBox = nextBox->nextTextBox())
+        nextBox->dirtyOwnLineBoxes();
+}
+
 int SVGInlineTextBox::offsetForPosition(float, bool) const
 {
     // SVG doesn't use the standard offset <-> position selection system, as it's not suitable for SVGs complex needs.

Source/WebCore/rendering/svg/SVGInlineTextBox.h

@@ -58,7 +58,8 @@ class SVGInlineTextBox final : public InlineTextBox {
     Vector<SVGTextFragment>& textFragments() { return m_textFragments; }
     const Vector<SVGTextFragment>& textFragments() const { return m_textFragments; }
 
-    virtual void dirtyLineBoxes() override;
+    virtual void dirtyOwnLineBoxes() override final;
+    virtual void dirtyLineBoxes() override final;
 
     bool startsNewTextChunk() const { return m_startsNewTextChunk; }
     void setStartsNewTextChunk(bool newTextChunk) { m_startsNewTextChunk = newTextChunk; }

Source/WebCore/rendering/svg/SVGRootInlineBox.h

@@ -39,17 +39,17 @@ class SVGRootInlineBox final : public RootInlineBox {
 
     RenderSVGText& renderSVGText();
 
-    virtual float virtualLogicalHeight() const override { return m_logicalHeight; }
+    virtual float virtualLogicalHeight() const override final { return m_logicalHeight; }
     void setLogicalHeight(float height) { m_logicalHeight = height; }
 
-    virtual void paint(PaintInfo&, const LayoutPoint&, LayoutUnit lineTop, LayoutUnit lineBottom) override;
+    virtual void paint(PaintInfo&, const LayoutPoint&, LayoutUnit lineTop, LayoutUnit lineBottom) override final;
 
     void computePerCharacterLayoutInformation();
 
     InlineBox* closestLeafChildForPosition(const LayoutPoint&);
 
 private:
-    virtual bool isSVGRootInlineBox() const override { return true; }
+    virtual bool isSVGRootInlineBox() const override final { return true; }
     void reorderValueLists(Vector<SVGTextLayoutAttributes*>&);
     void layoutCharactersInTextBoxes(InlineFlowBox*, SVGTextLayoutEngine&);
     void layoutChildBoxes(InlineFlowBox*, FloatRect* = 0);