Skip to site navigation (Press enter)

[webkit-changes] [225808] trunk

mmaxfield Tue, 12 Dec 2017 14:51:42 -0800

Title: [225808] trunk

Revision: 225808
Author: [email protected]
Date: 2017-12-12 14:51:02 -0800 (Tue, 12 Dec 2017)

Log Message

REGRESSION (Safari 11): custom <font-face> tag crashes a page
https://bugs.webkit.org/show_bug.cgi?id=177848


Reviewed by Darin Adler.

Source/WebCore:

We currently use the CSS property parsers to parse SVG's <font-face> element attributes. Instead,
we should be using the CSS descriptor parsers to parse these attributes. However, this is a
fairly involved task, so until I can finish that, this patch fixes the crash. The crash is simple;
the descriptors shouldn't accept the universal keywords ("initial", "inherit", etc.) and our
font-face machinery assumes this. So the fix is just detect these keywords and explicitly disallow
them.

Test: svg/text/font-style-keyword.html

* svg/SVGFontFaceElement.cpp:
(WebCore::SVGFontFaceElement::parseAttribute):

LayoutTests:

* svg/text/font-style-keyword-expected.txt: Added.
* svg/text/font-style-keyword.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/css/CSSValue.h
trunk/Source/WebCore/svg/SVGFontFaceElement.cpp

Added Paths

trunk/LayoutTests/svg/text/font-style-keyword-expected.txt
trunk/LayoutTests/svg/text/font-style-keyword.html

Diff

Modified: trunk/LayoutTests/ChangeLog (225807 => 225808)


--- trunk/LayoutTests/ChangeLog	2017-12-12 22:24:37 UTC (rev 225807)
+++ trunk/LayoutTests/ChangeLog	2017-12-12 22:51:02 UTC (rev 225808)
@@ -1,3 +1,13 @@
+2017-12-12  Myles C. Maxfield  <[email protected]>
+
+        REGRESSION (Safari 11): custom <font-face> tag crashes a page
+        https://bugs.webkit.org/show_bug.cgi?id=177848
+
+        Reviewed by Darin Adler.
+
+        * svg/text/font-style-keyword-expected.txt: Added.
+        * svg/text/font-style-keyword.html: Added.
+
 2017-12-12  Antoine Quint  <[email protected]>
 
         [Web Animations] Implement the playState property on Animation

Added: trunk/LayoutTests/svg/text/font-style-keyword-expected.txt (0 => 225808)


--- trunk/LayoutTests/svg/text/font-style-keyword-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/text/font-style-keyword-expected.txt	2017-12-12 22:51:02 UTC (rev 225808)
@@ -0,0 +1 @@
+
Property changes on: trunk/LayoutTests/svg/text/font-style-keyword-expected.txt
___________________________________________________________________

Added: svn:eol-style

+native \ No newline at end of property

Added: svn:keywords

+Author Date Id Rev URL \ No newline at end of property

Added: trunk/LayoutTests/svg/text/font-style-keyword.html (0 => 225808)


--- trunk/LayoutTests/svg/text/font-style-keyword.html	                        (rev 0)
+++ trunk/LayoutTests/svg/text/font-style-keyword.html	2017-12-12 22:51:02 UTC (rev 225808)
@@ -0,0 +1,34 @@
+<html>
+<head>
+</head>
+<body>
+<!-- This test makes sure there is no crash when specifying "font-style=initial" on a <font-face> element. The test passes if there is no crash. -->
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+  <svg>
+    <font-face font-style="initial" font-family="any">
+      <font-face-src>
+        <font-face-name name="any"></font-face-name>
+      </font-face-src>
+    </font-face>
+    <font-face font-style="inherit" font-family="any">
+      <font-face-src>
+        <font-face-name name="any"></font-face-name>
+      </font-face-src>
+    </font-face>
+    <font-face font-style="unset" font-family="any">
+      <font-face-src>
+        <font-face-name name="any"></font-face-name>
+      </font-face-src>
+    </font-face>
+    <font-face font-style="revert" font-family="any">
+      <font-face-src>
+        <font-face-name name="any"></font-face-name>
+      </font-face-src>
+    </font-face>
+  </svg>
+</body>
+
+</html>

Modified: trunk/Source/WebCore/ChangeLog (225807 => 225808)


--- trunk/Source/WebCore/ChangeLog	2017-12-12 22:24:37 UTC (rev 225807)
+++ trunk/Source/WebCore/ChangeLog	2017-12-12 22:51:02 UTC (rev 225808)
@@ -1,3 +1,22 @@
+2017-12-12  Myles C. Maxfield  <[email protected]>
+
+        REGRESSION (Safari 11): custom <font-face> tag crashes a page
+        https://bugs.webkit.org/show_bug.cgi?id=177848
+
+        Reviewed by Darin Adler.
+
+        We currently use the CSS property parsers to parse SVG's <font-face> element attributes. Instead,
+        we should be using the CSS descriptor parsers to parse these attributes. However, this is a
+        fairly involved task, so until I can finish that, this patch fixes the crash. The crash is simple;
+        the descriptors shouldn't accept the universal keywords ("initial", "inherit", etc.) and our
+        font-face machinery assumes this. So the fix is just detect these keywords and explicitly disallow
+        them.
+
+        Test: svg/text/font-style-keyword.html
+
+        * svg/SVGFontFaceElement.cpp:
+        (WebCore::SVGFontFaceElement::parseAttribute):
+
 2017-12-12  Antoine Quint  <[email protected]>
 
         [Web Animations] Implement the playState property on Animation

Modified: trunk/Source/WebCore/css/CSSValue.h (225807 => 225808)


--- trunk/Source/WebCore/css/CSSValue.h	2017-12-12 22:24:37 UTC (rev 225807)
+++ trunk/Source/WebCore/css/CSSValue.h	2017-12-12 22:51:02 UTC (rev 225808)
@@ -91,6 +91,7 @@
     bool isInitialValue() const { return m_classType == InitialClass; }
     bool isUnsetValue() const { return m_classType == UnsetClass; }
     bool isRevertValue() const { return m_classType == RevertClass; }
+    bool isGlobalKeyword() const { return isInheritedValue() || isInitialValue() || isUnsetValue() || isRevertValue(); }
     bool treatAsInitialValue(CSSPropertyID) const;
     bool treatAsInheritedValue(CSSPropertyID) const;
     bool isLinearGradientValue() const { return m_classType == LinearGradientClass; }

Modified: trunk/Source/WebCore/svg/SVGFontFaceElement.cpp (225807 => 225808)


--- trunk/Source/WebCore/svg/SVGFontFaceElement.cpp	2017-12-12 22:24:37 UTC (rev 225807)
+++ trunk/Source/WebCore/svg/SVGFontFaceElement.cpp	2017-12-12 22:51:02 UTC (rev 225808)
@@ -63,10 +63,22 @@
 
 void SVGFontFaceElement::parseAttribute(const QualifiedName& name, const AtomicString& value)
 {    
-    CSSPropertyID propId = cssPropertyIdForSVGAttributeName(name);
-    if (propId > 0) {
+    CSSPropertyID propertyId = cssPropertyIdForSVGAttributeName(name);
+    if (propertyId > 0) {
         // FIXME: Parse using the @font-face descriptor grammars, not the property grammars.
-        m_fontFaceRule->mutableProperties().setProperty(propId, value, false);
+        auto& properties = m_fontFaceRule->mutableProperties();
+        bool valueChanged = properties.setProperty(propertyId, value);
+
+        if (valueChanged) {
+            // The above parser is designed for the font-face properties, not descriptors, and the properties accept the global keywords, but descriptors don't.
+            // Rather than invasively modifying the parser for the properties to have a special mode, we can simply detect the error condition after-the-fact and
+            // avoid it explicitly.
+            if (auto parsedValue = properties.getPropertyCSSValue(propertyId)) {
+                if (parsedValue->isGlobalKeyword())
+                    properties.removeProperty(propertyId);
+            }
+        }
+
         rebuildFontFace();
         return;
     }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes