Title: [233366] trunk
- Revision
- 233366
- Author
- s...@apple.com
- Date
- 2018-06-29 12:24:45 -0700 (Fri, 29 Jun 2018)
Log Message
Infinite loop if a <use> element references its ancestor and the DOMNodeInserted event handler of one of its ancestor's descendants updates the document style
https://bugs.webkit.org/show_bug.cgi?id=186925
Reviewed by Antti Koivisto.
Source/WebCore:
This patch fixes two issues:
-- SVGTRefTargetEventListener should not assume it has to be attached to
the target when its handleEvent() is called.
Because SVGTRefTargetEventListener::handleEvent() references the target
element, we just return if the listener is detached.
-- The <use> element should not clone its shadow tree if it references one
of its ancestors. The DOMNodeInserted of any node in the target element
tree may issue a document command. This document command will cause the
shadow tree to be re-cloned so this will cause an infinite loop to happen.
Test: svg/dom/svg-use-infinite-loop-cloning.html
* svg/SVGTRefElement.cpp:
(WebCore::SVGTRefTargetEventListener::handleEvent):
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::updateShadowTree):
LayoutTests:
* svg/dom/svg-use-infinite-loop-cloning-expected.txt: Added.
* svg/dom/svg-use-infinite-loop-cloning.html: Added.
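To make the loop described in the ChangeLog concrete, here is an added toy model in JavaScript. It is not WebKit code and not the layout test; it only mimics the shape of the scenario. It assumes a single <use> in the document, that a style update rebuilds the shadow tree of every <use>, and that a DOMNodeInserted fired for content cloned into a <use> bubbles through the use's ancestors (how WebKit propagates events out of user-agent shadow roots is not shown on this page). ToyNode, ToyUseElement, ToyDocument and runScenario are constructed names; the `guardAncestorTarget` flag switches the r233366 check on and off.

```javascript
// Added example, not WebKit code: a toy DOM modelling the re-entrant re-cloning
// loop from the commit message and the isDescendantOf(target) check that stops it.

class ToyNode {
  constructor(id, parent = null) {
    this.id = id;
    this.parent = parent;
    this.children = [];
    this.insertedListeners = []; // DOMNodeInserted handlers on this node
    if (parent) parent.children.push(this);
  }

  // Same contract as WebCore's Node::isDescendantOf: walk up the parent chain.
  isDescendantOf(other) {
    for (let n = this.parent; n; n = n.parent)
      if (n === other) return true;
    return false;
  }
}

class ToyUseElement extends ToyNode {
  constructor(id, parent, target) {
    super(id, parent);
    this.target = target;     // element this <use> references
    this.shadowChildren = []; // ids cloned into its shadow tree
  }
}

class ToyDocument {
  constructor({ guardAncestorTarget, maxClones }) {
    this.guardAncestorTarget = guardAncestorTarget; // false = behaviour before the fix
    this.maxClones = maxClones;                     // cap so the loop fails loudly
    this.cloneCount = 0;
    this.styleUpdates = 0;
    this.useElements = [];
  }

  // DOMNodeInserted bubbles, so every ancestor of the insertion point hears it.
  // Toy assumption: content cloned into a <use> counts as inserted beneath the use.
  dispatchNodeInserted(insertionPoint) {
    for (let n = insertionPoint; n; n = n.parent)
      for (const listener of n.insertedListeners) listener();
  }

  // A document command (execCommand in the test) ends in a style update, which
  // in this toy rebuilds the shadow tree of every <use> in the document.
  updateStyle() {
    this.styleUpdates++;
    for (const use of this.useElements) this.updateShadowTree(use);
  }

  updateShadowTree(use) {
    const target = use.target;
    if (!target) return;
    // The r233366 check: never clone a target that contains the <use> itself.
    if (this.guardAncestorTarget && use.isDescendantOf(target)) return;
    use.shadowChildren = [];
    this.cloneInto(use, target);
  }

  // Clone `node` and its subtree into `use`, firing a synchronous
  // DOMNodeInserted for each clone as real cloning does.
  cloneInto(use, node) {
    if (++this.cloneCount > this.maxClones)
      throw new RangeError("runaway re-cloning: more than " + this.maxClones + " clones");
    use.shadowChildren.push(node.id);
    this.dispatchNodeInserted(use);
    for (const child of node.children)
      if (child !== use) this.cloneInto(use, child); // a <use> never clones itself
  }
}

// Shape of the layout test: a <use> inside a <switch> referencing either that
// <switch> (its ancestor) or a sibling subtree, plus a DOMNodeInserted handler
// inside the referenced subtree that issues a document command.
function runScenario({ targetIsAncestor, guardAncestorTarget }) {
  const doc = new ToyDocument({ guardAncestorTarget, maxClones: 200 });
  const svg = new ToyNode("svg");
  const switchEl = new ToyNode("switch", svg);
  const sibling = new ToyNode("sibling", svg);
  new ToyNode("tspan", sibling);
  const target = targetIsAncestor ? switchEl : sibling;
  const use = new ToyUseElement("use", switchEl, target);
  doc.useElements.push(use);
  target.insertedListeners.push(() => doc.updateStyle()); // like onNodeInsertedTspan()

  try {
    doc.updateStyle(); // the initial document command
    return { ok: true, shadow: use.shadowChildren.slice(),
             cloneCount: doc.cloneCount, styleUpdates: doc.styleUpdates };
  } catch (e) {
    return { ok: false, error: e.message,
             cloneCount: doc.cloneCount, styleUpdates: doc.styleUpdates };
  }
}

for (const targetIsAncestor of [false, true])
  for (const guardAncestorTarget of [false, true])
    console.log({ targetIsAncestor, guardAncestorTarget, ...runScenario({ targetIsAncestor, guardAncestorTarget }) });
```

With a sibling target the clone completes after two insertions, because the handler sits on a node that is not on the bubbling path of anything inserted under the <use>. With an ancestor target every clone insertion bubbles to the handler, the handler issues a document command, the style update re-enters updateShadowTree, and the cycle repeats until the cap trips; with the check enabled, updateShadowTree returns before the first clone and the document stays quiet.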
Diff
Modified: trunk/LayoutTests/ChangeLog (233365 => 233366)
--- trunk/LayoutTests/ChangeLog 2018-06-29 18:54:41 UTC (rev 233365)
+++ trunk/LayoutTests/ChangeLog 2018-06-29 19:24:45 UTC (rev 233366)
@@ -1,3 +1,13 @@
+2018-06-25 Said Abou-Hallawa <sabouhall...@apple.com>
+
+ Infinite loop if a <use> element references its ancestor and the DOMNodeInserted event handler of one its ancestor's descents updates the document style
+ https://bugs.webkit.org/show_bug.cgi?id=186925
+
+ Reviewed by Antti Koivisto.
+
+ * svg/dom/svg-use-infinite-loop-cloning-expected.txt: Added.
+ * svg/dom/svg-use-infinite-loop-cloning.html: Added.
+
2018-06-29 Manuel Rego Casasnovas <r...@igalia.com>
[WPE] Three CSS Grid Layout tests crash due to valueless std::optional access
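Review bot: the new entry is dated 2018-06-25 while the revision header and the hunk timestamps show it landing on 2018-06-29; ChangeLog dates normally match the landing date, so update it here and in the Source/WebCore entry. The title line also carries two typos that are duplicated across both ChangeLogs: "one its ancestor's descents" should read "one of its ancestor's descendants".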
Added: trunk/LayoutTests/svg/dom/svg-use-infinite-loop-cloning-expected.txt (0 => 233366)
--- trunk/LayoutTests/svg/dom/svg-use-infinite-loop-cloning-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/dom/svg-use-infinite-loop-cloning-expected.txt 2018-06-29 19:24:45 UTC (rev 233366)
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+
Added: trunk/LayoutTests/svg/dom/svg-use-infinite-loop-cloning.html (0 => 233366)
--- trunk/LayoutTests/svg/dom/svg-use-infinite-loop-cloning.html (rev 0)
+++ trunk/LayoutTests/svg/dom/svg-use-infinite-loop-cloning.html 2018-06-29 19:24:45 UTC (rev 233366)
@@ -0,0 +1,36 @@
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ function gc() {
+ if (window.GCController)
+ return GCController.collect();
+
+ // Force garbage collection.
+ for(var i=0;i<100;i++)
+ a = new Uint8Array(1024*1024);
+ }
+
+ function onNodeInsertedTspan() {
+ switchElement.setAttribute("y", "0 1 100");
+ document.execCommand("justifyCenter", false);
+ gc();
+ }
+
+ function onLoadUseElement() {
+ tspanElement.addEventListener("DOMNodeInserted", onNodeInsertedTspan);
+ document.execCommand("hiliteColor", false, "red");
+ }
+</script>
+<body>
+ <p>This test passes if it doesn't crash.</p>
+ <svg id="svgElement">
+ <switch id="switchElement">
+ <tref id="terfElement_1" xlink:href="" />
+ <tref id="terfElement_2">
+ <tspan id="tspanElement" />
+ </tref>
+ <use id="useElement_1" xlink:href="" _onload_="onLoadUseElement()" />
+ </switch>
+ </svg>
+</body>
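Review bot: the <use> element's handler attribute reads `_onload_="onLoadUseElement()"` rather than `onload`; if that is the checked-in spelling rather than mailing-list munging of the attribute name, onLoadUseElement() never runs, no DOMNodeInserted listener is registered, and the test passes trivially without exercising the loop, so verify the repository copy. Minor: the gc() fallback loop assigns to an undeclared global `a`; declare it (`var a;`) so the test stays clean in strict contexts, and the `terfElement_1`/`terfElement_2` ids look like a typo for `trefElement_*`.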
Modified: trunk/Source/WebCore/ChangeLog (233365 => 233366)
--- trunk/Source/WebCore/ChangeLog 2018-06-29 18:54:41 UTC (rev 233365)
+++ trunk/Source/WebCore/ChangeLog 2018-06-29 19:24:45 UTC (rev 233366)
@@ -1,3 +1,28 @@
+2018-06-25 Said Abou-Hallawa <sabouhall...@apple.com>
+
+ Infinite loop if a <use> element references its ancestor and the DOMNodeInserted event handler of one its ancestor's descents updates the document style
+ https://bugs.webkit.org/show_bug.cgi?id=186925
+
+ Reviewed by Antti Koivisto.
+
+ This patches fixes two issues:
+ -- SVGTRefTargetEventListener should not assume it has to be attached to
+ target when its handleEvent() is called.
+ Because SVGTRefTargetEventListener::handleEvent() references the target
+ element, we just return if the listener is detached.
+
+ -- The <use> element should not clone its shadow tree if it references one
+ of its ancestors. The DOMNodeInserted of any node in the target element
+ tree may issue a document command. This document command will cause the
+ shadow tree to be re-cloned so this will cause infinite loop to happen.
+
+ Test: svg/dom/svg-use-infinite-loop-cloning.html
+
+ * svg/SVGTRefElement.cpp:
+ (WebCore::SVGTRefTargetEventListener::handleEvent):
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::updateShadowTree):
+
2018-06-29 Manuel Rego Casasnovas <r...@igalia.com>
[WPE] Three CSS Grid Layout tests crash due to valueless std::optional access
Modified: trunk/Source/WebCore/svg/SVGTRefElement.cpp (233365 => 233366)
--- trunk/Source/WebCore/svg/SVGTRefElement.cpp 2018-06-29 18:54:41 UTC (rev 233365)
+++ trunk/Source/WebCore/svg/SVGTRefElement.cpp 2018-06-29 19:24:45 UTC (rev 233366)
@@ -120,7 +120,8 @@
void SVGTRefTargetEventListener::handleEvent(ScriptExecutionContext&, Event& event)
{
- ASSERT(isAttached());
+ if (!isAttached())
+ return;
if (event.type() == eventNames().DOMSubtreeModifiedEvent && &m_trefElement != event.target())
m_trefElement.updateReferencedText(m_target.get());
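Review bot: turning `ASSERT(isAttached())` into an early return converts a debug-only invariant into a runtime condition without recording why it can be violated. Add a one-line comment above the `if (!isAttached())` check naming the case (the listener being detached while an event for it is still being delivered, per the ChangeLog), so a later reader does not reintroduce the assertion.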
Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (233365 => 233366)
--- trunk/Source/WebCore/svg/SVGUseElement.cpp 2018-06-29 18:54:41 UTC (rev 233365)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp 2018-06-29 19:24:45 UTC (rev 233366)
@@ -260,6 +260,9 @@
return;
}
+ if (isDescendantOf(target))
+ return;
+
{
auto& shadowRoot = ensureUserAgentShadowRoot();
cloneTarget(shadowRoot, *target);
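Review bot: `if (isDescendantOf(target)) return;` carries no explanation; sitting next to `cloneTarget(shadowRoot, *target)` it reads like a generic cycle check, while the ChangeLog says its purpose is to avoid DOMNodeInserted re-entrancy when the referenced element is an ancestor of the <use>. Add a comment stating that and pointing at the bug number, and confirm that returning before `ensureUserAgentShadowRoot()` leaves no stale clones from a previous target in the shadow root (what the shadow root contains at this point is not visible in the hunk).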