Title: [239402] trunk/Source/WebCore
Revision: 239402
Author: [email protected]
Date: 2018-12-19 15:51:03 -0800 (Wed, 19 Dec 2018)

Log Message

SVGUseElement::findTarget should return nullptr when there is a cycle
https://bugs.webkit.org/show_bug.cgi?id=192840

Reviewed by Tim Horton.

r233366 added an early return to updateShadowTree() when there is a cycle between a use element and its target.
Consolidate this cycle detection code with the one in SVGUseElement::findTarget which detected cycles when
the SVG use element itself had a corresponding element.

No new tests since there should be no behavioral change.

* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::updateShadowTree):
(WebCore::SVGUseElement::findTarget const):

Diff

Modified: trunk/Source/WebCore/ChangeLog (239401 => 239402)


--- trunk/Source/WebCore/ChangeLog	2018-12-19 23:44:48 UTC (rev 239401)
+++ trunk/Source/WebCore/ChangeLog	2018-12-19 23:51:03 UTC (rev 239402)
@@ -1,3 +1,20 @@
+2018-12-18  Ryosuke Niwa  <[email protected]>
+
+        SVGUseElement::findTarget should return nullptr when there is a cycle
+        https://bugs.webkit.org/show_bug.cgi?id=192840
+
+        Reviewed by Tim Horton.
+
+        r233366 added an early return to updateShadowTree() when there is a cycle between an use element and its target.
+        Consolidate this cycle detection code with the one in SVGUseElement::findTarget which detected cycles when
+        the SVG use element itself had a corresponding element.
+
+        No new tests since there should be no behavioral change.
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::updateShadowTree):
+        (WebCore::SVGUseElement::findTarget const):
+
 2018-12-19  Myles C. Maxfield  <[email protected]>
 
         [WHLSL] Add a handwritten lexer
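
Review bot: The "No new tests since there should be no behavioral change" line in this entry does not mention that the SVGUseElement.cpp part of this revision replaces a silent early return in updateShadowTree() with RELEASE_ASSERT, so any cycle that findTarget fails to reject now terminates the process instead of being skipped. The entry should say so under the updateShadowTree line, and it should either point to the existing test from r233366 that exercises the cycle case or explain why that coverage is enough for the new else branch in findTarget.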

Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (239401 => 239402)


--- trunk/Source/WebCore/svg/SVGUseElement.cpp	2018-12-19 23:44:48 UTC (rev 239401)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp	2018-12-19 23:51:03 UTC (rev 239402)
@@ -244,9 +244,7 @@
         return;
     }
 
-    if (isDescendantOf(target))
-        return;
-    
+    RELEASE_ASSERT(!isDescendantOf(target));
     {
         auto& shadowRoot = ensureUserAgentShadowRoot();
         cloneTarget(shadowRoot, *target);
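
Review bot: The RELEASE_ASSERT(!isDescendantOf(target)) that replaces the early return carries no comment naming the invariant it depends on. Per the log message the cycle is now expected to be rejected in SVGUseElement::findTarget, but nothing at this site says so, and a later change to findTarget that reopens a cycle would surface here as a crash with no pointer back to the cause. Suggest a one-line comment above the assertion stating that findTarget returns nullptr for any target containing this element, and that cloneTarget must never run on an ancestor. Style point: the removed lines ended with a blank line before the opening brace; keeping one after the assertion would preserve the separation from the scoped block.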
@@ -423,13 +421,16 @@
     if (!target.isConnected() || isDisallowedElement(target))
         return nullptr;
 
-    // Reject any target that has already been cloned to create one of the ancestors of this element,
-    // already in the shadow tree. This is sufficient to prevent cycles.
     if (correspondingElement) {
         for (auto& ancestor : lineageOfType<SVGElement>(*this)) {
             if (ancestor.correspondingElement() == &target)
                 return nullptr;
         }
+    } else {
+        if (target.contains(this))
+            return nullptr;
+        // Target should only refer to a node in the same tree or a node in another document.
+        ASSERT(!isDescendantOrShadowDescendantOf(&target));
     }
 
     return &target;
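
Review bot: The two comment lines removed at the top of this hunk were the only explanation of why the correspondingElement loop is sufficient to prevent cycles, and the if branch is now undocumented while the new else branch has a comment. Suggest moving the old comment inside the if branch rather than deleting it. Two smaller points on the else branch: it could be written as else if (target.contains(this)) followed by the ASSERT to avoid the extra nesting, and if contains() also returns true when the target is this element itself, the branch rejects a case the removed isDescendantOf(target) check in updateShadowTree did not cover, which is worth confirming against the "no behavioral change" statement. The ASSERT here is debug-only while the matching check in updateShadowTree is a RELEASE_ASSERT; a short note on why the weaker form is acceptable at this site would help.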