[webkit-changes] [244276] trunk

Mon, 15 Apr 2019 11:55:40 -0700

Title: [244276] trunk
Revision
244276
Author
s...@apple.com
Date
2019-04-15 11:54:21 -0700 (Mon, 15 Apr 2019)

Log Message

ASSERT fires when removing a disallowed clone from the shadow tree without reseting its corresponding element
https://bugs.webkit.org/show_bug.cgi?id=196895

Reviewed by Darin Adler.

Source/WebCore:

When cloning elements to the shadow tree of an SVGUseElement, the
corresponding element links are set from the clones to the originals.
Later some of the elements may be disallowed to exist in the shadow tree.
For example the SVGPatternElement is disallowed and has to be removed
even after cloning. The problem is the corresponding elements are not
reset to null. Usually this is not a problem because the removed elements
will be deleted and the destructor of SVGElement will reset the corresponding
element links. However in some cases, the cloned element is referenced
from another SVGElement, for example the target of a SVGTRefElement. In
this case the clone won't be deleted but it will be linked to the original
and the event listeners won't be copied from the original. When the
original is deleted, its event listeners have to be removed. The event
listeners of the clones also ave to be removed. But because the event
listeners of the original were not copied when cloning, the assertion in
SVGElement::removeEventListener() fires.

Test: svg/custom/use-disallowed-element-clear-corresponding-element.html

* svg/SVGUseElement.cpp:
(WebCore::disassociateAndRemoveClones):

LayoutTests:

* svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt: Added.
* svg/custom/use-disallowed-element-clear-corresponding-element.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (244275 => 244276)


--- trunk/LayoutTests/ChangeLog	2019-04-15 18:47:38 UTC (rev 244275)
+++ trunk/LayoutTests/ChangeLog	2019-04-15 18:54:21 UTC (rev 244276)
@@ -1,3 +1,13 @@
+2019-04-15  Said Abou-Hallawa  <s...@apple.com>
+
+        ASSERT fires when removing a disallowed clone from the shadow tree without reseting its corresponding element
+        https://bugs.webkit.org/show_bug.cgi?id=196895
+
+        Reviewed by Darin Adler.
+
+        * svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt: Added.
+        * svg/custom/use-disallowed-element-clear-corresponding-element.html: Added.
+
 2019-04-15  Devin Rousso  <drou...@apple.com>
 
         Web Inspector: DOMDebugger: "Attribute Modified" breakpoints pause after the modification occurs for the style attribute

Added: trunk/LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt (0 => 244276)


--- trunk/LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt	2019-04-15 18:54:21 UTC (rev 244276)
@@ -0,0 +1,3 @@
+Test passes if it does not assert in debug builds.
+
+

Added: trunk/LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element.html (0 => 244276)


--- trunk/LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element.html	2019-04-15 18:54:21 UTC (rev 244276)
@@ -0,0 +1,25 @@
+<body>
+    <p>Test passes if it does not assert in debug builds.</p>
+    <svg id="svg">
+        <pattern id="svg-pattern-1">
+            <use id="svg-use" href=""
+        </pattern>
+        <pattern id="svg-pattern-2" href=""
+        </pattern>
+    </svg>
+    <shadow id="shadow">
+        <svg>
+            <tref href=""
+            <use href=""
+        </svg>
+    </shadow>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText();
+        window.addEventListener('load', function() {
+            var svgPattern2 = document.getElementById("svg-pattern-2");
+            var shadow = document.getElementById("shadow");
+            svgPattern2.after(shadow);
+        }, false);
+    </script>
+</body>

Modified: trunk/Source/WebCore/ChangeLog (244275 => 244276)


--- trunk/Source/WebCore/ChangeLog	2019-04-15 18:47:38 UTC (rev 244275)
+++ trunk/Source/WebCore/ChangeLog	2019-04-15 18:54:21 UTC (rev 244276)
@@ -1,3 +1,31 @@
+2019-04-15  Said Abou-Hallawa  <s...@apple.com>
+
+        ASSERT fires when removing a disallowed clone from the shadow tree without reseting its corresponding element
+        https://bugs.webkit.org/show_bug.cgi?id=196895
+
+        Reviewed by Darin Adler.
+
+        When cloning elements to the shadow tree of an SVGUseElement, the
+        corresponding element links are set from the clones to the originals.
+        Later some of the elements may be disallowed to exist in the shadow tree.
+        For example the SVGPatternElement is disallowed and has to be removed 
+        even after cloning. The problem is the corresponding elements are not
+        reset to null. Usually this is not a problem because the removed elements
+        will be deleted and the destructor of SVGElement will reset the corresponding
+        element links. However in some cases, the cloned element is referenced
+        from another SVGElement, for example the target of a SVGTRefElement. In
+        this case the clone won't be deleted but it will be linked to the original
+        and the event listeners won't be copied from the original. When the
+        original is deleted, its event listeners have to be removed. The event
+        listeners of the clones also ave to be removed. But because the event
+        listeners of the original were not copied when cloning, the assertion in
+        SVGElement::removeEventListener() fires.
+
+        Test: svg/custom/use-disallowed-element-clear-corresponding-element.html
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::disassociateAndRemoveClones):
+
 2019-04-15  Devin Rousso  <drou...@apple.com>
 
         Web Inspector: DOMDebugger: "Attribute Modified" breakpoints pause after the modification occurs for the style attribute

Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (244275 => 244276)


--- trunk/Source/WebCore/svg/SVGUseElement.cpp	2019-04-15 18:47:38 UTC (rev 244275)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp	2019-04-15 18:54:21 UTC (rev 244276)
@@ -321,6 +321,8 @@
     for (auto& clone : clones) {
         for (auto& descendant : descendantsOfType<SVGElement>(*clone))
             descendant.setCorrespondingElement(nullptr);
+        if (is<SVGElement>(clone))
+            downcast<SVGElement>(*clone).setCorrespondingElement(nullptr);
         clone->parentNode()->removeChild(*clone);
     }
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to