Title: [254458] trunk
Revision: 254458
Author: [email protected]
Date: 2020-01-13 15:06:30 -0800 (Mon, 13 Jan 2020)

Log Message

Fix computeFloatVisibleRectInContainer to handle non-SVG object parent
https://bugs.webkit.org/show_bug.cgi?id=205282

Source/WebCore:

<rdar://problem/57975185>

Patch by Sunny He <[email protected]> on 2020-01-13
Reviewed by Darin Adler.

Test: svg/dom/replaceChild-document-crash.html

* rendering/svg/SVGRenderSupport.cpp:
(WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer):

LayoutTests:

Patch by Sunny He <[email protected]> on 2020-01-13
Reviewed by Darin Adler.

* svg/dom/replaceChild-document-crash-expected.txt: Added.
* svg/dom/replaceChild-document-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (254457 => 254458)


--- trunk/LayoutTests/ChangeLog	2020-01-13 23:02:51 UTC (rev 254457)
+++ trunk/LayoutTests/ChangeLog	2020-01-13 23:06:30 UTC (rev 254458)
@@ -1,3 +1,13 @@
+2020-01-13  Sunny He  <[email protected]>
+
+        Fix computeFloatVisibleRectInContainer to handle non-SVG object parent
+        https://bugs.webkit.org/show_bug.cgi?id=205282
+
+        Reviewed by Darin Adler.
+
+        * svg/dom/replaceChild-document-crash-expected.txt: Added.
+        * svg/dom/replaceChild-document-crash.html: Added.
+
 2020-01-13  Eric Carlson  <[email protected]>
 
         Expose audio tracks for media files in the GPUProcess

Added: trunk/LayoutTests/svg/dom/replaceChild-document-crash-expected.txt (0 => 254458)


--- trunk/LayoutTests/svg/dom/replaceChild-document-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/dom/replaceChild-document-crash-expected.txt	2020-01-13 23:06:30 UTC (rev 254458)
@@ -0,0 +1,3 @@
+Confirm that svg element with document as parent is handled without crashing
+
+PASS

Added: trunk/LayoutTests/svg/dom/replaceChild-document-crash.html (0 => 254458)


--- trunk/LayoutTests/svg/dom/replaceChild-document-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/dom/replaceChild-document-crash.html	2020-01-13 23:06:30 UTC (rev 254458)
@@ -0,0 +1,28 @@
+<html>
+<body>
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText()
+        testRunner.waitUntilDone()
+    }
+
+    function run() {
+        var svgvar = document.getElementById('svgvar');
+        svgvar.style.setProperty("transform", "rotatez(0)");
+        document.replaceChild(svgvar, document.childNodes[0]);
+
+        setTimeout(function() { 
+            document.open();
+            document.write('<html><p>Confirm that svg element with document as parent is handled without crashing</p>PASS</html>');
+            document.close();
+
+            if (window.testRunner)
+                testRunner.notifyDone()
+        }, 0);
+    }
+</script>
+<svg _onload_="run()">
+    <text id="svgvar"></text>
+</svg>
+</body>
+</html>
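
Review bot: As shown here, the `<svg>` element carries `_onload_="run()"`, which is not an event handler attribute, so `run()` would never be called and the test would sit in `testRunner.waitUntilDone()` until it times out without ever reaching the `replaceChild` call. Confirm that the checked-in file reads `onload="run()"`. Separately, PASS is written unconditionally by `document.write`, so the test only detects a crash; that is fine for a crash regression test, but a one-line comment in the script saying so would help future readers.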

Modified: trunk/Source/WebCore/ChangeLog (254457 => 254458)


--- trunk/Source/WebCore/ChangeLog	2020-01-13 23:02:51 UTC (rev 254457)
+++ trunk/Source/WebCore/ChangeLog	2020-01-13 23:06:30 UTC (rev 254458)
@@ -1,3 +1,16 @@
+2020-01-13  Sunny He  <[email protected]>
+
+        Fix computeFloatVisibleRectInContainer to handle non-SVG object parent
+        https://bugs.webkit.org/show_bug.cgi?id=205282
+        <rdar://problem/57975185>
+
+        Reviewed by Darin Adler.
+
+        Test: svg/dom/replaceChild-document-crash.html
+
+        * rendering/svg/SVGRenderSupport.cpp:
+        (WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer):
+
 2020-01-13  Eric Carlson  <[email protected]>
 
         Expose audio tracks for media files in the GPUProcess
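
Review bot: The entry for `(WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer):` has no explanatory text after the colon. Add a sentence saying that the function now returns an empty rect when the parent renderer's element is not an SVGElement, and that this covers the case exercised by the new test, where the SVG element ends up with the document as its parent.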

Modified: trunk/Source/WebCore/rendering/svg/SVGRenderSupport.cpp (254457 => 254458)


--- trunk/Source/WebCore/rendering/svg/SVGRenderSupport.cpp	2020-01-13 23:02:51 UTC (rev 254457)
+++ trunk/Source/WebCore/rendering/svg/SVGRenderSupport.cpp	2020-01-13 23:06:30 UTC (rev 254458)
@@ -64,6 +64,12 @@
 
 Optional<FloatRect> SVGRenderSupport::computeFloatVisibleRectInContainer(const RenderElement& renderer, const FloatRect& rect, const RenderLayerModelObject* container, RenderObject::VisibleRectContext context)
 {
+    // Ensure our parent is an SVG object.
+    ASSERT(renderer.parent());
+    auto& parent = *renderer.parent();
+    if (!is<SVGElement>(parent.element()))
+        return FloatRect();
+
     FloatRect adjustedRect = rect;
     const SVGRenderStyle& svgStyle = renderer.style().svgStyle();
     if (const ShadowData* shadow = svgStyle.shadow())
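
Review bot: `ASSERT(renderer.parent())` is a debug-only check, so in release builds `*renderer.parent()` on the following line still dereferences a null pointer if the renderer has no parent. Since this patch is hardening the function against unexpected tree shapes, consider an explicit early return for a null parent rather than relying on the assertion. Also worth confirming that `return FloatRect();` is the intended result for the non-SVG parent case: the function returns `Optional<FloatRect>`, so callers will see an engaged empty rect rather than an empty optional, and the comment could say which of the two is meant.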
@@ -72,7 +78,8 @@
 
     // Translate to coords in our parent renderer, and then call computeFloatVisibleRectInContainer() on our parent.
     adjustedRect = renderer.localToParentTransform().mapRect(adjustedRect);
-    return renderer.parent()->computeFloatVisibleRectInContainer(adjustedRect, container, context);
+
+    return parent.computeFloatVisibleRectInContainer(adjustedRect, container, context);
 }
 
 const RenderElement& SVGRenderSupport::localToParentTransform(const RenderElement& renderer, AffineTransform &transform)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
