Title: [257979] releases/WebKitGTK/webkit-2.28
- Revision: 257979
- Author: [email protected]
- Date: 2020-03-06 06:27:51 -0800 (Fri, 06 Mar 2020)
Log Message
Merge r257616 - Hit test with clipPath referencing parent element causes infinite recursion
https://bugs.webkit.org/show_bug.cgi?id=208279
Patch by Doug Kelly <[email protected]> on 2020-02-27
Reviewed by Ryosuke Niwa.
Source/WebCore:
Add an early return for SVG hit tests which have a child element referencing a parent clipPath.
This change breaks the cycle, although it unfortunately runs on every hit test, for each node which
is a child of the clipPath element.
Test: svg/hittest/svg-clip-path-child-element.html
* rendering/svg/RenderSVGResourceClipper.cpp:
(WebCore::RenderSVGResourceClipper::hitTestClipContent):
LayoutTests:
* svg/hittest/svg-clip-path-child-element-expected.txt: Added.
* svg/hittest/svg-clip-path-child-element.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog (257978 => 257979)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog 2020-03-06 14:22:08 UTC (rev 257978)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/ChangeLog 2020-03-06 14:27:51 UTC (rev 257979)
@@ -1,3 +1,13 @@
+2020-02-27 Doug Kelly <[email protected]>
+
+ Hit test with clipPath referencing parent element causes infinite recursion
+ https://bugs.webkit.org/show_bug.cgi?id=208279
+
+ Reviewed by Ryosuke Niwa.
+
+ * svg/hittest/svg-clip-path-child-element-expected.txt: Added.
+ * svg/hittest/svg-clip-path-child-element.html: Added.
+
2020-02-26 Jack Lee <[email protected]>
Nullptr crash in WebCore::canHaveChildrenForEditing via CompositeEditCommand::insertNode
Added: releases/WebKitGTK/webkit-2.28/LayoutTests/svg/hittest/svg-clip-path-child-element-expected.txt (0 => 257979)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/svg/hittest/svg-clip-path-child-element-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/svg/hittest/svg-clip-path-child-element-expected.txt 2020-03-06 14:27:51 UTC (rev 257979)
@@ -0,0 +1 @@
+Tests SVG hit test with a recursive clipPath. Test passes if WebKit does not crash. PASS
Added: releases/WebKitGTK/webkit-2.28/LayoutTests/svg/hittest/svg-clip-path-child-element.html (0 => 257979)
--- releases/WebKitGTK/webkit-2.28/LayoutTests/svg/hittest/svg-clip-path-child-element.html (rev 0)
+++ releases/WebKitGTK/webkit-2.28/LayoutTests/svg/hittest/svg-clip-path-child-element.html 2020-03-06 14:27:51 UTC (rev 257979)
@@ -0,0 +1,17 @@
+<style>
+.path { -webkit-clip-path: url(#clippath); }
+</style>
+<script>
+function loadevent() {
+ document.caretRangeFromPoint(37, 70);
+ if (window.testRunner) {
+ document.body.innerText = "Tests SVG hit test with a recursive clipPath. Test passes if WebKit does not crash. PASS";
+ testRunner.dumpAsText();
+ }
+}
+</script>
+<body _onload_=loadevent()>
+<svg contentScriptType="text/ecmascript">
+<path d="M16 8 L32 56" class="path" />
+<clipPath id="clippath" clipPathUnits="objectBoundingBox">
+<text clip-path="url(#clippath)" to="currentColor">Text</text>
\ No newline at end of file
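Review bot: The test added in svg-clip-path-child-element.html covers only the direct case, a `<text>` child whose `clip-path="url(#clippath)"` points at its own parent, and it probes a single point with `document.caretRangeFromPoint(37, 70)`. Consider adding a second case in which two clipPath elements reference each other through their children, so that an indirect cycle is exercised as well. The markup also leaves `<clipPath>`, `<svg>` and `<body>` unclosed and the file has no trailing newline; closing the elements would keep the test from depending on parser error recovery.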
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (257978 => 257979)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-03-06 14:22:08 UTC (rev 257978)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-03-06 14:27:51 UTC (rev 257979)
@@ -1,3 +1,19 @@
+2020-02-27 Doug Kelly <[email protected]>
+
+ Hit test with clipPath referencing parent element causes infinite recursion
+ https://bugs.webkit.org/show_bug.cgi?id=208279
+
+ Reviewed by Ryosuke Niwa.
+
+ Add an early return for SVG hit tests which have a child element referencing a parent clipPath.
+ This change breaks the cycle, although it unfortunately runs on every hit test, for each node which
+ is a child of the clipPath element.
+
+ Test: svg/hittest/svg-clip-path-child-element.html
+
+ * rendering/svg/RenderSVGResourceClipper.cpp:
+ (WebCore::RenderSVGResourceClipper::hitTestClipContent):
+
2020-02-15 Adrian Perez de Castro <[email protected]>
[GStreamer] Build failure with Clang/libc++ due to missing WallTime→float for std::isnan()
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp (257978 => 257979)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp 2020-03-06 14:22:08 UTC (rev 257978)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp 2020-03-06 14:27:51 UTC (rev 257979)
@@ -279,6 +279,16 @@
continue;
if (!renderer->isSVGShape() && !renderer->isSVGText() && !childNode->hasTagName(SVGNames::useTag))
continue;
+
+ const RenderStyle& style = renderer->style();
+ if (is<ReferenceClipPathOperation>(style.clipPath())) {
+ auto& clipPath = downcast<ReferenceClipPathOperation>(*style.clipPath());
+ AtomString id(clipPath.fragment());
+ RenderSVGResourceClipper* clipper = getRenderSVGResourceById<RenderSVGResourceClipper>(document(), id);
+ if (clipper == this)
+ continue;
+ }
+
IntPoint hitPoint;
HitTestResult result(hitPoint);
if (renderer->nodeAtFloatPoint(HitTestRequest(HitTestRequest::SVGClipContent | HitTestRequest::DisallowUserAgentShadowContent), result, point, HitTestForeground))
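Review bot: The new guard ahead of `IntPoint hitPoint;` only skips a child whose clip-path resolves to this same clipper (`if (clipper == this)`), so a cycle that passes through a second clipPath (a child here referencing another clipper whose child references this one) is not stopped by this check. Nothing in the visible lines handles that case; consider tracking the clippers that are already being hit tested, for example with a visited set or an in-progress flag on the clipper, and skipping any child that resolves to one of them, which would cover the direct case too. Separately, `getRenderSVGResourceById` runs for every qualifying child on every hit test, as the log message acknowledges, and a short comment above the block saying why the child is skipped would help later readers.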