Title: [274999] branches/safari-611.1.21.2-branch/Source/WebCore
- Revision: 274999
- Author: [email protected]
- Date: 2021-03-24 19:08:56 -0700 (Wed, 24 Mar 2021)
Log Message
Cherry-pick r273868. rdar://problem/75764823
Crash in removeSymbolElementsFromSubtree()
https://bugs.webkit.org/show_bug.cgi?id=222397
Patch by Julian Gonzalez <[email protected]> on 2021-03-03
Reviewed by Ryosuke Niwa.
Skip children in removeSymbolElementsFromSubtree(), so that
we don't see nodes that have been removed in disassociateAndRemoveClones.
Thanks to Darin Adler for the initial version of this patch
and Ryosuke Niwa for refinements.
* svg/SVGUseElement.cpp:
(WebCore::removeSymbolElementsFromSubtree):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@273868 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-611.1.21.2-branch/Source/WebCore/ChangeLog (274998 => 274999)
--- branches/safari-611.1.21.2-branch/Source/WebCore/ChangeLog 2021-03-25 02:07:33 UTC (rev 274998)
+++ branches/safari-611.1.21.2-branch/Source/WebCore/ChangeLog 2021-03-25 02:08:56 UTC (rev 274999)
@@ -1,3 +1,40 @@
+2021-03-24 Russell Epstein <[email protected]>
+
+ Cherry-pick r273868. rdar://problem/75764823
+
+ Crash in removeSymbolElementsFromSubtree()
+ https://bugs.webkit.org/show_bug.cgi?id=222397
+
+ Patch by Julian Gonzalez <[email protected]> on 2021-03-03
+ Reviewed by Ryosuke Niwa.
+
+ Skip children in removeSymbolElementsFromSubtree(), so that
+ we don't see nodes that have been removed in disassociateAndRemoveClones.
+
+ Thanks to Darin Adler for the initial version of this patch
+ and Ryosuke Niwa for refinements.
+
+ * svg/SVGUseElement.cpp:
+ (WebCore::removeSymbolElementsFromSubtree):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@273868 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-03-03 Julian Gonzalez <[email protected]>
+
+ Crash in removeSymbolElementsFromSubtree()
+ https://bugs.webkit.org/show_bug.cgi?id=222397
+
+ Reviewed by Ryosuke Niwa.
+
+ Skip children in removeSymbolElementsFromSubtree(), so that
+ we don't see nodes that have been removed in disassociateAndRemoveClones.
+
+ Thanks to Darin Adler for the initial version of this patch
+ and Ryosuke Niwa for refinements.
+
+ * svg/SVGUseElement.cpp:
+ (WebCore::removeSymbolElementsFromSubtree):
+
2021-03-22 Russell Epstein <[email protected]>
Cherry-pick r274846. rdar://problem/75706515
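Review bot: The new ChangeLog entry lists only svg/SVGUseElement.cpp and names no regression test for the crash, nor does it say why one is absent. For a crash fix in tree mutation code, please add the reproducing test to the entry (or an explicit line stating that no test could be produced), so the cherry-pick can be verified on this branch. The description would also be clearer if it stated which nodes are "removed in disassociateAndRemoveClones", for example that a symbol nested inside another collected symbol goes away with its ancestor.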
Modified: branches/safari-611.1.21.2-branch/Source/WebCore/svg/SVGUseElement.cpp (274998 => 274999)
--- branches/safari-611.1.21.2-branch/Source/WebCore/svg/SVGUseElement.cpp 2021-03-25 02:07:33 UTC (rev 274998)
+++ branches/safari-611.1.21.2-branch/Source/WebCore/svg/SVGUseElement.cpp 2021-03-25 02:08:56 UTC (rev 274999)
@@ -350,8 +350,14 @@
// into <svg> elements, which is correct for symbol elements directly referenced by use elements,
// but incorrect for ones that just happen to be in a subtree.
Vector<Element*> symbolElements;
- for (auto& descendant : descendantsOfType<SVGSymbolElement>(subtree))
- symbolElements.append(&descendant);
+ for (auto it = descendantsOfType<Element>(subtree).begin(); it; ) {
+ if (is<SVGSymbolElement>(*it)) {
+ symbolElements.append(&*it);
+ it.traverseNextSkippingChildren();
+ continue;
+ }
+ ++it;
+ }
disassociateAndRemoveClones(symbolElements);
}
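Review bot: The branch that calls `it.traverseNextSkippingChildren()` carries no comment explaining why the subtree of a matched symbol must be skipped, and the existing comment above the loop only covers why symbols are removed at all. Please add a line there saying that descendants of a collected symbol are removed together with it, so they must not be appended to `symbolElements`. Related to that, `symbolElements` is still a `Vector<Element*>` that is handed to disassociateAndRemoveClones(), so its safety now rests entirely on the traversal never collecting an element that an earlier removal takes out. Holding the elements by `Ref<Element>` would keep every entry alive for the duration of the call regardless of traversal order. The loop condition `it;` also depends on the iterator's boolean conversion; comparing against the range's end() would read more plainly if the iterator type supports it.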