Title: [110314] trunk/Source/WebCore
Revision: 110314
Author: [email protected]
Date: 2012-03-09 12:07:11 -0800 (Fri, 09 Mar 2012)
Log Message
Crash in WebCore::SVGUseElement::instanceForShadowTreeElement
https://bugs.webkit.org/show_bug.cgi?id=80406
Reviewed by Nikolas Zimmermann.
Code assumes that an object that is an SVG Element and in a shadow
tree must be in an SVG use shadow tree, and casts the shadow host with
a static_cast. It may be that an SVG element appears in a non-use
shadow tree, in which case bad things happen. While it appears that
the current code prevents such a situation from arising (checks are
made within the shadow tree code to prevent it) there are also
indications that the situation may change.
No new tests. I believe that the problem here cannot currently be
reproduced. That is, other code prevents SVG elements from appearing
in non-svg shadow trees.
* dom/EventDispatcher.cpp:
(WebCore::eventTargetRespectingSVGTargetRules):
* svg/SVGStyledElement.cpp:
(WebCore::SVGStyledElement::title):
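The hazard the commit describes is a classic unchecked downcast: `static_cast<SVGUseElement*>(shadowHost())` is only sound if the host really is a `<use>`, and nothing at the cast site proved that. The following is an added example, not WebKit code; `Element`, `SVGUseElement`, `HTMLDivElement` and the `*Names::*Tag` constants are minimal stand-ins that mimic the shape of the WebCore API the patch touches. It puts the pre-fix pattern (unconditional cast) beside the post-fix pattern (tag check, then cast, null on mismatch) so the type-confusion consequence is visible:

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <utility>

// Hypothetical stand-ins for WebCore types (not the real classes).
struct QualifiedName {
    std::string localName;
    bool operator==(const QualifiedName& o) const { return localName == o.localName; }
};
namespace SVGNames  { const QualifiedName useTag{"use"}; }
namespace HTMLNames { const QualifiedName divTag{"div"}; }

struct Element {
    explicit Element(QualifiedName n) : m_tagName(std::move(n)) {}
    virtual ~Element() = default;
    bool hasTagName(const QualifiedName& n) const { return m_tagName == n; }
    QualifiedName m_tagName;
};

// Only this subclass carries a title; the cast in the bug assumed every host was one of these.
struct SVGUseElement : Element {
    explicit SVGUseElement(std::string t) : Element(SVGNames::useTag), m_title(std::move(t)) {}
    std::string title() const { return m_title; }
    std::string m_title;
};

struct HTMLDivElement : Element {
    HTMLDivElement() : Element(HTMLNames::divTag) {}
};

// Pre-fix shape: the cast is unconditional. If `host` is not actually an SVGUseElement this is
// type confusion: title() reads an SVGUseElement field from an object that has none
// (undefined behaviour; in practice it reads whatever memory follows the smaller object).
std::string titleUnchecked(Element* host) {
    SVGUseElement* use = static_cast<SVGUseElement*>(host);
    return use->title();
}

// Post-fix shape: prove the dynamic type via the tag before casting, and hand back null
// so the caller can fall through instead of dereferencing a misinterpreted object.
SVGUseElement* hostAsUseElement(Element* host) {
    if (host && host->hasTagName(SVGNames::useTag))
        return static_cast<SVGUseElement*>(host);
    return nullptr;
}

std::string titleChecked(Element* host) {
    if (SVGUseElement* use = hostAsUseElement(host))
        return use->title();
    return std::string(); // no <use> host: same fallthrough the patched code takes
}

int main() {
    SVGUseElement use("title from <use>");
    HTMLDivElement div; // a host that is not a <use>; the future case the patch guards against
    std::printf("checked, use host: '%s'\n", titleChecked(&use).c_str());
    std::printf("checked, div host: '%s'\n", titleChecked(&div).c_str());
    std::printf("checked, no host:  '%s'\n", titleChecked(nullptr).c_str());
    // titleUnchecked(&div) is exactly the pre-fix bug and is undefined behaviour, so it is
    // deliberately not exercised here; with the right type it behaves.
    std::printf("unchecked, use host: '%s'\n", titleUnchecked(&use).c_str());
    return 0;
}
```

The tag check is WebKit's usual way to establish an element's concrete class; in code without that convention the same contract is expressed with `dynamic_cast` or a kind tag on the base class. Either way, the rule the patch enforces is that a downcast must be preceded by a check of the dynamic type at the same site, not by an assumption about what other code currently allows.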
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (110313 => 110314)
--- trunk/Source/WebCore/ChangeLog 2012-03-09 20:06:05 UTC (rev 110313)
+++ trunk/Source/WebCore/ChangeLog 2012-03-09 20:07:11 UTC (rev 110314)
@@ -1,3 +1,27 @@
+2012-03-09 Stephen Chenney <[email protected]>
+
+ Crash in WebCore::SVGUseElement::instanceForShadowTreeElement
+ https://bugs.webkit.org/show_bug.cgi?id=80406
+
+ Reviewed by Nikolas Zimmermann.
+
+ Code assumes that an object that is an SVG Element and in a shadow
+ tree must be in an SVG use shadow tree, and casts the shadow host with
+ a static_cast. It may be that an SVG element appears in a non-use
+ shadow tree, in which case bad things happen. While it appears that
+ the current code prevents such a situation from arising (checks are
+ made within the shadow tree code to prevent it) there are also
+ indications that the situation may change.
+
+ No new tests. I believe that the problem here cannot currently be
+ reproduced. That is, other code prevents SVG elements from appearing
+ in non-svg shadow trees.
+
+ * dom/EventDispatcher.cpp:
+ (WebCore::eventTargetRespectingSVGTargetRules):
+ * svg/SVGStyledElement.cpp:
+ (WebCore::SVGStyledElement::title):
+
2012-03-09 Jon Lee <[email protected]>
Add support for ENABLE(LEGACY_NOTIFICATIONS)
Modified: trunk/Source/WebCore/dom/EventDispatcher.cpp (110313 => 110314)
--- trunk/Source/WebCore/dom/EventDispatcher.cpp 2012-03-09 20:06:05 UTC (rev 110313)
+++ trunk/Source/WebCore/dom/EventDispatcher.cpp 2012-03-09 20:07:11 UTC (rev 110314)
@@ -65,11 +65,17 @@
// Spec: The event handling for the non-exposed tree works as if the referenced element had been textually included
// as a deeply cloned child of the 'use' element, except that events are dispatched to the SVGElementInstance objects
- SVGUseElement* useElement = static_cast<SVGUseElement*>(referenceNode->treeScope()->rootNode()->shadowHost());
- ASSERT(useElement);
+ Element* shadowHostElement = referenceNode->treeScope()->rootNode()->shadowHost();
+ // At this time, SVG nodes are not allowed in non-<use> shadow trees, so any shadow root we do
+ // have should be a use. The assert and following test is here to catch future shadow DOM changes
+ // that do enable SVG in a shadow tree.
+ ASSERT(!shadowHostElement || shadowHostElement->hasTagName(SVGNames::useTag));
+ if (shadowHostElement && shadowHostElement->hasTagName(SVGNames::useTag)) {
+ SVGUseElement* useElement = static_cast<SVGUseElement*>(shadowHostElement);
- if (SVGElementInstance* instance = useElement->instanceForShadowTreeElement(referenceNode))
- return instance;
+ if (SVGElementInstance* instance = useElement->instanceForShadowTreeElement(referenceNode))
+ return instance;
+ }
#endif
return referenceNode;
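Review bot: the new `ASSERT(!shadowHostElement || shadowHostElement->hasTagName(SVGNames::useTag));` accepts a null host, whereas the removed `ASSERT(useElement)` required one; if referenceNode is known to be inside a shadow tree when this code runs (the spec comment at the top of the hunk only makes sense in that case), a null `shadowHost()` means a broken tree scope and should still trip an assertion, so either keep a separate `ASSERT(shadowHostElement)` or extend the comment to say why a null host is legitimate here. Falling through to `return referenceNode` in release builds when the host is not a `<use>` is the right fallback and is consistent with the spec text quoted above.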
Modified: trunk/Source/WebCore/svg/SVGStyledElement.cpp (110313 => 110314)
--- trunk/Source/WebCore/svg/SVGStyledElement.cpp 2012-03-09 20:06:05 UTC (rev 110313)
+++ trunk/Source/WebCore/svg/SVGStyledElement.cpp 2012-03-09 20:07:11 UTC (rev 110314)
@@ -90,13 +90,19 @@
// Walk up the tree, to find out whether we're inside a <use> shadow tree, to find the right title.
if (isInShadowTree()) {
- SVGUseElement* useElement = static_cast<SVGUseElement*>(treeScope()->rootNode()->shadowHost());
- ASSERT(useElement);
-
- // If the <use> title is not empty we found the title to use.
- String useTitle(useElement->title());
- if (!useTitle.isEmpty())
- return useTitle;
+ Element* shadowHostElement = treeScope()->rootNode()->shadowHost();
+ // At this time, SVG nodes are not allowed in non-<use> shadow trees, so any shadow root we do
+ // have should be a use. The assert and following test is here to catch future shadow DOM changes
+ // that do enable SVG in a shadow tree.
+ ASSERT(!shadowHostElement || shadowHostElement->hasTagName(SVGNames::useTag));
+ if (shadowHostElement && shadowHostElement->hasTagName(SVGNames::useTag)) {
+ SVGUseElement* useElement = static_cast<SVGUseElement*>(shadowHostElement);
+
+ // If the <use> title is not empty we found the title to use.
+ String useTitle(useElement->title());
+ if (!useTitle.isEmpty())
+ return useTitle;
+ }
}
// If we aren't an instance in a <use> or the <use> title was not found, then find the first
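Review bot: the host test and its three-line comment are duplicated verbatim from EventDispatcher.cpp; a single helper that returns the shadow host as `SVGUseElement*` or null (for example a static on SVGUseElement) would encode the "SVG elements only live in `<use>` shadow trees" assumption in one place, so the shadow DOM change the comment anticipates has one site to update rather than two. Same point as in the other file: this branch is already inside `if (isInShadowTree())`, so the `!shadowHostElement ||` clause weakens the old `ASSERT(useElement)`; a null host here should remain an assertion failure rather than being silently accepted.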
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes