[webkit-changes] [117161] trunk

Tue, 15 May 2012 14:28:28 -0700

Title: [117161] trunk
Revision
117161
Author
[email protected]
Date
2012-05-15 14:29:19 -0700 (Tue, 15 May 2012)

Log Message

Source/WebCore: Crash due shadow tree parent confusion in SVG.
https://bugs.webkit.org/show_bug.cgi?id=84248

Reviewed by Nikolas Zimmermann.

Test: svg/foreignObject/viewport-foreignobject-crash.html

When we try to make a decision on whether we need an outer
SVGRoot container, we detect if we are in shadow tree or not.
We also need to make sure that our parentOrHostElement is also
an svg element.

* svg/SVGElement.cpp:
(WebCore::SVGElement::isOutermostSVGSVGElement):

LayoutTests: Crash due shadow tree parent confusion in SVG.
https://bugs.webkit.org/show_bug.cgi?id=84248

Reviewed by Nikolas Zimmermann.

* svg/foreignObject/viewport-foreignobject-crash-expected.html: Added.
* svg/foreignObject/viewport-foreignobject-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (117160 => 117161)


--- trunk/LayoutTests/ChangeLog	2012-05-15 21:27:39 UTC (rev 117160)
+++ trunk/LayoutTests/ChangeLog	2012-05-15 21:29:19 UTC (rev 117161)
@@ -1,3 +1,13 @@
+2012-05-15  Abhishek Arya  <[email protected]>
+
+        Crash due shadow tree parent confusion in SVG.
+        https://bugs.webkit.org/show_bug.cgi?id=84248
+ 
+        Reviewed by Nikolas Zimmermann.
+
+        * svg/foreignObject/viewport-foreignobject-crash-expected.html: Added.
+        * svg/foreignObject/viewport-foreignobject-crash.html: Added.
+
 2012-05-15  Lauro Neto  <[email protected]>
 
         [File API] URL methods handling null arguments

Added: trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html (0 => 117161)


--- trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html	                        (rev 0)
+++ trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html	2012-05-15 21:29:19 UTC (rev 117161)
@@ -0,0 +1 @@
+PASS
Property changes on: trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash-expected.html
___________________________________________________________________

Added: svn:executable

Added: trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html (0 => 117161)


--- trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html	2012-05-15 21:29:19 UTC (rev 117161)
@@ -0,0 +1,35 @@
+<html>
+<body>
+<script>
+var script = document.getElementsByTagName("script")[0];
+script.parentNode.removeChild(script);
+
+var count = 0;
+function crash() {
+    var element = event.srcElement;
+    document.adoptNode(element);
+    if (!document.body.innerHTML)
+        return;
+    document.execCommand('InsertHTML', false, document.body.innerHTML);
+    if (count == 1) {
+        document.removeEventListener("DOMNodeInserted", crash, false);
+        document.body.innerHTML = "PASS";
+        return;
+    }
+    document.body.appendChild(element);
+    element.insertAdjacentHTML('beforeend', '<svg><foreignObject>A</foreignObject></svg>');
+    element.focus();
+    count += 1;
+}
+
+document.addEventListener("DOMNodeInserted", crash, false);
+document.addEventListener("DOMContentLoaded", function () {
+    document.execCommand("SelectAll", false, false);
+    var range = window.getSelection().getRangeAt(0);
+    var docFragment = range.extractContents();
+    document.documentElement.firstChild.appendChild(docFragment);
+}, false);
+</script>
+<input/>
+</body>
+</html>
Property changes on: trunk/LayoutTests/svg/foreignObject/viewport-foreignobject-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (117160 => 117161)


--- trunk/Source/WebCore/ChangeLog	2012-05-15 21:27:39 UTC (rev 117160)
+++ trunk/Source/WebCore/ChangeLog	2012-05-15 21:29:19 UTC (rev 117161)
@@ -1,3 +1,20 @@
+2012-05-15  Abhishek Arya  <[email protected]>
+
+        Crash due shadow tree parent confusion in SVG.
+        https://bugs.webkit.org/show_bug.cgi?id=84248
+
+        Reviewed by Nikolas Zimmermann.
+
+        Test: svg/foreignObject/viewport-foreignobject-crash.html
+
+        When we try to make a decision on whether we need an outer
+        SVGRoot container, we detect if we are in shadow tree or not.
+        We also need to make sure that our parentOrHostElement is also
+        an svg element. 
+
+        * svg/SVGElement.cpp:
+        (WebCore::SVGElement::isOutermostSVGSVGElement):
+
 2012-05-15  Lauro Neto  <[email protected]>
 
         [File API] URL methods handling null arguments

Modified: trunk/Source/WebCore/svg/SVGElement.cpp (117160 => 117161)


--- trunk/Source/WebCore/svg/SVGElement.cpp	2012-05-15 21:27:39 UTC (rev 117160)
+++ trunk/Source/WebCore/svg/SVGElement.cpp	2012-05-15 21:29:19 UTC (rev 117161)
@@ -120,7 +120,7 @@
     // If we're living in a shadow tree, we're a <svg> element that got created as replacement
     // for a <symbol> element or a cloned <svg> element in the referenced tree. In that case
     // we're always an inner <svg> element.
-    if (isInShadowTree())
+    if (isInShadowTree() && parentOrHostElement() && parentOrHostElement()->isSVGElement())
         return false;
 
     // Element may not be in the document, pretend we're outermost for viewport(), getCTM(), etc.

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to