Crash when printing snapshotted plugins
author: mjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 4 Feb 2015 07:01:23 +0000 (07:01 +0000)
committer: mjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 4 Feb 2015 07:01:23 +0000 (07:01 +0000)
commit 03482dd3f0bbfc1c4cc9a792b0ce2b9bd36f9c75
tree 2c0d24b1ea969270aa009b09bcb1d52d14054abd
parent 33d290af8a73b437fe4e5babc784dc21041af75a
Crash when printing snapshotted plugins
https://bugs.webkit.org/show_bug.cgi?id=141212

Reviewed by Simon Fraser.

Source/WebCore:

Test: plugins/snapshotting/print-snapshotted-plugin.html

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::childShouldCreateRenderer): New
method. If the current renderer is a snapshotted plugin, only
allow children to create renderers if they are part of the
snapshot shadow DOM. Otherwise RenderEmbeddedObject invariants
will be violated. This DOM class can have many other renderers, but they
can just follow their own rules.
(WebCore::HTMLPlugInImageElement::partOfSnapshotOverlay): Make this
const-correct, and don't create UA shadow DOM as a side effect if it doesn't
already exist.
* html/HTMLPlugInImageElement.h:

LayoutTests:

This test would crash without the fix due to a bad cast to RenderBox. <object>
is not prepared to have rendered inline children when rendering a plugin.

* plugins/snapshotting/print-snapshotted-plugin-expected.txt: Added.
* plugins/snapshotting/print-snapshotted-plugin.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@179597 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/plugins/snapshotting/print-snapshotted-plugin-expected.txt [new file with mode: 0644]
LayoutTests/plugins/snapshotting/print-snapshotted-plugin.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLPlugInImageElement.cpp
Source/WebCore/html/HTMLPlugInImageElement.h