Document should not be mutated under SMILTimeContainer::updateAnimations()
author: said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Jun 2018 19:28:33 +0000 (19:28 +0000)
committer: said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Jun 2018 19:28:33 +0000 (19:28 +0000)
commit 3bd0cf9472ec1fe3fd3b615732aa40d49c7f508d
tree fe2d74f64776e75aee557688fab5d172d26c4da3
parent 56889e7ed7bc1b1428a5e85267c7dab46b397bf8
Document should not be mutated under SMILTimeContainer::updateAnimations()
https://bugs.webkit.org/show_bug.cgi?id=186658

Reviewed by Simon Fraser.

Source/WebCore:

To update the animation of an SVG <animate> element, we call
SVGAnimateElementBase::resetAnimatedType(). It ensures the pointer m_animator
is valid. If it animates a css property, it calls computeCSSPropertyValue()
which calls resolveStyle() via other calls. resolveStyle() may call delayed
callbacks through the destructor of PostResolutionCallbackDisabler. These
callbacks may fire events. These events may execute JS event handlers.
If one of these event handlers deletes the same SVG <animate> we animate,
we will end up calling SVGAnimateElementBase::resetAnimatedPropertyType()
of the same <animate> element. This function will delete the same m_animator
which resetAnimatedType() still holds and will use later. This code
re-entrance is unexpected and unwanted.

The fix is to disable mutating the DOM while updating the SVG animations.

Test: svg/dom/css-animate-input-foucs-crash.html

* svg/animation/SMILTimeContainer.cpp:
(WebCore::SMILTimeContainer::updateAnimations):

LayoutTests:

* svg/dom/css-animate-input-foucs-crash-expected.txt: Added.
* svg/dom/css-animate-input-foucs-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232941 268f45cc-cd09-0410-ab3c-d52691b4dbfc
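The re-entrancy the commit describes, reduced to a constructed illustration (added here; not WebKit code, and all names such as MutationDisabler, AnimateElement and runScenario are hypothetical): a callback fired during style resolution deletes the animator that the caller still holds, and an RAII guard that defers such callbacks until the update has finished closes the window.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct Animator { int value = 0; };

// RAII guard: while any instance is alive, callbacks are queued instead of
// run, and the outermost guard drains the queue on destruction.
struct MutationDisabler {
    static int depth;
    static std::vector<std::function<void()>> deferred;
    MutationDisabler() { ++depth; }
    ~MutationDisabler() {
        if (--depth == 0) {
            auto pending = std::move(deferred);
            deferred.clear();
            for (auto& cb : pending) cb();
        }
    }
    static void fire(std::function<void()> cb) {
        if (depth > 0) deferred.push_back(std::move(cb)); else cb();
    }
};
int MutationDisabler::depth = 0;
std::vector<std::function<void()>> MutationDisabler::deferred;

struct AnimateElement {
    std::unique_ptr<Animator> m_animator = std::make_unique<Animator>();
    std::function<void()> onEvent;                            // stands in for a JS event handler
    void resetAnimatedPropertyType() { m_animator.reset(); }  // destroys m_animator
    // Returns false if m_animator was destroyed underneath us (the real code
    // would dereference a dangling pointer here instead of checking).
    bool resetAnimatedType() {
        Animator* animator = m_animator.get();
        MutationDisabler::fire(onEvent);  // "style resolution" runs delayed callbacks
        if (animator != m_animator.get()) return false;
        animator->value += 1;
        return true;
    }
};

bool updateAnimations(AnimateElement& e, bool guarded) {
    if (!guarded) return e.resetAnimatedType();
    MutationDisabler guard;  // the fix: no DOM mutation while animations update
    return e.resetAnimatedType();
}

// The handler deletes the animator of the very element being updated.
bool runScenario(bool guarded) {
    AnimateElement e;
    e.onEvent = [&e] { e.resetAnimatedPropertyType(); };
    bool ok = updateAnimations(e, guarded);
    return ok && (!guarded || e.m_animator == nullptr);  // deferred handler still ran
}
```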
LayoutTests/ChangeLog
LayoutTests/svg/dom/css-animate-input-foucs-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/dom/css-animate-input-foucs-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/animation/SMILTimeContainer.cpp