REGRESSION (r190430): WTFCrashWithSecurityImplication in:void SVGRootInlineBox::layou...
author said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Feb 2016 23:59:25 +0000 (23:59 +0000)
committer said@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Feb 2016 23:59:25 +0000 (23:59 +0000)
commit 7a6bd6d45ded95bf02ff27ee2bf953a6481c6f04
tree 46dea4b6e24efe55b2ed6040dafef6b6f46df06c
parent 1c8048840574a8f7a788db6cb3388e6c78d6be47
REGRESSION (r190430): WTFCrashWithSecurityImplication in:void SVGRootInlineBox::layoutCharactersInTextBoxes()
https://bugs.webkit.org/show_bug.cgi?id=154185

Reviewed by Ryosuke Niwa.
Source/WebCore:

This is a regression caused by adding support for HTMLSlotElement. The
crash happens when adding an HTMLSlotElement to another element which should
not have it as a child, like SVGTextElement for example. In this case, we
were creating a RenderText, which should not happen inside an SVG document.
RenderText::createTextBox() was creating an InlineTextBox for the slot's
text and attaching it to the SVGRootInlineBox. In layoutCharactersInTextBoxes(),
the assumption is that the inline box is either an SVGInlineTextBox or an SVGInlineFlowBox.
But since we have an InlineTextBox instead, the crash happens when casting
the InlineTextBox to SVGInlineFlowBox.

The fix is for createRenderTreeForSlotAssignees() to not create a renderer
when the parent element should not have a renderer for this element.
This is the same thing we do for createRenderer(), which handles the
non-HTMLSlotElement case and which is also called from createRenderTreeRecursively().

Test: fast/shadow-dom/text-slot-child-crash.svg

* style/StyleTreeResolver.cpp:
(WebCore::Style::moveToFlowThreadIfNeeded):
(WebCore::Style::TreeResolver::createRenderer): Delete the check for
shouldCreateRenderer() and handling the case when resolvedStyle is null
since these are handled by the caller createRenderTreeRecursively().

(WebCore::Style::TreeResolver::createRenderTreeForSlotAssignees):
Assert shouldCreateRenderer() is true for this element.

(WebCore::Style::TreeResolver::createRenderTreeRecursively): Don't create
the renderer if shouldCreateRenderer() returns false. Also handle the case
when resolvedStyle is null and pass the new style to createRenderer().

* style/StyleTreeResolver.h:

LayoutTests:

Ensure that adding an HTMLSlotElement with text to an SVGTextElement will
not create a renderer and that we won't crash.

* fast/shadow-dom/text-slot-child-crash-expected.txt: Added.
* fast/shadow-dom/text-slot-child-crash.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196669 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/shadow-dom/text-slot-child-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/shadow-dom/text-slot-child-crash.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/style/StyleTreeResolver.cpp
Source/WebCore/style/StyleTreeResolver.h