Crash happens when calling removeEventListener for an SVG element which has an instan...
authorsaid@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jul 2015 20:10:03 +0000 (20:10 +0000)
committersaid@apple.com <said@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jul 2015 20:10:03 +0000 (20:10 +0000)
commit7e6b53fff9dc4bd25bfa00201640a5337ccfa97d
treebc53975bb09c29f0333fc1b6e9372d692839beb6
parent49a32d96705eb9d88411517f8e2ee8242a0373fe
Crash happens when calling removeEventListener for an SVG element which has an instance inside a <defs> element of shadow tree
https://bugs.webkit.org/show_bug.cgi?id=147290

Reviewed by Daniel Bates.

Source/WebCore:

When the shadow tree is built for a <use> element, all the SVG elements
are allowed to be cloned in the shadow tree but later some of the elements
are disallowed and removed. Make sure, when disallowing an element in the
shadow tree, to reset the correspondingElement relationship between all
the disallowed descendant SVG elements and all their original elements.

Test: svg/custom/remove-event-listener-shadow-disallowed-element.svg

*svg/SVGElement.cpp:
(WebCore::SVGElement::setCorrespondingElement)
* svg/SVGUseElement.cpp:
(WebCore::removeDisallowedElementsFromSubtree):

LayoutTests:

Make sure we do not crash when when calling removeEventListener() for an
element which is cloned under a disallowed parent inside the shadow tree
of another <use> element.

* svg/custom/remove-event-listener-shadow-disallowed-element-expected.txt: Added.
* svg/custom/remove-event-listener-shadow-disallowed-element.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@187504 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/svg/custom/remove-event-listener-shadow-disallowed-element-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/remove-event-listener-shadow-disallowed-element.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGElement.cpp
Source/WebCore/svg/SVGUseElement.cpp