SVG element may reference arbitrary DOM element before running its insertion logic
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 May 2014 23:28:20 +0000 (23:28 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 15 May 2014 23:28:20 +0000 (23:28 +0000)
commitfcb8b8c72dc44940af9227421f28069d2157209f
tree6e13b0dc381637ba5a4a62216193bbd71af78450
parentd4e73f3b9b6b074a87f6e0fc94a5f49cb6290a84
SVG element may reference arbitrary DOM element before running its insertion logic
https://bugs.webkit.org/show_bug.cgi?id=132757
<rdar://problem/15703817>

Reviewed by Ryosuke Niwa.

Source/WebCore:
Fixes an issue where an SVG element may reference an arbitrary DOM element e before e finished being
inserted in the tree.

Currently when an SVG element A is inserted into a document we use document.getElementById() to find the
element B it references (if any). If A is inserted before B and B has the same id as a later element in
the document then A can find B before B is notified that its been inserted into the document (i.e. before
Element::insertedFrom() is called on B). Instead, A should call document.getElementById() only after
cessation of the insertion operation that inserted it to ensure that all inserted nodes (including B)
processed their insertion-specific logic.

Tests: svg/custom/reparent-animate-element.html
       svg/custom/reparent-feimage-element.html
       svg/custom/reparent-mpath-element.html
       svg/custom/reparent-textpath-element.html
       svg/custom/reparent-tref-element.html
       svg/custom/reparent-use-element.html

* svg/SVGFEImageElement.cpp:
(WebCore::SVGFEImageElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions so that
we are called back to resolve our target element (i.e. call SVGFEImageElement::buildPendingResources())
after the subtree we're in is inserted.
(WebCore::SVGFEImageElement::didNotifySubtreeInsertions): Added; turns around and calls SVGFEImageElement::buildPendingResources().
* svg/SVGFEImageElement.h:
* svg/SVGMPathElement.cpp:
(WebCore::SVGMPathElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions so that
we are called back to resolve our target element (i.e. call SVGMPathElement::buildPendingResources())
after the subtree we're in is inserted.
(WebCore::SVGMPathElement::didNotifySubtreeInsertions): Added; turns around and calls SVGMPathElement::buildPendingResources().
* svg/SVGMPathElement.h:
* svg/SVGTRefElement.cpp:
(WebCore::SVGTRefElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions so that
we are called back to resolve our target element (i.e. call SVGTRefElement::buildPendingResources())
after the subtree we're in is inserted.
(WebCore::SVGTRefElement::didNotifySubtreeInsertions): Added; turns around and calls SVGTRefElement::buildPendingResources().
* svg/SVGTRefElement.h:
* svg/SVGTextPathElement.cpp:
(WebCore::SVGTextPathElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions so that
we are called back to resolve our target element (i.e. call SVGTextPathElement::buildPendingResources())
after the subtree we're in is inserted.
(WebCore::SVGTextPathElement::didNotifySubtreeInsertions): Added; turns around and calls SVGTextPathElement::buildPendingResources().
* svg/SVGTextPathElement.h:
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions so that
we are called back to resolve our target element (i.e. call SVGUseElement::buildPendingResources()) after its subtree is
inserted.
(WebCore::SVGUseElement::didNotifySubtreeInsertions): Added; turns around and calls SVGUseElement::buildPendingResources().
* svg/SVGUseElement.h:
* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions so that
we are called back to resolve our target element (i.e. call SVGSMILElement::buildPendingResources())
after the subtree we're in is inserted.
(WebCore::SVGSMILElement::didNotifySubtreeInsertions): Added; turns around and calls SVGSMILElement::buildPendingResources().
* svg/animation/SVGSMILElement.h:

LayoutTests:
Add tests to ensure that we don't cause an assertion failure when re-parenting an SVG subtree that
contains an element with a duplicate id.

* svg/custom/reparent-animate-element-expected.txt: Added.
* svg/custom/reparent-animate-element.html: Added.
* svg/custom/reparent-feimage-element-expected.txt: Added.
* svg/custom/reparent-feimage-element.html: Added.
* svg/custom/reparent-mpath-element-expected.txt: Added.
* svg/custom/reparent-mpath-element.html: Added.
* svg/custom/reparent-textpath-element-expected.txt: Added.
* svg/custom/reparent-textpath-element.html: Added.
* svg/custom/reparent-tref-element-expected.txt: Added.
* svg/custom/reparent-tref-element.html: Added.
* svg/custom/reparent-use-element-expected.txt: Added.
* svg/custom/reparent-use-element.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@168915 268f45cc-cd09-0410-ab3c-d52691b4dbfc
26 files changed:
LayoutTests/ChangeLog
LayoutTests/svg/custom/reparent-animate-element-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/reparent-animate-element.html [new file with mode: 0644]
LayoutTests/svg/custom/reparent-feimage-element-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/reparent-feimage-element.html [new file with mode: 0644]
LayoutTests/svg/custom/reparent-mpath-element-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/reparent-mpath-element.html [new file with mode: 0644]
LayoutTests/svg/custom/reparent-textpath-element-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/reparent-textpath-element.html [new file with mode: 0644]
LayoutTests/svg/custom/reparent-tref-element-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/reparent-tref-element.html [new file with mode: 0644]
LayoutTests/svg/custom/reparent-use-element-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/reparent-use-element.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGFEImageElement.cpp
Source/WebCore/svg/SVGFEImageElement.h
Source/WebCore/svg/SVGMPathElement.cpp
Source/WebCore/svg/SVGMPathElement.h
Source/WebCore/svg/SVGTRefElement.cpp
Source/WebCore/svg/SVGTRefElement.h
Source/WebCore/svg/SVGTextPathElement.cpp
Source/WebCore/svg/SVGTextPathElement.h
Source/WebCore/svg/SVGUseElement.cpp
Source/WebCore/svg/SVGUseElement.h
Source/WebCore/svg/animation/SVGSMILElement.cpp
Source/WebCore/svg/animation/SVGSMILElement.h