Fix computeFloatVisibleRectInContainer to handle non-SVG object parent
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Jan 2020 23:06:30 +0000 (23:06 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Jan 2020 23:06:30 +0000 (23:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=205282
Source/WebCore:

<rdar://problem/57975185>

Patch by Sunny He <sunny_he@apple.com> on 2020-01-13
Reviewed by Darin Adler.

Test: svg/dom/replaceChild-document-crash.html

* rendering/svg/SVGRenderSupport.cpp:
(WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer):

LayoutTests:

Patch by Sunny He <sunny_he@apple.com> on 2020-01-13
Reviewed by Darin Adler.

* svg/dom/replaceChild-document-crash-expected.txt: Added.
* svg/dom/replaceChild-document-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254458 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/dom/replaceChild-document-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/dom/replaceChild-document-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/svg/SVGRenderSupport.cpp

index 721ad5f..307ce35 100644 (file)
@@ -1,3 +1,13 @@
+2020-01-13  Sunny He  <sunny_he@apple.com>
+
+        Fix computeFloatVisibleRectInContainer to handle non-SVG object parent
+        https://bugs.webkit.org/show_bug.cgi?id=205282
+
+        Reviewed by Darin Adler.
+
+        * svg/dom/replaceChild-document-crash-expected.txt: Added.
+        * svg/dom/replaceChild-document-crash.html: Added.
+
 2020-01-13  Eric Carlson  <eric.carlson@apple.com>
 
         Expose audio tracks for media files in the GPUProcess
diff --git a/LayoutTests/svg/dom/replaceChild-document-crash-expected.txt b/LayoutTests/svg/dom/replaceChild-document-crash-expected.txt
new file mode 100644 (file)
index 0000000..003513e
--- /dev/null
@@ -0,0 +1,3 @@
+Confirm that svg element with document as parent is handled without crashing
+
+PASS
diff --git a/LayoutTests/svg/dom/replaceChild-document-crash.html b/LayoutTests/svg/dom/replaceChild-document-crash.html
new file mode 100644 (file)
index 0000000..7879322
--- /dev/null
@@ -0,0 +1,28 @@
+<html>
+<body>
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText()
+        testRunner.waitUntilDone()
+    }
+
+    function run() {
+        var svgvar = document.getElementById('svgvar');
+        svgvar.style.setProperty("transform", "rotatez(0)");
+        document.replaceChild(svgvar, document.childNodes[0]);
+
+        setTimeout(function() { 
+            document.open();
+            document.write('<html><p>Confirm that svg element with document as parent is handled without crashing</p>PASS</html>');
+            document.close();
+
+            if (window.testRunner)
+                testRunner.notifyDone()
+        }, 0);
+    }
+</script>
+<svg onload="run()">
+    <text id="svgvar"></text>
+</svg>
+</body>
+</html>
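Review bot: The script mixes statement terminators — `testRunner.dumpAsText()`, `testRunner.waitUntilDone()` and `testRunner.notifyDone()` omit the semicolon while every other statement keeps it — and the `setTimeout(function() { ` line carries trailing whitespace; terminating those three calls with `;` and trimming that line would make the file consistent. A one-line comment above `document.replaceChild(svgvar, document.childNodes[0]);` such as `// Make the <svg> element a direct child of the document, so its renderer's parent is not an SVG object.` would tell a future reader why this test exists without consulting the ChangeLog, since the commit title is the only place that intent is stated.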
index 78aab58..a049dae 100644 (file)
@@ -1,3 +1,16 @@
+2020-01-13  Sunny He  <sunny_he@apple.com>
+
+        Fix computeFloatVisibleRectInContainer to handle non-SVG object parent
+        https://bugs.webkit.org/show_bug.cgi?id=205282
+        <rdar://problem/57975185>
+
+        Reviewed by Darin Adler.
+
+        Test: svg/dom/replaceChild-document-crash.html
+
+        * rendering/svg/SVGRenderSupport.cpp:
+        (WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer):
+
 2020-01-13  Eric Carlson  <eric.carlson@apple.com>
 
         Expose audio tracks for media files in the GPUProcess
index ef46a5a..76a5a7e 100644 (file)
@@ -64,6 +64,12 @@ LayoutRect SVGRenderSupport::clippedOverflowRectForRepaint(const RenderElement&
 
 Optional<FloatRect> SVGRenderSupport::computeFloatVisibleRectInContainer(const RenderElement& renderer, const FloatRect& rect, const RenderLayerModelObject* container, RenderObject::VisibleRectContext context)
 {
+    // Ensure our parent is an SVG object.
+    ASSERT(renderer.parent());
+    auto& parent = *renderer.parent();
+    if (!is<SVGElement>(parent.element()))
+        return FloatRect();
+
     FloatRect adjustedRect = rect;
     const SVGRenderStyle& svgStyle = renderer.style().svgStyle();
     if (const ShadowData* shadow = svgStyle.shadow())
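Review bot: The new guard covers the non-SVG-parent case but not the null-parent case: `ASSERT(renderer.parent());` compiles out in release builds, so `auto& parent = *renderer.parent();` still dereferences null there, exactly as the old `renderer.parent()->` call did. Folding the null check into the type check, `if (!renderer.parent() || !is<SVGElement>(renderer.parent()->element())) return FloatRect();`, would make the release path safe as well (or, if a null parent is a genuine invariant violation, `RELEASE_ASSERT` makes it fail loudly rather than dereference). Returning `FloatRect()` rather than `WTF::nullopt` also means a caller cannot distinguish "no SVG parent to map into" from a genuinely empty visible rect; if that is the intended contract, the comment should say so. I would expand `// Ensure our parent is an SVG object.` to `// A renderer whose element was reparented under a non-SVG node (the test does this with document.replaceChild) has no SVG parent to map into; report an empty visible rect rather than recurse into the non-SVG parent.`. The function's body continues in the next hunk.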
@@ -72,7 +78,8 @@ Optional<FloatRect> SVGRenderSupport::computeFloatVisibleRectInContainer(const R
 
     // Translate to coords in our parent renderer, and then call computeFloatVisibleRectInContainer() on our parent.
     adjustedRect = renderer.localToParentTransform().mapRect(adjustedRect);
-    return renderer.parent()->computeFloatVisibleRectInContainer(adjustedRect, container, context);
+
+    return parent.computeFloatVisibleRectInContainer(adjustedRect, container, context);
 }
 
 const RenderElement& SVGRenderSupport::localToParentTransform(const RenderElement& renderer, AffineTransform &transform)
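Review bot: The blank line inserted before `return parent.computeFloatVisibleRectInContainer(adjustedRect, container, context);` separates the two statements that the comment above describes as one step ("Translate to coords in our parent renderer, and then call computeFloatVisibleRectInContainer() on our parent"), so the comment now reads as if it applied only to the `mapRect` line. I would drop the added blank line, or split the comment so its second half sits directly above the return. The enclosing function's signature and the new early return are in the previous hunk.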