<rdar://problem/6302405> Crash (null-deref) when using :before pseudoselector with...
author: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Dec 2008 22:33:51 +0000 (22:33 +0000)
committer: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Dec 2008 22:33:51 +0000 (22:33 +0000)
<https://bugs.webkit.org/show_bug.cgi?id=22804>

Reviewed by Adele Peterson.

This issue was caused by CSS generated content resulting in non-SVG flowboxes
being injected into SVG content.  As the SVG spec does not describe behaviour in
this case, and neither Opera nor Firefox displays such generated content,
we now make SVG text layout and rendering just ignore any such content.

Test: svg/css/crash-css-generated-content.xhtml

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@39218 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/css/crash-css-generated-content-expected.txt [new file with mode: 0644]
LayoutTests/svg/css/crash-css-generated-content.xhtml [new file with mode: 0644]
WebCore/ChangeLog
WebCore/rendering/SVGRootInlineBox.cpp

index 3874e2f..7db88d6 100644 (file)
@@ -1,3 +1,16 @@
+2008-12-10  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Adele Peterson.
+
+        Crash (null-deref) when using :before pseudoselector with content CSS rule in SVG
+        <rdar://problem/6302405>
+        <https://bugs.webkit.org/show_bug.cgi?id=22804>
+
+        Test to make sure we don't crash, and don't display generated content.
+
+        * svg/css/crash-css-generated-content-expected.txt: Added.
+        * svg/css/crash-css-generated-content.xhtml: Added.
+
 2008-12-11  Anders Carlsson  <andersca@apple.com>
 
         Reviewed by Cameron Zwarich.
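Review bot: the new entry is dated 2008-12-10 but is inserted above Anders Carlsson's 2008-12-11 entry, so the ChangeLog is out of date order; the commit itself is from 11 Dec 2008, so the header should read `2008-12-11  Oliver Hunt  <oliver@apple.com>`.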
diff --git a/LayoutTests/svg/css/crash-css-generated-content-expected.txt b/LayoutTests/svg/css/crash-css-generated-content-expected.txt
new file mode 100644 (file)
index 0000000..7cad17a
--- /dev/null
@@ -0,0 +1,2 @@
+This test ensures that we do not crash when css generated content attempts to attach to svg text
+
diff --git a/LayoutTests/svg/css/crash-css-generated-content.xhtml b/LayoutTests/svg/css/crash-css-generated-content.xhtml
new file mode 100644 (file)
index 0000000..b905b3a
--- /dev/null
@@ -0,0 +1,27 @@
+<!DOCTYPE html
+  PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
+    <style>
+        svg text:before {
+            content: 'FAIL';
+        }
+        svg text:after {
+            content: 'FAIL';
+        }
+    </style>
+    <head>
+        <title>Test case for rdar://6302405</title>
+    </head>
+    <body>
+        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+            <text x="50" y="50">This test ensures that we do not crash when css generated content attempts to attach to svg text</text>
+        </svg>
+        <script>
+        <![CDATA[
+            if (window.layoutTestController)
+                layoutTestController.dumpAsText();
+        ]]>
+        </script>
+    </body>
+</html>
\ No newline at end of file
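Review bot: the `<style>` element sits between `<html>` and `<head>` instead of inside `<head>`, which is not valid against the XHTML 1.0 Strict DTD the file declares; move it next to `<title>`. The test still exercises the crash either way, but a malformed test document is easy to misread later. The file also ends without a trailing newline.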
index 62bfd82..6678724 100644 (file)
@@ -1,3 +1,22 @@
+2008-12-10  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Adele Peterson.
+
+        <rdar://problem/6302405> Crash (null-deref) when using :before pseudoselector with content CSS rule in SVG
+        <https://bugs.webkit.org/show_bug.cgi?id=22804>
+
+        This issue was caused by css generated content resulting in non-svg flowboxes
+        being injected into SVG content.  As SVG spec does not describe behaviour in
+        this case, and neither Opera nor Firefox displays such generated content, so
+        now we make svg text layout and rendering just ignore any such content.
+
+        Test: svg/css/crash-css-generated-content.xhtml
+
+        * rendering/SVGRootInlineBox.cpp:
+        (WebCore::SVGRootInlineBox::buildLayoutInformation):
+        (WebCore::SVGRootInlineBox::layoutInlineBoxes):
+        (WebCore::SVGRootInlineBox::buildTextChunks):
+
 2008-12-11  Cameron Zwarich  <zwarich@apple.com>
 
         Reviewed by Dave Hyatt.
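Review bot: the description says SVG text layout and rendering ignore generated content, but every function listed (buildLayoutInformation, layoutInlineBoxes, buildTextChunks) is on the layout side and no paint code is touched; either name where painting skips these boxes or narrow the wording to layout. Same ordering problem as in LayoutTests/ChangeLog: the entry is dated 2008-12-10 yet placed above Cameron Zwarich's 2008-12-11 entry.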
index e5f9fdf..dec884f 100644 (file)
@@ -915,6 +915,9 @@ void SVGRootInlineBox::buildLayoutInformation(InlineFlowBox* start, SVGCharacter
             ASSERT(curr->isInlineFlowBox());
             InlineFlowBox* flowBox = static_cast<InlineFlowBox*>(curr);
 
+            if (!flowBox->object()->element())
+                continue; // Skip generated content.
+
             bool isAnchor = flowBox->object()->element()->hasTagName(SVGNames::aTag);
             bool isTextPath = flowBox->object()->element()->hasTagName(SVGNames::textPathTag);
 
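Review bot: `flowBox->object()` is dereferenced unconditionally before the new `element()` null check, and this identical three-line skip is now repeated in three functions of this file; a small helper such as `static inline bool isGeneratedContent(InlineFlowBox* box) { return !box->object()->element(); }` would keep the call sites in sync and make the intent explicit. Consider also an `ASSERT(flowBox->object())` so a null renderer does not turn into the same kind of crash this patch fixes.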
@@ -1062,6 +1065,10 @@ void SVGRootInlineBox::layoutInlineBoxes(InlineFlowBox* start, Vector<SVGChar>::
             int maxY = INT_MIN;
 
             InlineFlowBox* flowBox = static_cast<InlineFlowBox*>(curr);
+            
+            if (!flowBox->object()->element())
+                continue; // Skip generated content.
+    
             layoutInlineBoxes(flowBox, it, minX, maxX, minY, maxY);
 
             curr->setXPos(minX - object()->xPos());
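Review bot: the two added blank lines (after the `InlineFlowBox* flowBox` line and before `layoutInlineBoxes`) carry trailing whitespace and should be empty. More importantly, this skip is only correct because buildLayoutInformation skips the same boxes: `it` walks the shared `svgChars` vector, so if the two functions ever disagreed on which boxes to skip the iterator would fall out of step with the box tree. A one-line comment stating that dependency would help the next person who edits only one of them.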
@@ -1517,6 +1524,9 @@ void SVGRootInlineBox::buildTextChunks(Vector<SVGChar>& svgChars, InlineFlowBox*
             ASSERT(curr->isInlineFlowBox());
             InlineFlowBox* flowBox = static_cast<InlineFlowBox*>(curr);
 
+            if (!flowBox->object()->element())
+                continue; // Skip generated content.
+
             bool isTextPath = flowBox->object()->element()->hasTagName(SVGNames::textPathTag);
 
 #if DEBUG_CHUNK_BUILDING > 1
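Review bot: third copy of the same guard; see the note on buildLayoutInformation about factoring it out. Since the skipped flow box stays in the inline box tree with no chunk built for it, please confirm the painting path does not walk into these boxes expecting chunk data, as the ChangeLog claims rendering ignores them but no paint code is in this patch.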