Commit 240c13fa authored by mihnea@adobe.com's avatar mihnea@adobe.com

[CSSRegions]Crash while collecting svg elements in render flow thread.

https://bugs.webkit.org/show_bug.cgi?id=73735

Reviewed by David Hyatt.

Source/WebCore:

Tests: fast/regions/svg-doc-fragment-not-collected-expected.html
       fast/regions/svg-doc-fragment-not-collected.html
       fast/regions/svg-element-not-collected-expected.html
       fast/regions/svg-element-not-collected.html
       fast/regions/svg-root-element-collected.html

By allowing only svg root elements to be collected in a render flow thread,
the svg render tree is properly constructed, thus prevented a possible further crash.

* dom/NodeRenderingContext.cpp:
(WebCore::NodeRenderingContext::moveToFlowThreadIfNeeded):

LayoutTests:

* fast/regions/resources/region-style.css:
* fast/regions/svg-doc-fragment-not-collected-expected.html: Added.
* fast/regions/svg-doc-fragment-not-collected.html: Added.
* fast/regions/svg-element-not-collected-expected.html: Added.
* fast/regions/svg-element-not-collected.html: Added.
* fast/regions/svg-root-element-collected-expected.txt: Added.
* fast/regions/svg-root-element-collected.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104328 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent ffedf376
2012-01-06 Mihnea Ovidenie <mihnea@adobe.com>
[CSSRegions]Crash while collecting svg elements in render flow thread.
https://bugs.webkit.org/show_bug.cgi?id=73735
Reviewed by David Hyatt.
* fast/regions/resources/region-style.css:
* fast/regions/svg-doc-fragment-not-collected-expected.html: Added.
* fast/regions/svg-doc-fragment-not-collected.html: Added.
* fast/regions/svg-element-not-collected-expected.html: Added.
* fast/regions/svg-element-not-collected.html: Added.
* fast/regions/svg-root-element-collected-expected.txt: Added.
* fast/regions/svg-root-element-collected.html: Added.
2012-01-06 Eric Carlson <eric.carlson@apple.com>
Make TextTrackCue more mutable
.redBox {
width: 50px;
height: 50px;
background-color: red;
}
.greenBox {
width: 50px;
height: 50px;
......
<!doctype html>
<html>
<body>
<p>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=73735">73735</a>: Collect SVG nodes in render flow thread</p>
<p>It should NOT be possible to collect a "svg" node that is not root into a render flow thread.</p>
<p>On success, you should see a green box below.</p>
<div style="width:50px; height:50px; background-color: green;"></div>
</body>
</html>
<!doctype html>
<html>
<head>
<link rel="stylesheet" href="resources/region-style.css">
</head>
<body>
<p>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=73735">73735</a>: Collect SVG nodes in render flow thread</p>
<p>It should NOT be possible to collect a "svg" node that is not root into a render flow thread.</p>
<p>On success, you should see a green box below.</p>
<div class="redBox"></div>
<svg xmlns="http://www.w3.org/2000/svg" style="position: relative; top: -50px; height: 100px;">
<svg style="-webkit-flow-into:thread">
<rect width="50" height="50" fill="green"></rect>
</svg>
</svg>
</body>
</html>
<!doctype html>
<html>
<head>
<link rel="stylesheet" href="resources/region-style.css">
</head>
<body>
<p>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=73735">73735</a>: Collect SVG nodes in render flow thread</p>
<p>It should NOT be possible to collect a svg element (other than svg root element) into a render flow thread.</p>
<p>On success, you should see a green box below.</p>
<div style="width:50px; height:50px; background-color: green;"></div>
</body>
</html>
<!doctype html>
<html>
<head>
<link rel="stylesheet" href="resources/region-style.css">
</head>
<body>
<p>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=73735">73735</a>: Collect SVG nodes in render flow thread</p>
<p>It should NOT be possible to collect a svg element (other than svg root element) into a render flow thread.</p>
<p>On success, you should see a green box below.</p>
<div class="redBox"></div>
<svg xmlns="http://www.w3.org/2000/svg" style="position: relative; top: -50px; height:100px;">
<g style="-webkit-flow-into:thread">
<rect width="50" height="50" fill="green"></rect>
</g>
</svg>
</body>
</html>
Bug 73735: Collect SVG nodes in render flow thread
It should be possible to collect a root "svg" node into a render flow thread.
On success, you should see PASS below.
SVG text
PASS
<!doctype html>
<html>
<head>
<style>
#region {
-webkit-flow-from: thread;
width: 100px;
height: 100px;
}
</style>
</head>
<body>
<p>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=73735">73735</a>: Collect SVG nodes in render flow thread</p>
<p>It should be possible to collect a root "svg" node into a render flow thread.</p>
<p>On success, you should see PASS below.</p>
<svg xmlns="http://www.w3.org/2000/svg" style="-webkit-flow-into:thread">
<text x="0" y="15">SVG text</text>
</svg>
<div id="region"></div>
<script>
if (window.layoutTestController)
window.layoutTestController.dumpAsText();
var regionElement = document.getElementById("region");
var pass = regionElement.innerText.length != 0;
regionElement.style.display = "none";
document.write("<p>" + pass ? "PASS" : "FAIL" + "</p>");
</script>
</body>
</html>
2012-01-06 Mihnea Ovidenie <mihnea@adobe.com>
[CSSRegions]Crash while collecting svg elements in render flow thread.
https://bugs.webkit.org/show_bug.cgi?id=73735
Reviewed by David Hyatt.
Tests: fast/regions/svg-doc-fragment-not-collected-expected.html
fast/regions/svg-doc-fragment-not-collected.html
fast/regions/svg-element-not-collected-expected.html
fast/regions/svg-element-not-collected.html
fast/regions/svg-root-element-collected.html
By allowing only svg root elements to be collected in a render flow thread,
the svg render tree is properly constructed, thus prevented a possible further crash.
* dom/NodeRenderingContext.cpp:
(WebCore::NodeRenderingContext::moveToFlowThreadIfNeeded):
2012-01-06 Eric Carlson <eric.carlson@apple.com>
Make TextTrackCue more mutable
......@@ -36,6 +36,10 @@
#include "ShadowInclusionSelector.h"
#include "ShadowRoot.h"
#if ENABLE(SVG)
#include "SVGNames.h"
#endif
namespace WebCore {
NodeRenderingContext::NodeRenderingContext(Node* node)
......@@ -277,6 +281,13 @@ void NodeRenderingContext::moveToFlowThreadIfNeeded()
if (!m_node->isElementNode() || !m_style || m_style->flowThread().isEmpty())
return;
#if ENABLE(SVG)
// Allow only svg root elements to be directly collected by a render flow thread.
if (m_node->isSVGElement()
&& (!(m_node->hasTagName(SVGNames::svgTag) && m_node->parentNode() && !m_node->parentNode()->isSVGElement())))
return;
#endif
m_flowThread = m_style->flowThread();
ASSERT(m_node->document()->renderView());
m_parentFlowRenderer = m_node->document()->renderView()->ensureRenderFlowThreadWithName(m_flowThread);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment