Changeset 140049 in webkit

Timestamp:

Jan 17, 2013, 2:51:03 PM (13 years ago)

Author:

schenney@chromium.org

Message:

SVGViewSpec fails when corresponding element has been removed
​https://bugs.webkit.org/show_bug.cgi?id=106957

Reviewed by Dirk Schulze.

Source/WebCore:

When JS holds an SVGViewSpec object while deleting the object that
defines the spec (an SVGSVGElement, or one of a few others) the
pointer to the target is cleared in the SVGViewSpec but the methods
that serve JS queries do not check and try to access the now null
target. This atch fixes the prooblem, throwing JS exceptions where
possible and returning null where necessary.

Test: svg/dom/SVGViewSpec-invalid-ref-crash.html

• svg/SVGViewSpec.cpp:

(WebCore):
(WebCore::SVGViewSpec::viewTarget): Check for null target and throw an exception.
(WebCore::SVGViewSpec::transform): Check for null target and return
null. It is not possible to throw an exception here because it leads
to an invalid cast in the code generated from IDLs.
(WebCore::SVGViewSpec::viewBoxAnimated): Check for null target and throw an exception.
(WebCore::SVGViewSpec::preserveAspectRatioAnimated): Check for null target and throw an exception.
(WebCore::SVGViewSpec::lookupOrCreateViewBoxWrapper): ASSERT non-null target
(WebCore::SVGViewSpec::lookupOrCreatePreserveAspectRatioWrapper): ASSERT non-null target
(WebCore::SVGViewSpec::lookupOrCreateTransformWrapper): ASSERT non-null target

• svg/SVGViewSpec.h:

(SVGViewSpec): Add Exception arguments to getter methods.

• svg/SVGViewSpec.idl: Mark attributes as throwing exceptions.

LayoutTests:

Test for the situation in which the target of an SVGViewSpec is
removed while the view spec lives on in JS.

• svg/dom/SVGViewSpec-invalid-ref-crash-expected.txt: Added.
• svg/dom/SVGViewSpec-invalid-ref-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/svg/dom/SVGViewSpec-invalid-ref-crash-expected.txt (added)
• LayoutTests/svg/dom/SVGViewSpec-invalid-ref-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/svg/SVGViewSpec.cpp (modified) (4 diffs)
• Source/WebCore/svg/SVGViewSpec.h (modified) (3 diffs)
• Source/WebCore/svg/SVGViewSpec.idl (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-01-17  Stephen Chenney  <schenney@chromium.org>
+
+        SVGViewSpec fails when corresponding element has been removed
+        https://bugs.webkit.org/show_bug.cgi?id=106957
+
+        Reviewed by Dirk Schulze.
+
+        Test for the situation in which the target of an SVGViewSpec is
+        removed while the view spec lives on in JS.
+
+        * svg/dom/SVGViewSpec-invalid-ref-crash-expected.txt: Added.
+        * svg/dom/SVGViewSpec-invalid-ref-crash.html: Added.
+
 2013-01-17  Julien Chaffraix  <jchaffraix@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-01-17  Stephen Chenney  <schenney@chromium.org>
+
+        SVGViewSpec fails when corresponding element has been removed
+        https://bugs.webkit.org/show_bug.cgi?id=106957
+
+        Reviewed by Dirk Schulze.
+
+        When JS holds an SVGViewSpec object while deleting the object that
+        defines the spec (an SVGSVGElement, or one of a few others) the
+        pointer to the target is cleared in the SVGViewSpec but the methods
+        that serve JS queries do not check and try to access the now null
+        target. This atch fixes the prooblem, throwing JS exceptions where
+        possible and returning null where necessary.
+
+        Test: svg/dom/SVGViewSpec-invalid-ref-crash.html
+
+        * svg/SVGViewSpec.cpp:
+        (WebCore):
+        (WebCore::SVGViewSpec::viewTarget): Check for null target and throw an exception.
+        (WebCore::SVGViewSpec::transform): Check for null target and return
+        null. It is not possible to throw an exception here because it leads
+        to an invalid cast in the code generated from IDLs.
+        (WebCore::SVGViewSpec::viewBoxAnimated): Check for null target and throw an exception.
+        (WebCore::SVGViewSpec::preserveAspectRatioAnimated): Check for null target and throw an exception.
+        (WebCore::SVGViewSpec::lookupOrCreateViewBoxWrapper): ASSERT non-null target
+        (WebCore::SVGViewSpec::lookupOrCreatePreserveAspectRatioWrapper): ASSERT non-null target
+        (WebCore::SVGViewSpec::lookupOrCreateTransformWrapper): ASSERT non-null target
+        * svg/SVGViewSpec.h:
+        (SVGViewSpec): Add Exception arguments to getter methods.
+        * svg/SVGViewSpec.idl: Mark attributes as throwing exceptions.
+
 2013-01-17  Alec Flett  <alecflett@chromium.org>
 

trunk/Source/WebCore/svg/SVGViewSpec.cpp

@@ -134 +134 @@
 }
 
-void SVGViewSpec::setPreserveAspectRatioString(const String& preserve)
-{
-    SVGPreserveAspectRatio preserveAspectRatio;
-    preserveAspectRatio.parse(preserve);
-    setPreserveAspectRatioBaseValue(preserveAspectRatio);
-}
-
 String SVGViewSpec::preserveAspectRatioString() const
 {
@@ -146 +139 @@
 }
 
-SVGElement* SVGViewSpec::viewTarget() const
+SVGElement* SVGViewSpec::viewTarget(ExceptionCode& ec) const
+{
+    if (!m_contextElement) {
+        ec = INVALID_STATE_ERR;
+        return 0;
+    }
+    return static_cast<SVGElement*>(m_contextElement->treeScope()->getElementById(m_viewTargetString));
+}
+
+SVGTransformListPropertyTearOff* SVGViewSpec::transform()
 {
     if (!m_contextElement)
         return 0;
-    return static_cast<SVGElement*>(m_contextElement->treeScope()->getElementById(m_viewTargetString));
-}
-
-SVGTransformListPropertyTearOff* SVGViewSpec::transform()
-{
     // Return the animVal here, as its readonly by default - which is exactly what we want here.
     return static_cast<SVGTransformListPropertyTearOff*>(static_pointer_cast<SVGAnimatedTransformList>(lookupOrCreateTransformWrapper(this))->animVal());
 }
 
+PassRefPtr<SVGAnimatedRect> SVGViewSpec::viewBoxAnimated(ExceptionCode& ec)
+{
+    if (!m_contextElement) {
+        ec = INVALID_STATE_ERR;
+        return 0;
+    }
+    return static_pointer_cast<SVGAnimatedRect>(lookupOrCreateViewBoxWrapper(this));
+}
+
+PassRefPtr<SVGAnimatedPreserveAspectRatio> SVGViewSpec::preserveAspectRatioAnimated(ExceptionCode& ec)
+{
+    if (!m_contextElement) {
+        ec = INVALID_STATE_ERR;
+        return 0;
+    }
+    return static_pointer_cast<SVGAnimatedPreserveAspectRatio>(lookupOrCreatePreserveAspectRatioWrapper(this));
+}
+
 PassRefPtr<SVGAnimatedProperty> SVGViewSpec::lookupOrCreateViewBoxWrapper(void* maskedOwnerType)
 {
     ASSERT(maskedOwnerType);
     SVGViewSpec* ownerType = static_cast<SVGViewSpec*>(maskedOwnerType);
+    ASSERT(ownerType->contextElement());
     return SVGAnimatedProperty::lookupOrCreateWrapper<SVGElement, SVGAnimatedRect, FloatRect>(ownerType->contextElement(), viewBoxPropertyInfo(), ownerType->m_viewBox);
 }
@@ -170 +186 @@
     ASSERT(maskedOwnerType);
     SVGViewSpec* ownerType = static_cast<SVGViewSpec*>(maskedOwnerType);
+    ASSERT(ownerType->contextElement());
     return SVGAnimatedProperty::lookupOrCreateWrapper<SVGElement, SVGAnimatedPreserveAspectRatio, SVGPreserveAspectRatio>(ownerType->contextElement(), preserveAspectRatioPropertyInfo(), ownerType->m_preserveAspectRatio);
 }
@@ -177 +194 @@
     ASSERT(maskedOwnerType);
     SVGViewSpec* ownerType = static_cast<SVGViewSpec*>(maskedOwnerType);
+    ASSERT(ownerType->contextElement());
     return SVGAnimatedProperty::lookupOrCreateWrapper<SVGElement, SVGAnimatedTransformList, SVGTransformList>(ownerType->contextElement(), transformPropertyInfo(), ownerType->m_transform);
 }

trunk/Source/WebCore/svg/SVGViewSpec.h

@@ -50 +50 @@
     void reset();
 
-    SVGElement* viewTarget() const;
+    SVGElement* viewTarget(ExceptionCode&) const;
     String viewBoxString() const;
 
-    void setPreserveAspectRatioString(const String&);
     String preserveAspectRatioString() const;
 
@@ -75 +74 @@
 
     // Custom animated 'viewBox' property.
-    PassRefPtr<SVGAnimatedRect> viewBoxAnimated()
-    {
-        return static_pointer_cast<SVGAnimatedRect>(lookupOrCreateViewBoxWrapper(this));
-    }
-
+    PassRefPtr<SVGAnimatedRect> viewBoxAnimated(ExceptionCode&);
     FloatRect& viewBox() { return m_viewBox; }
     FloatRect viewBoxBaseValue() const { return m_viewBox; }
@@ -85 +80 @@
 
     // Custom animated 'preserveAspectRatio' property.
-    PassRefPtr<SVGAnimatedPreserveAspectRatio> preserveAspectRatioAnimated()
-    {
-        return static_pointer_cast<SVGAnimatedPreserveAspectRatio>(lookupOrCreatePreserveAspectRatioWrapper(this));
-    }
-
+    PassRefPtr<SVGAnimatedPreserveAspectRatio> preserveAspectRatioAnimated(ExceptionCode&);
     SVGPreserveAspectRatio& preserveAspectRatio() { return m_preserveAspectRatio; }
     SVGPreserveAspectRatio preserveAspectRatioBaseValue() const { return m_preserveAspectRatio; }

trunk/Source/WebCore/svg/SVGViewSpec.idl

@@ -31 +31 @@
 ] interface SVGViewSpec {
       readonly attribute SVGTransformList transform;
-      readonly attribute SVGElement viewTarget;
+      readonly attribute SVGElement viewTarget
+        getter raises(DOMException);
       readonly attribute DOMString viewBoxString;
       readonly attribute DOMString preserveAspectRatioString;
@@ -42 +43 @@
 
       // SVGFitToViewBox
-      readonly attribute SVGAnimatedRect viewBox;
-      readonly attribute SVGAnimatedPreserveAspectRatio preserveAspectRatio;
+      readonly attribute SVGAnimatedRect viewBox
+        getter raises(DOMException);
+      readonly attribute SVGAnimatedPreserveAspectRatio preserveAspectRatio
+        getter raises(DOMException);
 };