Changeset 179597 in webkit


Timestamp:
Feb 3, 2015 11:01:23 PM (9 years ago)
Author:
mjs@apple.com
Message:

Crash when printing snapshotted plugins
https://bugs.webkit.org/show_bug.cgi?id=141212

Reviewed by Simon Fraser.

Source/WebCore:

Test: plugins/snapshotting/print-snapshotted-plugin.html

  • html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::childShouldCreateRenderer): New
method. If the current renderer is a snapshotted plugin, only
allow children to create renderers if they are part of the
snapshot shadow dom. Otherwise RenderEmbeddedObject invariants
will be violated. This DOM class can have many other renderers, but they
can just follow their own rules.
(WebCore::HTMLPlugInImageElement::partOfSnapshotOverlay): Make this
const-correct, and don't create UA shadow DOM as a side effect if it doesn't
already exist.

  • html/HTMLPlugInImageElement.h:

LayoutTests:

This test would crash without the fix due to a bad cast to RenderBox. <object>
is not prepared to have rendered inline children when rendering a plugin.

  • plugins/snapshotting/print-snapshotted-plugin-expected.txt: Added.
  • plugins/snapshotting/print-snapshotted-plugin.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r179595 r179597  
     12015-02-03  Maciej Stachowiak  <mjs@apple.com>
     2
     3        Crash when printing snapshotted plugins
     4        https://bugs.webkit.org/show_bug.cgi?id=141212
     5
     6        Reviewed by Simon Fraser.
     7
     8        This test would crash without the fix due to a bad cast to RenderBox. <object>
     9        is not prepared to have rendered inline children when rendering a plugin.
     10       
     11        * plugins/snapshotting/print-snapshotted-plugin-expected.txt: Added.
     12        * plugins/snapshotting/print-snapshotted-plugin.html: Added.
     13
    1142015-02-03  Brent Fulgham  <bfulgham@apple.com>
    215
  • trunk/Source/WebCore/ChangeLog

    r179593 r179597  
     12015-02-03  Maciej Stachowiak  <mjs@apple.com>
     2
     3        Crash when printing snapshotted plugins
     4        https://bugs.webkit.org/show_bug.cgi?id=141212
     5
     6        Reviewed by Simon Fraser.
     7
     8        Test: plugins/snapshotting/print-snapshotted-plugin.html
     9
     10        * html/HTMLPlugInImageElement.cpp:
     11        (WebCore::HTMLPlugInImageElement::childShouldCreateRenderer): New
     12        method. If the current renderer is a snapshotted plugin, only
     13        allow children to create renderers if they are part of the
     14        snapshot shadow dom. Otherwise RenderEmbeddedObject invariants
     15        will be violated. This DOM class can have many other renderers, but they
     16        can just follow their own rules.
     17        (WebCore::HTMLPlugInImageElement::partOfSnapshotOverlay): Make this
     18        const-correct, and don't create UA shadow DOM as a side effect if it doesn't
     19        already exist.
     20        * html/HTMLPlugInImageElement.h:
     21
    1222015-02-03  Chris Dumez  <cdumez@apple.com>
    223
  • trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp

    r177733 r179597  
    222222}
    223223
     224bool HTMLPlugInImageElement::childShouldCreateRenderer(const Node& child) const
     225{
     226    if (is<RenderSnapshottedPlugIn>(renderer()) && !partOfSnapshotOverlay(&child))
     227        return false;
     228
     229    return HTMLPlugInElement::childShouldCreateRenderer(child);
     230}
     231
    224232bool HTMLPlugInImageElement::willRecalcStyle(Style::Change change)
    225233{
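Review bot: The early `return false` at new lines 226-227 has no comment, and the reason for it (a snapshotted plugin's RenderEmbeddedObject cannot take rendered children outside the snapshot overlay, which is what led to the bad cast to RenderBox) is recorded only in the ChangeLog. A short comment above the `if` stating that invariant would keep a later change from relaxing the check. Separately, `partOfSnapshotOverlay` runs a `querySelector` for `.snapshot-overlay` on every call, so this path now repeats that lookup once per child; worth confirming that cost is acceptable here.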
     
    397405}
    398406
    399 bool HTMLPlugInImageElement::partOfSnapshotOverlay(Node* node)
     407bool HTMLPlugInImageElement::partOfSnapshotOverlay(const Node* node) const
    400408{
    401409    DEPRECATED_DEFINE_STATIC_LOCAL(AtomicString, selector, (".snapshot-overlay", AtomicString::ConstructFromLiteral));
    402     RefPtr<Element> snapshotLabel = ensureUserAgentShadowRoot().querySelector(selector, ASSERT_NO_EXCEPTION);
     410    ShadowRoot* shadow = userAgentShadowRoot();
     411    if (!shadow)
     412        return false;
     413    RefPtr<Element> snapshotLabel = shadow->querySelector(selector, ASSERT_NO_EXCEPTION);
    403414    return node && snapshotLabel && (node == snapshotLabel.get() || node->isDescendantOf(snapshotLabel.get()));
    404415}
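Review bot: The `node` null check still sits only in the final `return` at new line 414, after `shadow->querySelector(...)` has already run. Consider returning early on `!node` before the lookup, or taking `const Node&` if the other callers allow it, since the new caller passes `&child`. Also worth confirming as intended: with the new `if (!shadow) return false;`, a snapshotted plugin that has no user-agent shadow root yet reports every child as outside the overlay, so `childShouldCreateRenderer` refuses all of them.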
  • trunk/Source/WebCore/html/HTMLPlugInImageElement.h

    r177259 r179597  
    7878
    7979    WEBCORE_EXPORT void setIsPrimarySnapshottedPlugIn(bool);
    80     bool partOfSnapshotOverlay(Node*);
     80    bool partOfSnapshotOverlay(const Node*) const;
    8181
    8282    bool needsCheckForSizeChange() const { return m_needsCheckForSizeChange; }
     
    119119
    120120    virtual RenderPtr<RenderElement> createElementRenderer(Ref<RenderStyle>&&) override;
     121    virtual bool childShouldCreateRenderer(const Node&) const override;
    121122    virtual bool willRecalcStyle(Style::Change) override final;
    122123    virtual void didAttachRenderers() override final;