Context Navigation

← Previous Changeset
Next Changeset →

Changeset 244276 in webkit

Timestamp:

Apr 15, 2019 11:54:21 AM (5 years ago)

Author:

Said Abou-Hallawa

Message:

ASSERT fires when removing a disallowed clone from the shadow tree without reseting its corresponding element
https://bugs.webkit.org/show_bug.cgi?id=196895

Reviewed by Darin Adler.

Source/WebCore:

When cloning elements to the shadow tree of an SVGUseElement, the
corresponding element links are set from the clones to the originals.
Later some of the elements may be disallowed to exist in the shadow tree.
For example the SVGPatternElement is disallowed and has to be removed
even after cloning. The problem is the corresponding elements are not
reset to null. Usually this is not a problem because the removed elements
will be deleted and the destructor of SVGElement will reset the corresponding
element links. However in some cases, the cloned element is referenced
from another SVGElement, for example the target of a SVGTRefElement. In
this case the clone won't be deleted but it will be linked to the original
and the event listeners won't be copied from the original. When the
original is deleted, its event listeners have to be removed. The event
listeners of the clones also ave to be removed. But because the event
listeners of the original were not copied when cloning, the assertion in
SVGElement::removeEventListener() fires.

Test: svg/custom/use-disallowed-element-clear-corresponding-element.html

svg/SVGUseElement.cpp:

(WebCore::disassociateAndRemoveClones):

LayoutTests:

svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt: Added.
svg/custom/use-disallowed-element-clear-corresponding-element.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt (added)
LayoutTests/svg/custom/use-disallowed-element-clear-corresponding-element.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/svg/SVGUseElement.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r244269
+                      r244276
+-04-15  Said Abou-Hallawa  <said@apple.com>
+        ASSERT fires when removing a disallowed clone from the shadow tree without reseting its corresponding element
+        https://bugs.webkit.org/show_bug.cgi?id=196895
+        Reviewed by Darin Adler.
+        * svg/custom/use-disallowed-element-clear-corresponding-element-expected.txt: Added.
+        * svg/custom/use-disallowed-element-clear-corresponding-element.html: Added.
 -04-15  Devin Rousso  <drousso@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r244269
+                      r244276
+-04-15  Said Abou-Hallawa  <said@apple.com>
+        ASSERT fires when removing a disallowed clone from the shadow tree without reseting its corresponding element
+        https://bugs.webkit.org/show_bug.cgi?id=196895
+        Reviewed by Darin Adler.
+        When cloning elements to the shadow tree of an SVGUseElement, the
+        corresponding element links are set from the clones to the originals.
+        Later some of the elements may be disallowed to exist in the shadow tree.
+        For example the SVGPatternElement is disallowed and has to be removed
+        even after cloning. The problem is the corresponding elements are not
+        reset to null. Usually this is not a problem because the removed elements
+        will be deleted and the destructor of SVGElement will reset the corresponding
+        element links. However in some cases, the cloned element is referenced
+        from another SVGElement, for example the target of a SVGTRefElement. In
+        this case the clone won't be deleted but it will be linked to the original
+        and the event listeners won't be copied from the original. When the
+        original is deleted, its event listeners have to be removed. The event
+        listeners of the clones also ave to be removed. But because the event
+        listeners of the original were not copied when cloning, the assertion in
+        SVGElement::removeEventListener() fires.
+        Test: svg/custom/use-disallowed-element-clear-corresponding-element.html
+        * svg/SVGUseElement.cpp:
+        (WebCore::disassociateAndRemoveClones):
 -04-15  Devin Rousso  <drousso@apple.com>

trunk/Source/WebCore/svg/SVGUseElement.cpp

r243515	r244276
322	322	for (auto& descendant : descendantsOfType<SVGElement>(*clone))
323	323	descendant.setCorrespondingElement(nullptr);
	324	if (is<SVGElement>(clone))
	325	downcast<SVGElement>(*clone).setCorrespondingElement(nullptr);
324	326	clone->parentNode()->removeChild(*clone);
325	327	}

Note: See TracChangeset for help on using the changeset viewer.