RESOLVED FIXED 205217
Nullptr crash if SVG element if element parent becomes document node 
https://bugs.webkit.org/show_bug.cgi?id=205217
Summary Nullptr crash if SVG element if element parent becomes document node
Sunny He
Reported 2019-12-13 13:40:59 PST
Add appropriate null checking to ensure that we don't crash in certain edge cases if an SVG element's parent is set to document. Crash if the element has a transform: rdar://49890457 Crash if the element is an SVG <text> rdar://57075206
Attachments
Patch (4.45 KB, patch)
2019-12-13 13:50 PST, Sunny He 		no flags
DetailsFormatted DiffDiff
Patch (5.17 KB, patch)
2019-12-13 15:02 PST, Sunny He 		no flags
DetailsFormatted DiffDiff
Patch (3.18 KB, patch)
2019-12-13 18:34 PST, Sunny He 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Sunny He
Comment 1 2019-12-13 13:50:39 PST
Created attachment 385640 [details] Patch
Darin Adler
Comment 2 2019-12-13 13:55:03 PST
Comment on attachment 385640 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385640&action=review > Source/WebCore/rendering/svg/RenderSVGText.cpp:375 > - } else if (m_needsTextMetricsUpdate || SVGRenderSupport::findTreeRootObject(*this)->isLayoutSizeChanged()) { > + } else if (m_needsTextMetricsUpdate || (SVGRenderSupport::findTreeRootObject(*this) && SVGRenderSupport::findTreeRootObject(*this)->isLayoutSizeChanged())) { The word "find" in the function name here is supposed to be a hint that the operation is nontrivial, so I suggest we restructure slightly so we can use a local variable and don’t need to call the function twice. Or rename the function if "find" is a guaranteed-inexpensive operation.
Sunny He
Comment 3 2019-12-13 15:02:57 PST
Created attachment 385646 [details] Patch
Darin Adler
Comment 4 2019-12-13 17:39:21 PST
Comment on attachment 385646 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385646&action=review > Source/WebCore/rendering/svg/RenderSVGText.cpp:377 > + } else if (m_needsTextMetricsUpdate) { > + RenderSVGRoot* rootObj = SVGRenderSupport::findTreeRootObject(*this); > + if (rootObj && rootObj->isLayoutSizeChanged()) { This implements &&, but in the old code it was ||.
Sunny He
Comment 5 2019-12-13 18:34:16 PST
Created attachment 385667 [details] Patch
Ryosuke Niwa
Comment 6 2019-12-13 21:53:13 PST
Comment on attachment 385667 [details] Patch Looks sane to me.
WebKit Commit Bot
Comment 7 2019-12-13 22:37:39 PST
Comment on attachment 385667 [details] Patch Clearing flags on attachment: 385667 Committed r253521: <https://trac.webkit.org/changeset/253521>
WebKit Commit Bot
Comment 8 2019-12-13 22:37:41 PST
All reviewed patches have been landed. Closing bug.
Said Abou-Hallawa
Comment 9 2019-12-16 09:14:30 PST
Comment on attachment 385667 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385667&action=review > Source/WebCore/ChangeLog:8 > + Test: svg/dom/replaceChild-document-crash.html Where is this test? I do not see it in this patch. It also did not land in r253521.
Sunny He
Comment 10 2019-12-16 10:25:59 PST
(In reply to Said Abou-Hallawa from comment #9) > Comment on attachment 385667 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=385667&action=review > > > Source/WebCore/ChangeLog:8 > > + Test: svg/dom/replaceChild-document-crash.html > > Where is this test? I do not see it in this patch. It also did not land in > r253521. Strange, my local git commit shows that file, but it's missing from the uploaded patch. Created new bug 205282 to track getting these tests in.
Ryosuke Niwa
Comment 11 2020-02-04 19:55:32 PST
*** Bug 207030 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.