Commit 7c23a12a authored by George Steel, committed by Commit Bot

Fix relative lengths teardown in SVGElement::RemoveFrom.

Fix of https://chromium-review.googlesource.com/c/chromium/src/+/1986325
due to ClusterFuzz DCHECK failure (flaky).

SVGElement::RemovedFrom was not tearing down
elements_with_relative_lengths_ correctly when those references
crossed a shadow root.

Downgrade the SECURITY_DCHECK on the relative lengths list to a regular
DCHECK as it was preventing dangling pointers to Elements in the
pre-oilpan days and is no longer protecting against any kind of
security issue (the pointers are now WeakMembers).

Bug: 1043184
Change-Id: I0ba614a0217dea4df80a743b0628f7fe94117cd8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2008624
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Commit-Queue: George Steel <gtsteel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#734067}
parent 4526ff71
......@@ -310,13 +310,16 @@ Node::InsertionNotificationRequest SVGElement::InsertedInto(
void SVGElement::RemovedFrom(ContainerNode& root_parent) {
bool was_in_document = root_parent.isConnected();
auto* root_parent_svg_element = DynamicTo<SVGElement>(root_parent);
auto* root_parent_svg_element = DynamicTo<SVGElement>(
root_parent.IsShadowRoot() ? root_parent.ParentOrShadowHostElement()
: &root_parent);
if (was_in_document && HasRelativeLengths()) {
// The root of the subtree being removed should take itself out from its
// parent's relative length set. For the other nodes in the subtree we don't
// need to do anything: they will get their own removedFrom() notification
// and just clear their sets.
if (root_parent_svg_element && !parentNode()) {
if (root_parent_svg_element && !ParentOrShadowHostElement()) {
DCHECK(root_parent_svg_element->elements_with_relative_lengths_.Contains(
this));
root_parent_svg_element->UpdateRelativeLengthsInformation(false, this);
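Review bot: The block comment above the `if (root_parent_svg_element && !ParentOrShadowHostElement())` check still says the removed root takes itself out of "its parent's relative length set", which does not describe the case this change handles: when `root_parent.IsShadowRoot()` is true, the set being updated belongs to the element returned by `root_parent.ParentOrShadowHostElement()`. Extend the comment to name the shadow-host case so the lookup on `root_parent` and the `!ParentOrShadowHostElement()` test on `this` are read as a pair. The hunks shown here also carry no regression test for a relative-length reference that crosses a shadow root, which the commit message gives as the failing case; adding one would keep a flaky DCHECK from being the only signal if this regresses.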
......@@ -325,7 +328,7 @@ void SVGElement::RemovedFrom(ContainerNode& root_parent) {
elements_with_relative_lengths_.clear();
}
SECURITY_DCHECK(
DCHECK(
!root_parent_svg_element ||
!root_parent_svg_element->elements_with_relative_lengths_.Contains(this));
......
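Review bot: The reason the final assertion in `RemovedFrom` no longer needs `SECURITY_DCHECK` is stated only in the commit message (the entries are now WeakMembers), not at the `DCHECK(` itself. Add a one-line comment above the `DCHECK` saying that `elements_with_relative_lengths_` holds WeakMembers, so a stale entry here is a bookkeeping error rather than a dangling pointer; otherwise a later reader has no way to tell from the code why the weaker assertion is sufficient.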