Bug 1611848 - Properly suppress shadow dom / display: contents inside svg text. r=heycam
author Emilio Cobos Álvarez <emilio@crisal.io>
Thu, 26 Mar 2020 00:06:53 +0000
changeset 520486 02c284defc4d5f8d9ed1c7c8363becdd93f4b291
parent 520485 e3fe601c9f615fadf19f416f84c16f417c07ccb7
child 520487 c6da88c617db64498e4bb6aa2ccd75a14d31b865
push id 37252
push user malexandru@mozilla.com
push date Thu, 26 Mar 2020 15:34:27 +0000
treeherder mozilla-central@31360ced8ff8
reviewers heycam
bugs 1611848
milestone 76.0a1
Bug 1611848 - Properly suppress shadow dom / display: contents inside svg text. r=heycam

Returning null from FindSVGData just means "fall back to whatever display specifies", and that's not great.

Differential Revision: https://phabricator.services.mozilla.com/D67706

layout/base/nsCSSFrameConstructor.cpp
testing/web-platform/tests/svg/text/reftests/text-display-contents-crash.html
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -4977,17 +4977,17 @@ nsCSSFrameConstructor::FindSVGData(const
   if (aIsWithinSVGText) {
     // If aIsWithinSVGText is true, then we know that the "SVG text uses
     // CSS frames" pref was true when this SVG fragment was first constructed.
     //
     // FIXME(bug 1588477) Don't render stuff in display: contents / Shadow DOM
     // subtrees, because TextCorrespondenceRecorder in the SVG text code doesn't
     // really know how to deal with it. This kinda sucks. :(
     if (aParentFrame && aParentFrame->GetContent() != aElement.GetParent()) {
-      return nullptr;
+      return &sSuppressData;
     }
 
     // We don't use ConstructInline because we want different behavior
     // for generated content.
     static const FrameConstructionData sTSpanData = FCDATA_DECL(
         FCDATA_DISALLOW_OUT_OF_FLOW | FCDATA_SKIP_ABSPOS_PUSH |
             FCDATA_DISALLOW_GENERATED_CONTENT | FCDATA_IS_LINE_PARTICIPANT |
             FCDATA_IS_INLINE | FCDATA_USE_CHILD_ITEMS,
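Review bot: at the changed `return &sSuppressData;` inside the `aParentFrame->GetContent() != aElement.GetParent()` branch, the FIXME above only says "Don't render stuff" and does not record why `nullptr` is the wrong return value here. The commit message explains that returning null makes construction fall back to whatever display specifies; a one-line comment to that effect next to the return would keep a later cleanup from reverting it to `return nullptr;`. Separately, the check is skipped whenever `aParentFrame` is null, so that case still falls through to the code below; if that is intended, it deserves a word in the comment as well.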
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/svg/text/reftests/text-display-contents-crash.html
@@ -0,0 +1,25 @@
+<!doctype html>
+<title>Crash with dynamic creation of absolutely positioned element under display: contents in svg:text.</title>
+<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1611848">
+<style>
+* {
+  position: absolute;
+}
+</style>
+<script>
+  function start () {
+    const text = document.getElementById('text')
+
+    const div = document.createElementNS('http://www.w3.org/1999/xhtml', 'div')
+    div.style.display = "contents";
+
+    const another = document.createElementNS('http://www.w3.org/2000/svg', 'whatevs')
+    text.appendChild(div);
+    document.documentElement.getBoundingClientRect();
+    div.appendChild(another);
+  }
+
+  document.addEventListener('DOMContentLoaded', start)
+</script>
+<svg>
+    <text id='text'>
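Review bot: in `start()`, the `document.documentElement.getBoundingClientRect();` call between `text.appendChild(div)` and `div.appendChild(another)` appears to exist only to flush layout before the second append, but nothing in the file says so. Add a comment on that line stating that the flush is required to hit the dynamic-insertion path, so it is not later removed as dead code. The `<title>` mentions an absolutely positioned element, and the only source of that is the `* { position: absolute; }` rule; a short comment tying the two together would help. The markup also ends with `<svg>` and `<text id='text'>` left unclosed; closing them explicitly would make the intended DOM unambiguous.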