https://bugs.webkit.org/show_bug.cgi?id=223539
Patch by Frédéric Wang <fwang@igalia.com> on 2021-04-14
Reviewed by Ryosuke Niwa.
Source/WebCore:
For an <svg> element that is a direct child of a <foreignObject>, a RenderSVGRoot is
generally created. However, a RenderSVGViewportContainer is currently created instead if
the element is inside a shadow tree. This is leading to bad state during the layout of
the foreign object, causing a debug assertion and a nullptr crash. This patch fixes this
issue by always treating direct <svg> child of <foreignObject> as an outermost SVG element.
Tests: svg/foreignObject/svg-child-of-foreign-object-in-shadow-tree-crash.html
svg/outermost-svg-root.html
* svg/SVGElement.cpp:
(WebCore::SVGElement::isOutermostSVGSVGElement const): Lower down the priority of the rule
"is in shadow tree".
LayoutTests:
Add regressions tests for the crash and for isOutermostSVGSVGElement().
* svg/foreignObject/svg-child-of-foreign-object-in-shadow-tree-crash-expected.txt: Added.
* svg/foreignObject/svg-child-of-foreign-object-in-shadow-tree-crash.html: Added.
* svg/outermost-svg-root-expected.txt: Added.
* svg/outermost-svg-root.html: Added.
Canonical link: https://commits.webkit.org/236506@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@275944 268f45cc-cd09-0410-ab3c-d52691b4dbfc