Title: [227697] trunk/Source/WebCore
- Revision: 227697
- Author: [email protected]
- Date: 2018-01-26 14:36:39 -0800 (Fri, 26 Jan 2018)
Log Message
REGRESSION (r226492): Crash under Element::absoluteEventBounds() on a SVGPathElement which has not been laid out yet
https://bugs.webkit.org/show_bug.cgi?id=182185
rdar://problem/36836262
Reviewed by Zalan Bujtas.
Document::absoluteRegionForEventTargets() can fire when layout is dirty, and SVGPathElement's path() can be null if it
hasn't been laid out yet. So protect against a null path in getBBox().
Not easily testable because internals.nonFastScrollableRects() forces layout, and the crash depends on the timing of
absoluteRegionForEventTargets().
* svg/SVGPathElement.cpp:
(WebCore::SVGPathElement::getBBox):
Diff
Modified: trunk/Source/WebCore/ChangeLog (227696 => 227697)
--- trunk/Source/WebCore/ChangeLog 2018-01-26 22:11:06 UTC (rev 227696)
+++ trunk/Source/WebCore/ChangeLog 2018-01-26 22:36:39 UTC (rev 227697)
@@ -1,3 +1,20 @@
+2018-01-26 Simon Fraser <[email protected]>
+
+ REGRESSiON (r226492): Crash under Element::absoluteEventBounds() on a SVGPathElement which has not been laid out yet
+ https://bugs.webkit.org/show_bug.cgi?id=182185
+ rdar://problem/36836262
+
+ Reviewed by Zalan Bujtas.
+
+ Document::absoluteRegionForEventTargets() can fire when layout is dirty, and SVGPathElement's path() can be null if it
+ hasn't been laid out yet. So protect against a null path in getBBox().
+
+ Not easily testable because internals.nonFastScrollableRects() forces layout, and the crash depends on the timing of
+ absoluteRegionForEventTargets().
+
+ * svg/SVGPathElement.cpp:
+ (WebCore::SVGPathElement::getBBox):
+
2018-01-26 Chris Dumez <[email protected]>
Offlined content does not work for apps on home screen
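Review bot: the title line of the added entry spells "REGRESSiON" with a lowercase "i", so a case-sensitive search for "REGRESSION (r226492)" will not find it; correct the spelling. The entry also records that no test is added because internals.nonFastScrollableRects() forces layout. It would help to state how the crash was reproduced so the fix can be re-verified later.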
Modified: trunk/Source/WebCore/svg/SVGPathElement.cpp (227696 => 227697)
--- trunk/Source/WebCore/svg/SVGPathElement.cpp 2018-01-26 22:11:06 UTC (rev 227696)
+++ trunk/Source/WebCore/svg/SVGPathElement.cpp 2018-01-26 22:36:39 UTC (rev 227697)
@@ -420,8 +420,10 @@
RenderSVGPath* renderer = downcast<RenderSVGPath>(this->renderer());
// FIXME: Eventually we should support getBBox for detached elements.
- if (!renderer)
- return FloatRect();
+ // FIXME: If the path is null it means we're calling getBBox() before laying out this element,
+ // which is an error.
+ if (!renderer || !renderer->hasPath())
+ return { };
return renderer->path().boundingRect();
}
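Review bot: the new FIXME above `if (!renderer || !renderer->hasPath())` calls a pre-layout getBBox() an error, yet the check returns an empty rect silently, so a caller cannot tell "not laid out yet" from a path whose bounds really are empty. The ChangeLog names Document::absoluteRegionForEventTargets() as the caller that runs while layout is dirty. Name that caller (or the bug URL) in the comment so the FIXME is actionable, and confirm the event region is recomputed after layout so the empty bounds returned here do not persist.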