Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f0569fd3c773e9d49e11e6da35b341beb0871068
      
https://github.com/WebKit/WebKit/commit/f0569fd3c773e9d49e11e6da35b341beb0871068
  Author: Richard Robinson <[email protected]>
  Date:   2026-05-04 (Mon, 04 May 2026)

  Changed paths:
    A LayoutTests/fast/frames/hit-test-into-iframe-under-transformed-ancestor-expected.txt
    A LayoutTests/fast/frames/hit-test-into-iframe-under-transformed-ancestor.html
    M Source/WebCore/rendering/HitTestLocation.cpp
    M Source/WebCore/rendering/HitTestLocation.h
    M Source/WebCore/rendering/RenderLayer.cpp
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  [AppKit Gestures] Occasional debug assertion crash when clicking in a PDF in an iframe
https://bugs.webkit.org/show_bug.cgi?id=313952
rdar://176157296

Reviewed by Simon Fraser.

296407@main changed the `else` branch of `RenderLayer::hitTestLayerByApplyingTransform` to construct the transformed `HitTestLocation` from an inverse-mapped quad via `HitTestLocation(FloatPoint, FloatQuad)`, so that a 1x1 screen-space query through a transformed layer is not scaled up into the local coordinate space (e.g. `transform: scale(100)` no longer yields a 100x100 effective hit area).

Unfortunately the only 2-argument constructor that accepts a quad unconditionally sets `m_isRectBased = true`. That changed the meaning of the post-transform location from "same point, just mapped" to "rect-based hit test", even when the caller never asked for a rect-based test and therefore did not pass `HitTestRequest::Type::CollectMultipleElements`. Callers like `EventHandler::hitTestResultAtPoint` (used for `nodeRespondingToClickEvents`) start a point-based hit test with `AllowVisibleChildFrameContentOnly` (or `AllowChildFrameContent`) set but *not* `CollectMultipleElements`. Once the hit test descends through a transformed ancestor, the `HitTestLocation` picked up `m_isRectBased = true`; the rect-based flag was then propagated across the iframe boundary by `RenderWidget::nodeAtPoint` via the copy-with-offset constructor (which mirrors `m_isRectBased` from its source), and the assertion

```
ASSERT(!result.isRectBasedTest() || request.resultIsElementList());
```

in `RenderLayer::hitTestList` (and the matching assert in `HitTestResult::addNodeToListBasedTestResultCommon`) fires as soon as the subframe's layer tree has any child layers for `hitTestList` to iterate over. This reliably reproduces on a PDF hosted in an iframe that sits under a transformed ancestor.

Fix by giving `HitTestLocation` a new constructor parameter to allow callers to explicitly set the rect-basedness, and use it from the `else` branch of `hitTestLayerByApplyingTransform` so point-based hit tests remain point-based through transforms while still using the inverse-mapped quad for intersection accuracy. (The `if` branch (caller-initiated rect-based test) is left alone.)

Test: fast/frames/hit-test-into-iframe-under-transformed-ancestor.html

* LayoutTests/fast/frames/hit-test-into-iframe-under-transformed-ancestor-expected.txt: Added.
* LayoutTests/fast/frames/hit-test-into-iframe-under-transformed-ancestor.html: Added.
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::nodeFromPointIncludingChildFrames const):
* Source/WebCore/testing/Internals.h:
* Source/WebCore/testing/Internals.idl:

Add a test helper that issues the same point-based, child-frame-descending hit test (ReadOnly | Active | DisallowUserAgentShadowContent | AllowChildFrameContent, no CollectMultipleElements) used by the reproducible path.

* Source/WebCore/rendering/HitTestLocation.cpp:
(WebCore::HitTestLocation::HitTestLocation):
* Source/WebCore/rendering/HitTestLocation.h:
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::hitTestLayerByApplyingTransform):

Pass `RectBased::No` in the `else` branch so a point-based hit test stays point-based after being mapped through an ancestor transform, while still retaining the inverse-transformed bounding quad for intersection accuracy.

Canonical link: https://commits.webkit.org/312538@main
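The flag leak the commit message describes, as an added example that is not WebKit's code: a cut-down C++ mock of `HitTestLocation` with the unconditionally rect-based quad constructor, a three-argument constructor taking an explicit `RectBased`, and the copy-with-offset constructor that mirrors `m_isRectBased` across the iframe boundary. The class and member names follow the commit message; the `RectBased` enum spelling, the uniform `scale(100)` transform, the iframe offset, the click coordinates and the `HitTestRequest` fields are assumptions made for the example. `clickThroughTransformedIframe(false)` models the pre-fix `else` branch and violates the `hitTestList` invariant; `clickThroughTransformedIframe(true)` models the patched branch and does not, while the inverse-mapped local quad stays at 1/100 of a pixel rather than growing to 100x100.

```cpp
// Added illustrative mock (not WebCore code). Names mirror the commit message;
// geometry is reduced to a uniform scale so the example runs stand-alone.
#include <cassert>
#include <iostream>

enum class RectBased { No, Yes };  // assumed spelling of the new parameter

struct FloatPoint { float x = 0; float y = 0; };
struct FloatQuad { FloatPoint p[4]; };

// Only the request bits the commit message talks about are modelled.
struct HitTestRequest {
    bool collectMultipleElements = false; // HitTestRequest::Type::CollectMultipleElements
    bool allowChildFrameContent = true;   // AllowChildFrameContent
    bool resultIsElementList() const { return collectMultipleElements; }
};

class HitTestLocation {
public:
    explicit HitTestLocation(FloatPoint point) : m_point(point) {}

    // The two-argument quad constructor: unconditionally rect-based, which is
    // the behaviour the commit message identifies as the source of the bug.
    HitTestLocation(FloatPoint point, FloatQuad quad)
        : m_point(point), m_quad(quad), m_isRectBased(true) {}

    // Assumed shape of the new constructor: the caller states rect-basedness.
    HitTestLocation(FloatPoint point, FloatQuad quad, RectBased rectBased)
        : m_point(point), m_quad(quad), m_isRectBased(rectBased == RectBased::Yes) {}

    // Copy-with-offset constructor, as used when descending into a child frame;
    // it mirrors m_isRectBased from its source, so a stray flag leaks across.
    HitTestLocation(const HitTestLocation& other, FloatPoint offset)
        : m_point { other.m_point.x + offset.x, other.m_point.y + offset.y }
        , m_quad(other.m_quad), m_isRectBased(other.m_isRectBased) {}

    bool isRectBasedTest() const { return m_isRectBased; }
    FloatPoint point() const { return m_point; }
    float quadWidth() const { return m_quad.p[1].x - m_quad.p[0].x; }

private:
    FloatPoint m_point;
    FloatQuad m_quad {};
    bool m_isRectBased = false;
};

// Inverse-map a 1x1 screen-space query through `transform: scale(s)`: the
// local-space quad shrinks to (1/s) x (1/s) instead of growing to s x s.
static FloatQuad inverseMappedUnitQuad(FloatPoint local, float scale)
{
    const float w = 1.0f / scale;
    return { { { local.x, local.y }, { local.x + w, local.y },
               { local.x + w, local.y + w }, { local.x, local.y + w } } };
}

// Stand-in for the `else` branch of RenderLayer::hitTestLayerByApplyingTransform.
// `fixed` selects the post-patch behaviour (explicit RectBased::No).
static HitTestLocation mapThroughScale(const HitTestLocation& loc, float scale, bool fixed)
{
    FloatPoint local { loc.point().x / scale, loc.point().y / scale };
    FloatQuad quad = inverseMappedUnitQuad(local, scale);
    if (fixed)
        return HitTestLocation(local, quad, RectBased::No);
    return HitTestLocation(local, quad); // pre-fix: silently becomes rect-based
}

// The invariant asserted in RenderLayer::hitTestList.
static bool hitTestListInvariant(const HitTestLocation& loc, const HitTestRequest& request)
{
    return !loc.isRectBasedTest() || request.resultIsElementList();
}

// A point-based click (no CollectMultipleElements) through scale(100) into an
// iframe offset by (-10, -10) (constructed values). True when the assert holds.
bool clickThroughTransformedIframe(bool fixed)
{
    HitTestRequest request; // point-based, AllowChildFrameContent only
    HitTestLocation screen(FloatPoint { 50, 50 });
    HitTestLocation local = mapThroughScale(screen, 100.0f, fixed);
    HitTestLocation inSubframe(local, FloatPoint { -10, -10 });
    return hitTestListInvariant(inSubframe, request);
}

// Local-space width of the inverse-mapped hit area (1/scale).
float localHitAreaWidth(float scale)
{
    return mapThroughScale(HitTestLocation(FloatPoint { 50, 50 }), scale, true).quadWidth();
}

int main()
{
    std::cout << "pre-fix invariant holds:  " << clickThroughTransformedIframe(false) << '\n';
    std::cout << "post-fix invariant holds: " << clickThroughTransformedIframe(true) << '\n';
    std::cout << "local hit area width at scale(100): " << localHitAreaWidth(100.0f) << '\n';
    return 0;
}
```

The point the mock makes explicit is that rect-basedness is a property of the request, not of how the location was mapped: once the flag is carried by the location object and copied across frame boundaries, a constructor that sets it as a side effect of accepting a quad breaks the `!isRectBasedTest() || resultIsElementList()` invariant for every point-based caller downstream.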


