[webkit-changes] [128935] trunk/Source/WebKit2

[andersca]

Title: [128935] trunk/Source/WebKit2

Revision

128935

Author

ander...@apple.com

Date

2012-09-18 15:00:19 -0700 (Tue, 18 Sep 2012)

Log Message

Division by zero crash in BackingStore::scroll
https://bugs.webkit.org/show_bug.cgi?id=97046
<rdar://problem/11722564>

Reviewed by Dan Bernstein.

It appears that DrawingAreaImpl::scroll can be called with an empty scroll rect. Do nothing
if that's the case. Also, assert that the scrolling rect in BackingStoreMac is never empty.

* UIProcess/mac/BackingStoreMac.mm:
(WebKit::BackingStore::scroll):
* WebProcess/WebPage/DrawingAreaImpl.cpp:
(WebKit::DrawingAreaImpl::scroll):

Modified Paths

• trunk/Source/WebKit2/ChangeLog
• trunk/Source/WebKit2/UIProcess/mac/BackingStoreMac.mm
• trunk/Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp

Diff

Modified: trunk/Source/WebKit2/ChangeLog (128934 => 128935)

--- trunk/Source/WebKit2/ChangeLog	2012-09-18 21:39:04 UTC (rev 128934)
+++ trunk/Source/WebKit2/ChangeLog	2012-09-18 22:00:19 UTC (rev 128935)
@@ -1,3 +1,19 @@
+2012-09-18  Anders Carlsson  <ander...@apple.com>
+
+        Division by zero crash in BackingStore::scroll
+        https://bugs.webkit.org/show_bug.cgi?id=97046
+        <rdar://problem/11722564>
+
+        Reviewed by Dan Bernstein.
+
+        It appears that DrawingAreaImpl::scroll can be called with an empty scroll rect. Do nothing
+        if that's the case. Also, assert that the scrolling rect in BackingStoreMac is never empty.
+
+        * UIProcess/mac/BackingStoreMac.mm:
+        (WebKit::BackingStore::scroll):
+        * WebProcess/WebPage/DrawingAreaImpl.cpp:
+        (WebKit::DrawingAreaImpl::scroll):
+
 2012-09-18  Bo Liu  <bo...@chromium.org>
 
         Revert 128780, 128676, 128645

Modified: trunk/Source/WebKit2/UIProcess/mac/BackingStoreMac.mm (128934 => 128935)

--- trunk/Source/WebKit2/UIProcess/mac/BackingStoreMac.mm	2012-09-18 21:39:04 UTC (rev 128934)
+++ trunk/Source/WebKit2/UIProcess/mac/BackingStoreMac.mm	2012-09-18 22:00:19 UTC (rev 128935)
@@ -214,6 +214,8 @@
     if (scrollOffset.isZero())
         return;
 
+    ASSERT(!scrollRect.isEmpty());
+
     if (!m_scrolledRect.isEmpty() && m_scrolledRect != scrollRect)
         resetScrolledRect();
 

Modified: trunk/Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp (128934 => 128935)

--- trunk/Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp	2012-09-18 21:39:04 UTC (rev 128934)
+++ trunk/Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp	2012-09-18 22:00:19 UTC (rev 128935)
@@ -117,6 +117,9 @@
     if (m_webPage->mainFrameHasCustomRepresentation())
         return;
 
+    if (scrollRect.isEmpty())
+        return;
+
     if (!m_scrollRect.isEmpty() && scrollRect != m_scrollRect) {
         unsigned scrollArea = scrollRect.width() * scrollRect.height();
         unsigned currentScrollArea = m_scrollRect.width() * m_scrollRect.height();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes