Skip to site navigation (Press enter)

[webkit-changes] [191575] releases/WebKitGTK/webkit-2.10/Source/WebCore

carlosgc Mon, 26 Oct 2015 01:57:07 -0700

Title: [191575] releases/WebKitGTK/webkit-2.10/Source/WebCore

Revision: 191575
Author: [email protected]
Date: 2015-10-26 01:56:21 -0700 (Mon, 26 Oct 2015)

Log Message

Merge r191525 - Avoid SVG-induced layouts inside Element::absoluteEventBounds()
https://bugs.webkit.org/show_bug.cgi?id=150516


Reviewed by Zalan Bujtas.

Speculative fix for a crash under RenderObject::localToContainerQuad() when
computing the wheel event handler region, which uses Element::absoluteEventHandlerBounds().
Element::absoluteEventBounds() was calling SVGElement::getBoundingBox() in a way
that could trigger a layout.

* dom/Element.cpp:
(WebCore::Element::absoluteEventBounds):

Modified Paths

releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog
releases/WebKitGTK/webkit-2.10/Source/WebCore/dom/Element.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (191574 => 191575)


--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog	2015-10-26 08:54:29 UTC (rev 191574)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog	2015-10-26 08:56:21 UTC (rev 191575)
@@ -1,5 +1,20 @@
 2015-10-23  Simon Fraser  <[email protected]>
 
+        Avoid SVG-induced layouts inside Element::absoluteEventBounds()
+        https://bugs.webkit.org/show_bug.cgi?id=150516
+
+        Reviewed by Zalan Bujtas.
+
+        Speculative fix for a crash under RenderObject::localToContainerQuad() when
+        computing the wheel event handler region, which uses Element::absoluteEventHandlerBounds().
+        Element::absoluteEventBounds() was calling SVGElement::getBoundingBox() in a way
+        that could trigger a layout.
+
+        * dom/Element.cpp:
+        (WebCore::Element::absoluteEventBounds):
+
+2015-10-23  Simon Fraser  <[email protected]>
+
         REGRESSION (r187121): Multiple-keyframe animations not honouring ' forwards' fill-mode
         https://bugs.webkit.org/show_bug.cgi?id=150328

Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/dom/Element.cpp (191574 => 191575)


--- releases/WebKitGTK/webkit-2.10/Source/WebCore/dom/Element.cpp	2015-10-26 08:54:29 UTC (rev 191574)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/dom/Element.cpp	2015-10-26 08:56:21 UTC (rev 191575)
@@ -973,7 +973,7 @@
         // Get the bounding rectangle from the SVG model.
         SVGElement& svgElement = downcast<SVGElement>(*this);
         FloatRect localRect;
-        if (svgElement.getBoundingBox(localRect))
+        if (svgElement.getBoundingBox(localRect, SVGLocatable::DisallowStyleUpdate))
             result = LayoutRect(renderer()->localToAbsoluteQuad(localRect, UseTransforms, &includesFixedPositionElements).boundingBox());
     } else {
         if (is<RenderBox>(renderer())) {

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes