Title: [191656] branches/safari-601-branch/Source/WebCore
- Revision
- 191656
- Author
- matthew_han...@apple.com
- Date
- 2015-10-27 22:19:33 -0700 (Tue, 27 Oct 2015)
Log Message
Merge r191525. <rdar://problem/23239748> FaradayDotTwo: CrashTracer: com.apple.WebKit.WebContent at ?re: WebCore::RenderObject::localToContainerQuad const + 132
Modified Paths
Diff
Modified: branches/safari-601-branch/Source/WebCore/ChangeLog (191655 => 191656)
--- branches/safari-601-branch/Source/WebCore/ChangeLog 2015-10-28 05:19:30 UTC (rev 191655)
+++ branches/safari-601-branch/Source/WebCore/ChangeLog 2015-10-28 05:19:33 UTC (rev 191656)
@@ -1,3 +1,22 @@
+2015-10-27 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r191525. rdar://problem/23239748
+
+ 2015-10-23 Simon Fraser <simon.fra...@apple.com>
+
+ Avoid SVG-induced layouts inside Element::absoluteEventBounds()
+ https://bugs.webkit.org/show_bug.cgi?id=150516
+
+ Reviewed by Zalan Bujtas.
+
+ Speculative fix for a crash under RenderObject::localToContainerQuad() when
+ computing the wheel event handler region, which uses Element::absoluteEventHandlerBounds().
+ Element::absoluteEventBounds() was calling SVGElement::getBoundingBox() in a way
+ that could trigger a layout.
+
+ * dom/Element.cpp:
+ (WebCore::Element::absoluteEventBounds):
+
2015-10-23 Matthew Hanson <matthew_han...@apple.com>
Merge r191484.
Modified: branches/safari-601-branch/Source/WebCore/dom/Element.cpp (191655 => 191656)
--- branches/safari-601-branch/Source/WebCore/dom/Element.cpp 2015-10-28 05:19:30 UTC (rev 191655)
+++ branches/safari-601-branch/Source/WebCore/dom/Element.cpp 2015-10-28 05:19:33 UTC (rev 191656)
@@ -973,7 +973,7 @@
// Get the bounding rectangle from the SVG model.
SVGElement& svgElement = downcast<SVGElement>(*this);
FloatRect localRect;
- if (svgElement.getBoundingBox(localRect))
+ if (svgElement.getBoundingBox(localRect, SVGLocatable::DisallowStyleUpdate))
result = LayoutRect(renderer()->localToAbsoluteQuad(localRect, UseTransforms, &includesFixedPositionElements).boundingBox());
} else {
if (is<RenderBox>(renderer())) {
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes