Title: [247089] trunk/Source/WebCore
Revision: 247089
Author: simon.fra...@apple.com
Date: 2019-07-02 23:13:25 -0700 (Tue, 02 Jul 2019)

Log Message

REGRESSION (r246723): ScrollingTreeOverflowScrollProxyNode::m_overflowScrollingNodeID is uninitialized sometimes
https://bugs.webkit.org/show_bug.cgi?id=199432

Reviewed by Antti Koivisto.

I noticed while debugging rdar://problem/52291642 that m_overflowScrollingNodeID was uninitialized in
ScrollingTreeOverflowScrollProxyNode. This could lead to the wrong node being found by m_scrollingTree->nodeForID(),
which could result in type confusion bugs.

This can happen with negative z-order layers when we fail to find their related scrolling tree node
on the first pass.

* page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNode.h:

Diff

Modified: trunk/Source/WebCore/ChangeLog (247088 => 247089)


--- trunk/Source/WebCore/ChangeLog	2019-07-03 06:01:12 UTC (rev 247088)
+++ trunk/Source/WebCore/ChangeLog	2019-07-03 06:13:25 UTC (rev 247089)
@@ -1,3 +1,19 @@
+2019-07-02  Simon Fraser  <simon.fra...@apple.com>
+
+        REGRESSION (r246723): ScrollingTreeOverflowScrollProxyNode::m_overflowScrollingNodeID is uninitialized sometimes
+        https://bugs.webkit.org/show_bug.cgi?id=199432
+
+        Reviewed by Antti Koivisto.
+        
+        I noticed while debugging rdar://problem/52291642 that m_overflowScrollingNodeID was uninitialized in
+        ScrollingTreeOverflowScrollProxyNode. This could lead to the wrong node being found by m_scrollingTree->nodeForID(),
+        which could result in type confusion bugs.
+        
+        This can happen with negative z-order layers when we fail to find their related scrolling tree node
+        on the first pass.
+
+        * page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNode.h:
+
 2019-07-02  Zan Dobersek  <zdober...@igalia.com>
 
         FetchResponse::BodyLoader should not be movable
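Review bot: the two blank lines inside the new entry (the line after "Reviewed by Antti Koivisto." and the line after "type confusion bugs.") carry trailing whitespace; strip them so the entry matches the surrounding ChangeLog entries. The entry also has no test line: since the description names a concrete trigger (a negative z-order layer whose related scrolling tree node is not found on the first pass), either list a layout test that exercises that case or add the usual "No new tests" line with a one-sentence reason, so a reader knows whether the type-confusion path is covered.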

Modified: trunk/Source/WebCore/page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNode.h (247088 => 247089)


--- trunk/Source/WebCore/page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNode.h	2019-07-03 06:01:12 UTC (rev 247088)
+++ trunk/Source/WebCore/page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNode.h	2019-07-03 06:13:25 UTC (rev 247089)
@@ -50,7 +50,7 @@
 
     WEBCORE_EXPORT void dumpProperties(TextStream&, ScrollingStateTreeAsTextBehavior) const override;
 
-    ScrollingNodeID m_overflowScrollingNodeID;
+    ScrollingNodeID m_overflowScrollingNodeID { 0 };
     RetainPtr<CALayer> m_layer;
 };
 
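Review bot: `ScrollingNodeID m_overflowScrollingNodeID { 0 };` removes the uninitialized read, but it only turns a nondeterministic `m_scrollingTree->nodeForID()` lookup into a deterministic lookup of ID 0, so any path that reads the member before it is assigned now depends on `nodeForID(0)` returning null and on the caller handling that null rather than dereferencing it. A short comment on the member stating that 0 means "not yet resolved" would make that contract visible, and the ChangeLog should say whether the later pass it alludes to (the lookup that fails "on the first pass" for negative z-order layers) is what eventually fills the ID in, since this hunk fixes the symptom and not that lookup failure.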
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes