Skip to site navigation (Press enter)

[webkit-changes] [268712] trunk/Source/WebCore

simon . fraser Mon, 19 Oct 2020 20:47:00 -0700

Title: [268712] trunk/Source/WebCore

Revision: 268712
Author: simon.fra...@apple.com
Date: 2020-10-19 20:45:54 -0700 (Mon, 19 Oct 2020)

Log Message

Fix crash in RenderLayerBacking::updateClippingStackLayerGeometry()
https://bugs.webkit.org/show_bug.cgi?id=217940
<rdar://problem/70316952>


Reviewed by Tim Horton.

Crash data suggest that entry.clipData.clippingLayer (which is a WeakRef<RenderLayer>)
can be null, so check it.

* rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::updateClippingStackLayerGeometry):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderLayerBacking.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (268711 => 268712)


--- trunk/Source/WebCore/ChangeLog	2020-10-20 02:52:41 UTC (rev 268711)
+++ trunk/Source/WebCore/ChangeLog	2020-10-20 03:45:54 UTC (rev 268712)
@@ -1,3 +1,17 @@
+2020-10-19  Simon Fraser  <simon.fra...@apple.com>
+
+        Fix crash in RenderLayerBacking::updateClippingStackLayerGeometry()
+        https://bugs.webkit.org/show_bug.cgi?id=217940
+        <rdar://problem/70316952>
+
+        Reviewed by Tim Horton.
+
+        Crash data suggest that entry.clipData.clippingLayer (which is a WeakRef<RenderLayer>)
+        can be null, so check it.
+
+        * rendering/RenderLayerBacking.cpp:
+        (WebCore::RenderLayerBacking::updateClippingStackLayerGeometry):
+
 2020-10-19  Alexey Shvayka  <shvaikal...@gmail.com>
 
         [WebIDL] %Interface%.prototype.constructor should be defined on [[Set]] receiver

Modified: trunk/Source/WebCore/rendering/RenderLayerBacking.cpp (268711 => 268712)


--- trunk/Source/WebCore/rendering/RenderLayerBacking.cpp	2020-10-20 02:52:41 UTC (rev 268711)
+++ trunk/Source/WebCore/rendering/RenderLayerBacking.cpp	2020-10-20 03:45:54 UTC (rev 268712)
@@ -1902,7 +1902,7 @@
         entry.clippingLayer->setSize(snappedClippingLayerRect.size());
 
         if (entry.clipData.isOverflowScroll) {
-            ScrollOffset scrollOffset = entry.clipData.clippingLayer->scrollOffset();
+            ScrollOffset scrollOffset = entry.clipData.clippingLayer ? entry.clipData.clippingLayer->scrollOffset() : ScrollOffset();
 
             entry.clippingLayer->setBoundsOrigin(scrollOffset);
             lastClipLayerRect.moveBy(-scrollOffset);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes