Skip to site navigation (Press enter)

[webkit-changes] [191656] branches/safari-601-branch/Source/WebCore

matthew_hanson Tue, 27 Oct 2015 22:20:12 -0700

Title: [191656] branches/safari-601-branch/Source/WebCore

Revision: 191656
Author: matthew_han...@apple.com
Date: 2015-10-27 22:19:33 -0700 (Tue, 27 Oct 2015)

Log Message

Merge r191525. <rdar://problem/23239748> FaradayDotTwo: CrashTracer: com.apple.WebKit.WebContent at ?re: WebCore::RenderObject::localToContainerQuad const + 132


Modified Paths

branches/safari-601-branch/Source/WebCore/ChangeLog
branches/safari-601-branch/Source/WebCore/dom/Element.cpp

Diff

Modified: branches/safari-601-branch/Source/WebCore/ChangeLog (191655 => 191656)


--- branches/safari-601-branch/Source/WebCore/ChangeLog	2015-10-28 05:19:30 UTC (rev 191655)
+++ branches/safari-601-branch/Source/WebCore/ChangeLog	2015-10-28 05:19:33 UTC (rev 191656)
@@ -1,3 +1,22 @@
+2015-10-27  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r191525. rdar://problem/23239748
+
+    2015-10-23  Simon Fraser  <simon.fra...@apple.com>
+
+            Avoid SVG-induced layouts inside Element::absoluteEventBounds()
+            https://bugs.webkit.org/show_bug.cgi?id=150516
+
+            Reviewed by Zalan Bujtas.
+
+            Speculative fix for a crash under RenderObject::localToContainerQuad() when
+            computing the wheel event handler region, which uses Element::absoluteEventHandlerBounds().
+            Element::absoluteEventBounds() was calling SVGElement::getBoundingBox() in a way
+            that could trigger a layout.
+
+            * dom/Element.cpp:
+            (WebCore::Element::absoluteEventBounds):
+
 2015-10-23  Matthew Hanson  <matthew_han...@apple.com>
 
         Merge r191484.

Modified: branches/safari-601-branch/Source/WebCore/dom/Element.cpp (191655 => 191656)


--- branches/safari-601-branch/Source/WebCore/dom/Element.cpp	2015-10-28 05:19:30 UTC (rev 191655)
+++ branches/safari-601-branch/Source/WebCore/dom/Element.cpp	2015-10-28 05:19:33 UTC (rev 191656)
@@ -973,7 +973,7 @@
         // Get the bounding rectangle from the SVG model.
         SVGElement& svgElement = downcast<SVGElement>(*this);
         FloatRect localRect;
-        if (svgElement.getBoundingBox(localRect))
+        if (svgElement.getBoundingBox(localRect, SVGLocatable::DisallowStyleUpdate))
             result = LayoutRect(renderer()->localToAbsoluteQuad(localRect, UseTransforms, &includesFixedPositionElements).boundingBox());
     } else {
         if (is<RenderBox>(renderer())) {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes