+2019-03-20 Dean Jackson <dino@apple.com>
+
+ [iOS] Crash in WebCore::Node::renderRect
+ https://bugs.webkit.org/show_bug.cgi?id=196035
+ <rdar://problem/49076783>
+
+ Reviewed by Antoine Quint.
+
+ When renderRect was called on an HTMLAreaElement, it would
+ ASSERT because it doesn't have a renderer. We hadn't noticed
+ this before because none of our tests were hitting this in
+ debug mode.
+
+ The fix is to ask the corresponding HTMLImageElement for
+ its renderer, and use that for the returned rectangle.
+
+ Covered by these tests that had become flakey:
+ fast/images/imagemap-in-shadow-tree.html
+ http/tests/download/area-download.html
+
+ * dom/Node.cpp:
+ (WebCore::Node::renderRect):
+
2019-03-20 Youenn Fablet <youenn@apple.com>
Have smaller default quotas for third party frames
#include "EventDispatcher.h"
#include "EventHandler.h"
#include "FrameView.h"
+#include "HTMLAreaElement.h"
#include "HTMLBodyElement.h"
#include "HTMLCollection.h"
#include "HTMLElement.h"
LayoutRect Node::renderRect(bool* isReplaced)
{
RenderObject* hitRenderer = this->renderer();
- ASSERT(hitRenderer);
+ if (!hitRenderer && is<HTMLAreaElement>(*this)) {
+ auto& area = downcast<HTMLAreaElement>(*this);
+ if (auto* imageElement = area.imageElement())
+ hitRenderer = imageElement->renderer();
+ }
RenderObject* renderer = hitRenderer;
while (renderer && !renderer->isBody() && !renderer->isDocumentElementRenderer()) {
if (renderer->isRenderBlock() || renderer->isInlineBlockOrInlineTable() || renderer->isReplaced()) {
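Review bot: With `ASSERT(hitRenderer)` removed, a null `hitRenderer` becomes an accepted state for every caller, yet the new fallback block has no comment saying so or explaining why an area element borrows another element's renderer. I would add above the new `if`: `// An <area> has no renderer of its own; fall back to its <img>'s renderer, which can still be null.` The remaining null cases (an area whose `imageElement()` is null, presumably an image with no renderer, or any other renderer-less node) are handled only by the `renderer &&` guard in the `while` condition, so the loop is skipped. Whether `*isReplaced` is written on that path cannot be seen here, because the body of renderRect continues past the hunk; it is worth confirming that callers never read it uninitialized.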