Avoid SVG-induced layouts inside Element::absoluteEventBounds()
author: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Sat, 24 Oct 2015 00:52:41 +0000 (00:52 +0000)
committer: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Sat, 24 Oct 2015 00:52:41 +0000 (00:52 +0000)
https://bugs.webkit.org/show_bug.cgi?id=150516

Reviewed by Zalan Bujtas.

Speculative fix for a crash under RenderObject::localToContainerQuad() when
computing the wheel event handler region, which uses Element::absoluteEventHandlerBounds().
Element::absoluteEventBounds() was calling SVGElement::getBoundingBox() in a way
that could trigger a layout.

* dom/Element.cpp:
(WebCore::Element::absoluteEventBounds):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191525 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/dom/Element.cpp

index d796719..33e6da6 100644 (file)
@@ -1,3 +1,18 @@
+2015-10-23  Simon Fraser  <simon.fraser@apple.com>
+
+        Avoid SVG-induced layouts inside Element::absoluteEventBounds()
+        https://bugs.webkit.org/show_bug.cgi?id=150516
+
+        Reviewed by Zalan Bujtas.
+
+        Speculative fix for a crash under RenderObject::localToContainerQuad() when
+        computing the wheel event handler region, which uses Element::absoluteEventHandlerBounds().
+        Element::absoluteEventBounds() was calling SVGElement::getBoundingBox() in a way
+        that could trigger a layout.
+
+        * dom/Element.cpp:
+        (WebCore::Element::absoluteEventBounds):
+
 2015-10-23  Alex Christensen  <achristensen@webkit.org>
 
         Progress towards CMake on Mac
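
Review bot: The ChangeLog entry names Element::absoluteEventHandlerBounds() in the second line of its description but Element::absoluteEventBounds() in the title, the next sentence and the function list; if the former is a distinct caller, say so explicitly, otherwise use one name throughout. The entry also calls the fix speculative and lists no test, so it would help to state that no reproduction is available, or to add a layout test that computes the wheel event handler region over an SVG element.
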
index 8893dff..8966b87 100644 (file)
@@ -975,7 +975,7 @@ LayoutRect Element::absoluteEventBounds(bool& boundsIncludeAllDescendantElements
         // Get the bounding rectangle from the SVG model.
         SVGElement& svgElement = downcast<SVGElement>(*this);
         FloatRect localRect;
-        if (svgElement.getBoundingBox(localRect))
+        if (svgElement.getBoundingBox(localRect, SVGLocatable::DisallowStyleUpdate))
             result = LayoutRect(renderer()->localToAbsoluteQuad(localRect, UseTransforms, &includesFixedPositionElements).boundingBox());
     } else {
         if (is<RenderBox>(renderer())) {
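
Review bot: The new SVGLocatable::DisallowStyleUpdate argument at the getBoundingBox() call carries no comment, and the reason for it (this function is reached while computing the wheel event handler region, and the old call could trigger a layout there) is recorded only in the ChangeLog. Extend the existing "Get the bounding rectangle from the SVG model" comment to say that style updates are disallowed so the call cannot trigger a layout. Since renderer() is dereferenced on the following line, it is also worth confirming that callers accept bounds computed without a fresh style update.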