Changeset 128935 in webkit

Timestamp:

Sep 18, 2012 3:00:19 PM (12 years ago)

Author:

andersca@apple.com

Message:

Division by zero crash in BackingStore::scroll
​https://bugs.webkit.org/show_bug.cgi?id=97046
<rdar://problem/11722564>

Reviewed by Dan Bernstein.

It appears that DrawingAreaImpl::scroll can be called with an empty scroll rect. Do nothing
if that's the case. Also, assert that the scrolling rect in BackingStoreMac is never empty.

• UIProcess/mac/BackingStoreMac.mm:

(WebKit::BackingStore::scroll):

• WebProcess/WebPage/DrawingAreaImpl.cpp:

(WebKit::DrawingAreaImpl::scroll):

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• UIProcess/mac/BackingStoreMac.mm (modified) (1 diff)
• WebProcess/WebPage/DrawingAreaImpl.cpp (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2012-09-18  Anders Carlsson  <andersca@apple.com>
+
+        Division by zero crash in BackingStore::scroll
+        https://bugs.webkit.org/show_bug.cgi?id=97046
+        <rdar://problem/11722564>
+
+        Reviewed by Dan Bernstein.
+
+        It appears that DrawingAreaImpl::scroll can be called with an empty scroll rect. Do nothing
+        if that's the case. Also, assert that the scrolling rect in BackingStoreMac is never empty.
+
+        * UIProcess/mac/BackingStoreMac.mm:
+        (WebKit::BackingStore::scroll):
+        * WebProcess/WebPage/DrawingAreaImpl.cpp:
+        (WebKit::DrawingAreaImpl::scroll):
+
 2012-09-18  Bo Liu  <boliu@chromium.org>
 

trunk/Source/WebKit2/UIProcess/mac/BackingStoreMac.mm

@@ -215 +215 @@
         return;
 
+    ASSERT(!scrollRect.isEmpty());
+
     if (!m_scrolledRect.isEmpty() && m_scrolledRect != scrollRect)
         resetScrolledRect();

trunk/Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp

@@ -118 +118 @@
         return;
 
+    if (scrollRect.isEmpty())
+        return;
+
     if (!m_scrollRect.isEmpty() && scrollRect != m_scrollRect) {
         unsigned scrollArea = scrollRect.width() * scrollRect.height();