Bug 198038

Summary:

hitTest on a SVG zero-width rect with rounded corners crashes WebKit

Product:

WebKit

Reporter:

Alexander Meißner <AlexanderMeissner>

Component:

SVG

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

sabouhallawa, simon.fraser, webkit-bug-importer, zalan, zimmermann

Priority:

Keywords:

InRadar

Version:

Safari 12

Hardware:

Mac

OS:

macOS 10.13

Attachments:

Description	Flags
Code for reproduction and system crash report	none

Alexander Meißner

Reported 2019-05-20 06:27:02 PDT

Created attachment 370250 [details] Code for reproduction and system crash report In the attachment you will find a main.html and the crash report. If you open main.html and slowly drag the column separation bar to the right border WebKit will crash. I think the following 3 conditions are needed to cause the crash: - (MouseMove) Hit test against a - SVG Rect of zero width or zero height - SVG Rect with rounded corners (rx > 0 or ry > 0)

Attachments
Code for reproduction and system crash report (70.27 KB, application/zip) 2019-05-20 06:27 PDT, Alexander Meißner	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2019-05-20 17:22:28 PDT

<rdar://problem/50967723>

Simon Fraser (smfr)

Comment 2 2019-05-20 17:24:40 PDT

Crash in: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000109436358 WebCore::Path::contains(WebCore::FloatPoint const&, WebCore::WindRule) const + 24 1 com.apple.WebCore 0x000000010a745f44 WebCore::RenderSVGShape::nodeAtFloatPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::FloatPoint const&, WebCore::HitTestAction) + 516 2 com.apple.WebCore 0x000000010a72f828 WebCore::RenderSVGContainer::nodeAtFloatPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::FloatPoint const&, WebCore::HitTestAction) + 328 Said, didn't you fix this?

Said Abou-Hallawa

Comment 3 2019-05-20 18:09:37 PDT

Yes I believe this bug was fixed by <https://trac.webkit.org/changeset/243845>. In the scenario of this bug RenderSVGShape::nodeAtFloatPoint() calls RenderSVGShape::fillContains() which calls RenderSVGRect::shapeDependentFillContains(). This last function checks the value of m_usePathFallback. If it is true, it calls Path::contains() via RenderSVGShape::shapeDependentFillContains(). Before r243845, m_usePathFallback could be set to true while m_path is null. After r243845, if m_usePathFallback is true, m_path has to be a valid pointer. The crash log shows that the webkit build is 13607 (13607.2.6.1.2). I think is corresponds to safari-607.2.6.2-branch or very close to it. I checked this branch and it does not have r243845. So I assume this is a duplicate of https://bugs.webkit.org/show_bug.cgi?id=196518. *** This bug has been marked as a duplicate of bug 196518 ***

Note You need to log in before you can comment on or make changes to this bug.