RESOLVED DUPLICATE of bug 196518 198038
hitTest on a SVG zero-width rect with rounded corners crashes WebKit 
https://bugs.webkit.org/show_bug.cgi?id=198038
Summary hitTest on a SVG zero-width rect with rounded corners crashes WebKit
Alexander Meißner
Reported 2019-05-20 06:27:02 PDT
Created attachment 370250 [details] Code for reproduction and system crash report In the attachment you will find a main.html and the crash report. If you open main.html and slowly drag the column separation bar to the right border WebKit will crash. I think the following 3 conditions are needed to cause the crash: - (MouseMove) Hit test against a - SVG Rect of zero width or zero height - SVG Rect with rounded corners (rx > 0 or ry > 0)
Attachments
Code for reproduction and system crash report (70.27 KB, application/zip)
2019-05-20 06:27 PDT, Alexander Meißner 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2019-05-20 17:22:28 PDT
<rdar://problem/50967723>
Simon Fraser (smfr)
Comment 2 2019-05-20 17:24:40 PDT
Crash in: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000109436358 WebCore::Path::contains(WebCore::FloatPoint const&, WebCore::WindRule) const + 24 1 com.apple.WebCore 0x000000010a745f44 WebCore::RenderSVGShape::nodeAtFloatPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::FloatPoint const&, WebCore::HitTestAction) + 516 2 com.apple.WebCore 0x000000010a72f828 WebCore::RenderSVGContainer::nodeAtFloatPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::FloatPoint const&, WebCore::HitTestAction) + 328 Said, didn't you fix this?
Said Abou-Hallawa
Comment 3 2019-05-20 18:09:37 PDT
Yes I believe this bug was fixed by <https://trac.webkit.org/changeset/243845>. In the scenario of this bug RenderSVGShape::nodeAtFloatPoint() calls RenderSVGShape::fillContains() which calls RenderSVGRect::shapeDependentFillContains(). This last function checks the value of m_usePathFallback. If it is true, it calls Path::contains() via RenderSVGShape::shapeDependentFillContains(). Before r243845, m_usePathFallback could be set to true while m_path is null. After r243845, if m_usePathFallback is true, m_path has to be a valid pointer. The crash log shows that the webkit build is 13607 (13607.2.6.1.2). I think is corresponds to safari-607.2.6.2-branch or very close to it. I checked this branch and it does not have r243845. So I assume this is a duplicate of https://bugs.webkit.org/show_bug.cgi?id=196518. *** This bug has been marked as a duplicate of bug 196518 ***
Note You need to log in before you can comment on or make changes to this bug.