[webkit-changes] [WebKit/WebKit] f68717: [Catalyst] Occasional invalid IPC: `WebPageProxy_H...

Wenson Hsieh noreply at github.com
Sun May 7 16:26:31 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f68717fc7602f406e9fb0993e81b9d344c016513
      https://github.com/WebKit/WebKit/commit/f68717fc7602f406e9fb0993e81b9d344c016513
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2023-05-07 (Sun, 07 May 2023)

  Changed paths:
    M Source/WebCore/dom/Node.cpp

  Log Message:
  -----------
  [Catalyst] Occasional invalid IPC: `WebPageProxy_HandleSmartMagnificationInformationForPotentialTap`
https://bugs.webkit.org/show_bug.cgi?id=256433
rdar://108517664

Reviewed by Tim Horton.

In Mac Catalyst, we sometimes end up trying to decode an invalid IPC message in the UI process for
`WebPageProxy::HandleSmartMagnificationInformationForPotentialTap`, due to the boolean value for
`fitEntireRect` being a value that isn't 0 or 1. This can happen in the case where the user clicks
on the body or document element, since we always pass the (uninitialized) boolean flag as an
outparam here:

```
void ViewGestureGeometryCollector::computeZoomInformationForNode(…, bool& isReplaced, …)
{
    renderRect = node.renderRect(&isReplaced);
…
```

...but `Node::renderRect` only sets the outparam in the case where we find a block-level renderer
that is neither the body element's nor the document element's renderer:

```
LayoutRect Node::renderRect(bool* isReplaced)
{
…
    while (renderer && !renderer->isBody() && !renderer->isDocumentElementRenderer()) {
        if (renderer->isRenderBlock() || renderer->isInlineBlockOrInlineTable() || renderer->isReplacedOrInlineBlock()) {
            // FIXME: Is this really what callers want for the "isReplaced" flag?
            *isReplaced = renderer->isReplacedOrInlineBlock();
            return renderer->absoluteBoundingBoxRect();
        }
        renderer = renderer->parent();
    }
    return LayoutRect();
}
```

To fix this, we simply ensure that the outparam is initialized to `false` in the case where we never
found a suitable render block in the first place.

* Source/WebCore/dom/Node.cpp:
(WebCore::Node::renderRect):

Canonical link: https://commits.webkit.org/263782@main

More information about the webkit-changes mailing list