Issue metadata
Sign in to add a comment
|
Calling inverse on a DOMMatrix crashes the tab. |
||||||||||||||||||||||||
Issue description
Chrome Version: 62.0.3202.75
OS: All
What steps will reproduce the problem?
Run the following code:
const m = new DOMMatrix();
let p = new DOMPoint();
function zoom(evt) {
const amount = evt.deltaY > 0 ? 1.1 : 0.9;
m.scaleSelf(amount);
p = p.matrixTransform(m.inverse());
}
window.addEventListener('mousewheel', (evt) => zoom(evt));
And then scroll the mousewheel.
What is the expected result?
An updated matrix.
What happens instead?
The Chrome tab crashes. For what it's worth the problem seems centered around the inverse() call. When that's not there it goes fine.
,
Nov 3 2017
There is also "DOMMatrix.invertSelf()", I wonder whether it happens with it as well.
,
Nov 3 2017
Demo: https://dom-maxtrix-crash.glitch.me/. The crash seems to happen on p.matrixTransform().
,
Nov 3 2017
invertSelf and inverse both crash the tab for me, but weirdly in the case of invertSelf only when I log the values out.
,
Nov 3 2017
Hah, given the intermittent nature, it's really difficult to reduce.
,
Nov 3 2017
There's essentially two issues at play here: 1) The invert operation for an 'is2d' matrix will, because of numerical errors, stray from the 'is2d' form. 2) DOMPoint.matrixTransform didn't deal with errors from the validate-and-fixup (among other things validating the 'is2d' property of a matrix) step brought on by the dictionary conversion, leading to the crash.
,
Nov 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a3c63f7c118585fbcdd85083a5ba75781459f92f commit a3c63f7c118585fbcdd85083a5ba75781459f92f Author: Fredrik Söderquist <fs@opera.com> Date: Sat Nov 04 09:53:23 2017 Handle failed dictionary conversion in DOMPointReadOnly::matrixTransform DOMMatrixReadOnly::fromMatrix can fail, returning null and generating an exception. Bug: 781172 Change-Id: If77e4cd57d02e8a09d79875aa96f0bc243f08b40 Reviewed-on: https://chromium-review.googlesource.com/753485 Reviewed-by: Jinho Bang <jinho.bang@samsung.com> Commit-Queue: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#514041} [modify] https://crrev.com/a3c63f7c118585fbcdd85083a5ba75781459f92f/third_party/WebKit/LayoutTests/external/wpt/css/geometry/DOMPoint-002.html [modify] https://crrev.com/a3c63f7c118585fbcdd85083a5ba75781459f92f/third_party/WebKit/Source/core/geometry/DOMMatrixReadOnly.cpp [modify] https://crrev.com/a3c63f7c118585fbcdd85083a5ba75781459f92f/third_party/WebKit/Source/core/geometry/DOMPointReadOnly.cpp
,
Nov 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d755f33ccd0298f34016a7d602b777bf0a8c3d73 commit d755f33ccd0298f34016a7d602b777bf0a8c3d73 Author: Fredrik Söderquist <fs@opera.com> Date: Sat Nov 04 10:19:44 2017 Special-case the 'is2D' case in DOMMatrix::invertSelf When the DOMMatrix is supposedly well-formed according to the 'is2D' restrictions, we can perform the inversion on the relevant submatrix rather than the full matrix. This should avoid some numerical errors sneaking in, breaking the 'is2D' invariant. It is probably a bit faster as well. Bug: 781172 Change-Id: I0e7678ccaf2baae9c40cff0acebb9d0fc498be11 Reviewed-on: https://chromium-review.googlesource.com/753685 Reviewed-by: Jinho Bang <jinho.bang@samsung.com> Commit-Queue: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#514044} [modify] https://crrev.com/d755f33ccd0298f34016a7d602b777bf0a8c3d73/third_party/WebKit/Source/core/geometry/DOMMatrix.cpp
,
Nov 4 2017
|
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by aerotwist@chromium.org
, Nov 3 2017