[webkit-changes] [WebKit/WebKit] 406e57: Cherry-pick 263590 at main (77bb4783cf75). https://bu...

Simon Fraser noreply at github.com
Thu May 4 00:26:50 PDT 2023


  Branch: refs/heads/webkitglib/2.38
  Home:   https://github.com/WebKit/WebKit
  Commit: 406e5713ae613847ba6b87af3862d41a909f76f3
      https://github.com/WebKit/WebKit/commit/406e5713ae613847ba6b87af3862d41a909f76f3
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2023-05-03 (Wed, 03 May 2023)

  Changed paths:
    A LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer-expected.txt
    A LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer.html
    M Source/WebCore/rendering/LayerAncestorClippingStack.cpp
    M Source/WebCore/rendering/RenderLayerBacking.cpp

  Log Message:
  -----------
  Cherry-pick 263590 at main (77bb4783cf75). https://bugs.webkit.org/show_bug.cgi?id=256195

    WebContent crash: Invalid message dispatched virtual void WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations(const RemoteLayerTreeHost &)
    https://bugs.webkit.org/show_bug.cgi?id=256195
    rdar://108204370

    Reviewed by Tim Horton.

    262413 at main added two MESSAGE_CHECK() in
    RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations() that fire when the UI
    process receives a scrolling tree with invalid cross-references; ScrollingTreePositionedNodes or
    ScrollingTreeOverflowScrollProxyNodes with invalid references to overflow scrolling nodes.

    Sites triggering this MESSAGE_CHECK() all hit a pattern where an `overflow:scroll` element became
    non-scrollable, but we failed to clean up ScrollingTreeOverflowScrollProxyNodes that referenced this
    overflow scroll. ScrollingTreeOverflowScrollProxyNodes are created when the overflow scroller has
    non paint-order descendants (typically positioned) which need to move when the scroller scrolls;
    each of these has a LayerAncestorClippingStack which tracks the layers and scrolling tree nodes for
    non paint-order ancestors that affect the given layer.

    The bug was that we'd clear the LayerAncestorClippingStack without unregistering the
    ScrollingTreeOverflowScrollProxyNodes that it referenced, so when
    RenderLayerBacking::updateAncestorClipping() is removing the m_ancestorClippingStack, call
    LayerAncestorClippingStack::clear() to unregister those nodes.

    Also have LayerAncestorClippingStack::clear() unparent the scrolling layer as well as the clipping
    layer.

    * LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer-expected.txt: Added.
    * LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer.html: Added.
    * Source/WebCore/rendering/LayerAncestorClippingStack.cpp:
    (WebCore::LayerAncestorClippingStack::clear):
    * Source/WebCore/rendering/RenderLayerBacking.cpp:
    (WebCore::RenderLayerBacking::updateAncestorClipping):

    Canonical link: https://commits.webkit.org/263590@main
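
The invariant behind the MESSAGE_CHECK() described in this commit message, as an added example that is not WebKit code and not part of the original commit: a simplified model in which the receiver rejects a scrolling tree whose proxy or positioned nodes refer to a missing or non-overflow node. All type and function names are hypothetical, and treating "invalid" as "missing or not an overflow node" is an assumption.

```cpp
#include <algorithm>
#include <cstdint>
#include <iterator>
#include <map>
#include <vector>

// Simplified model; these type and function names are hypothetical, not WebKit's.
enum class NodeType { Frame, Overflow, OverflowProxy, Positioned };
struct Node {
    NodeType type;
    std::vector<uint64_t> overflowRefs; // IDs of overflow scrolling nodes referred to
};
using ScrollingTree = std::map<uint64_t, Node>;

// Receiver-side check: each reference held by a proxy or positioned node must
// resolve to a node that exists and is an overflow scrolling node (assumed rule).
bool crossReferencesAreValid(const ScrollingTree& tree)
{
    for (const auto& entry : tree) {
        const Node& node = entry.second;
        if (node.type != NodeType::OverflowProxy && node.type != NodeType::Positioned)
            continue;
        for (uint64_t ref : node.overflowRefs) {
            auto it = tree.find(ref);
            if (it == tree.end() || it->second.type != NodeType::Overflow)
                return false;
        }
    }
    return true;
}

// Sender-side teardown when a scroller stops being scrollable.
// unregisterProxies == false models the bug, true models the fix.
ScrollingTree removeScroller(ScrollingTree tree, uint64_t scrollerID, bool unregisterProxies)
{
    tree.erase(scrollerID);
    for (auto it = tree.begin(); unregisterProxies && it != tree.end();) {
        const auto& refs = it->second.overflowRefs;
        bool stale = it->second.type == NodeType::OverflowProxy
            && std::find(refs.begin(), refs.end(), scrollerID) != refs.end();
        it = stale ? tree.erase(it) : std::next(it);
    }
    return tree;
}
// Constructed sample: frame node 1, overflow scroller 2, proxy node 3 referring to 2.
ScrollingTree sampleTree()
{
    return { { 1, { NodeType::Frame, {} } }, { 2, { NodeType::Overflow, {} } }, { 3, { NodeType::OverflowProxy, { 2 } } } };
}
```

Checking the tree on the receiving side turns a stale reference into a rejected message rather than a dangling lookup, which is why the sender-side cleanup has to keep the two node sets in step.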
