<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[179597] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/179597">179597</a></dd>
<dt>Author</dt> <dd>mjs@apple.com</dd>
<dt>Date</dt> <dd>2015-02-03 23:01:23 -0800 (Tue, 03 Feb 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Crash when printing snapshotted plugins
https://bugs.webkit.org/show_bug.cgi?id=141212

Reviewed by Simon Fraser.

Source/WebCore:

Test: plugins/snapshotting/print-snapshotted-plugin.html

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::childShouldCreateRenderer): New
method. If the current renderer is a snapshotted plugin, only
allow children to create renderers if they are part of the
snapshot shadow dom. Otherwise RenderEmbeddedObject invariants
will be violated. This DOM class can have many other renderers, but they
can just follow their own rules.
(WebCore::HTMLPlugInImageElement::partOfSnapshotOverlay): Make this
const-correct, and don't create UA shadow DOM as a side effect if it doesn't
already exist.
* html/HTMLPlugInImageElement.h:

LayoutTests:

This test would crash without the fix due to a bad cast to RenderBox. &lt;object&gt;
is not prepared to have rendered inline children when rendering a plugin.
        
* plugins/snapshotting/print-snapshotted-plugin-expected.txt: Added.
* plugins/snapshotting/print-snapshotted-plugin.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLPlugInImageElementcpp">trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLPlugInImageElementh">trunk/Source/WebCore/html/HTMLPlugInImageElement.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestspluginssnapshottingprintsnapshottedpluginexpectedtxt">trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin-expected.txt</a></li>
<li><a href="#trunkLayoutTestspluginssnapshottingprintsnapshottedpluginhtml">trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (179596 => 179597)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-02-04 06:51:46 UTC (rev 179596)
+++ trunk/LayoutTests/ChangeLog        2015-02-04 07:01:23 UTC (rev 179597)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2015-02-03  Maciej Stachowiak  &lt;mjs@apple.com&gt;
+
+        Crash when printing snapshotted plugins
+        https://bugs.webkit.org/show_bug.cgi?id=141212
+
+        Reviewed by Simon Fraser.
+
+        This test would crash without the fix due to a bad cast to RenderBox. &lt;object&gt;
+        is not prepared to have rendered inline children when rendering a plugin.
+        
+        * plugins/snapshotting/print-snapshotted-plugin-expected.txt: Added.
+        * plugins/snapshotting/print-snapshotted-plugin.html: Added.
+
</ins><span class="cx"> 2015-02-03  Brent Fulgham  &lt;bfulgham@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [Win] Unreviewed. Activate more tests.
</span></span></pre></div>
<a id="trunkLayoutTestspluginssnapshottingprintsnapshottedpluginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin-expected.txt (0 => 179597)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin-expected.txt                                (rev 0)
+++ trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin-expected.txt        2015-02-04 07:01:23 UTC (rev 179597)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+This test checks that printing a snapshotted plugin with text children does not crash or cause assertion failures. 
</ins></span></pre></div>
<a id="trunkLayoutTestspluginssnapshottingprintsnapshottedpluginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin.html (0 => 179597)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin.html                                (rev 0)
+++ trunk/LayoutTests/plugins/snapshotting/print-snapshotted-plugin.html        2015-02-04 07:01:23 UTC (rev 179597)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    internals.settings.setPlugInSnapshottingEnabled(true);
+    internals.settings.setMaximumPlugInSnapshotAttempts(0);
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}     
+&lt;/script&gt;
+
+This test checks that printing a snapshotted plugin with text children
+does not crash or cause assertion failures.
+
+&lt;object  id=&quot;foo&quot; type=&quot;application/x-shockwave-flash&quot; data=&quot;../resources/lines.swf&quot;&gt;
+ &lt;/object&gt;
+
+&lt;script&gt;
+function boom()
+{
+    if (window.testRunner) {
+        testRunner.setPrinting();
+        testRunner.notifyDone();
+    } else {
+        window.print();
+    }
+}
+setTimeout(boom, 3000);
+&lt;/script&gt;
+
</ins></span></pre></div>
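Review bot: the only child of the &lt;object id="foo"&gt; element in this test is the newline and space before &lt;/object&gt;, so the "text children" the test depends on are whitespace that an editor or reformatter can strip without anyone noticing; put an explicit text node inside the element or add a comment saying the whitespace is required. Separately, setTimeout(boom, 3000) ties the test to a fixed three-second wait, and the first script reaches for internals under a window.testRunner check rather than a window.internals check; if a signal exists that the snapshot renderer is in place, calling boom() from it would make the test faster and less timing-dependent.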
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (179596 => 179597)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-02-04 06:51:46 UTC (rev 179596)
+++ trunk/Source/WebCore/ChangeLog        2015-02-04 07:01:23 UTC (rev 179597)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2015-02-03  Maciej Stachowiak  &lt;mjs@apple.com&gt;
+
+        Crash when printing snapshotted plugins
+        https://bugs.webkit.org/show_bug.cgi?id=141212
+
+        Reviewed by Simon Fraser.
+
+        Test: plugins/snapshotting/print-snapshotted-plugin.html
+
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::childShouldCreateRenderer): New
+        method. If the current renderer is a snapshotted plugin, only
+        allow children to create renderers if they are part of the
+        snapshot shadow dom. Otherwise RenderEmbeddedObject invariants
+        will be violated. This DOM class can have many other renderers, but they
+        can just follow their own rules.
+        (WebCore::HTMLPlugInImageElement::partOfSnapshotOverlay): Make this
+        const-correct, and don't create UA shadow DOM as a side effect if it doesn't
+        already exist.
+        * html/HTMLPlugInImageElement.h:
+
</ins><span class="cx"> 2015-02-03  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Regression(r179584): Assertion hit in toResourceLoadPriority() on Yosemite
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLPlugInImageElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp (179596 => 179597)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp        2015-02-04 06:51:46 UTC (rev 179596)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp        2015-02-04 07:01:23 UTC (rev 179597)
</span><span class="lines">@@ -221,6 +221,14 @@
</span><span class="cx">     return HTMLPlugInElement::createElementRenderer(WTF::move(style));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool HTMLPlugInImageElement::childShouldCreateRenderer(const Node&amp; child) const
+{
+    if (is&lt;RenderSnapshottedPlugIn&gt;(renderer()) &amp;&amp; !partOfSnapshotOverlay(&amp;child))
+        return false;
+
+    return HTMLPlugInElement::childShouldCreateRenderer(child);
+}
+
</ins><span class="cx"> bool HTMLPlugInImageElement::willRecalcStyle(Style::Change change)
</span><span class="cx"> {
</span><span class="cx">     // Make sure style recalcs scheduled by a child shadow tree don't trigger reconstruction and cause flicker.
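Review bot: the early "return false" in childShouldCreateRenderer() carries no comment, and the reason for it (a snapshotted plugin's renderer must not get rendered children from outside the snapshot overlay) is recorded only in the ChangeLog; add a one-line comment above the if so the constraint stays visible in the source. The check also calls partOfSnapshotOverlay() once per child, and that function runs querySelector on the shadow root on every call, so it is worth confirming the cost is acceptable on this path.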
</span><span class="lines">@@ -396,10 +404,13 @@
</span><span class="cx">     JSC::call(exec, overlay, callType, callData, globalObject, argList);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool HTMLPlugInImageElement::partOfSnapshotOverlay(Node* node)
</del><ins>+bool HTMLPlugInImageElement::partOfSnapshotOverlay(const Node* node) const
</ins><span class="cx"> {
</span><span class="cx">     DEPRECATED_DEFINE_STATIC_LOCAL(AtomicString, selector, (&quot;.snapshot-overlay&quot;, AtomicString::ConstructFromLiteral));
</span><del>-    RefPtr&lt;Element&gt; snapshotLabel = ensureUserAgentShadowRoot().querySelector(selector, ASSERT_NO_EXCEPTION);
</del><ins>+    ShadowRoot* shadow = userAgentShadowRoot();
+    if (!shadow)
+        return false;
+    RefPtr&lt;Element&gt; snapshotLabel = shadow-&gt;querySelector(selector, ASSERT_NO_EXCEPTION);
</ins><span class="cx">     return node &amp;&amp; snapshotLabel &amp;&amp; (node == snapshotLabel.get() || node-&gt;isDescendantOf(snapshotLabel.get()));
</span><span class="cx"> }
</span><span class="cx"> 
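Review bot: with the new "if (!shadow) return false;" lines, partOfSnapshotOverlay() no longer creates the user agent shadow root the way the removed ensureUserAgentShadowRoot() call did; its other callers are not part of this diff, so confirm none of them relied on that side effect. The null test on node is also still the first operand of the final return, after the querySelector call; an early return for a null node next to the shadow check would skip the query in that case.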
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLPlugInImageElementh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.h (179596 => 179597)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLPlugInImageElement.h        2015-02-04 06:51:46 UTC (rev 179596)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.h        2015-02-04 07:01:23 UTC (rev 179597)
</span><span class="lines">@@ -77,7 +77,7 @@
</span><span class="cx">     void subframeLoaderDidCreatePlugIn(const Widget&amp;);
</span><span class="cx"> 
</span><span class="cx">     WEBCORE_EXPORT void setIsPrimarySnapshottedPlugIn(bool);
</span><del>-    bool partOfSnapshotOverlay(Node*);
</del><ins>+    bool partOfSnapshotOverlay(const Node*) const;
</ins><span class="cx"> 
</span><span class="cx">     bool needsCheckForSizeChange() const { return m_needsCheckForSizeChange; }
</span><span class="cx">     void setNeedsCheckForSizeChange() { m_needsCheckForSizeChange = true; }
</span><span class="lines">@@ -118,6 +118,7 @@
</span><span class="cx">     virtual void didAddUserAgentShadowRoot(ShadowRoot*) override final;
</span><span class="cx"> 
</span><span class="cx">     virtual RenderPtr&lt;RenderElement&gt; createElementRenderer(Ref&lt;RenderStyle&gt;&amp;&amp;) override;
</span><ins>+    virtual bool childShouldCreateRenderer(const Node&amp;) const override;
</ins><span class="cx">     virtual bool willRecalcStyle(Style::Change) override final;
</span><span class="cx">     virtual void didAttachRenderers() override final;
</span><span class="cx">     virtual void willDetachRenderers() override final;
</span></span></pre>
</div>
</div>

</body>
</html>