<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[180063] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/180063">180063</a></dd>
<dt>Author</dt> <dd>simon.fraser@apple.com</dd>
<dt>Date</dt> <dd>2015-02-13 11:04:12 -0800 (Fri, 13 Feb 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crashes under RenderLayer::hitTestLayer under determinePrimarySnapshottedPlugIn()
https://bugs.webkit.org/show_bug.cgi?id=141551
Reviewed by Zalan Bujtas.
It's possible for a layout to dirty the parent frame's state, via the calls to
ownerElement()->scheduleSetNeedsStyleRecalc() that RenderLayerCompositor does when
iframes toggle their compositing mode.
That could cause FrameView::updateLayoutAndStyleIfNeededRecursive() to fail to
leave all the frames in a clean state. Later on, we could enter hit testing,
which calls document().updateLayout() on each frame's document. Document::updateLayout()
does layout on all ancestor documents, so in the middle of hit testing, we could
layout a subframe (dirtying an ancestor frame), then layout another frame, which
would forcing that ancestor to be laid out while we're hit testing it, thus
corrupting the RenderLayer tree while it's being iterated over.
Fix by having FrameView::updateLayoutAndStyleIfNeededRecursive() do a second
layout after laying out subframes, which most of the time will be a no-op.
Also add a stronger assertion, that this frame and all subframes are clean
at the end of FrameView::updateLayoutAndStyleIfNeededRecursive() for the
main frame.
Various existing frames tests hit the new assertion if the code change is removed,
so this is covered by existing tests.
* page/FrameView.cpp:
(WebCore::FrameView::needsStyleRecalcOrLayout):
(WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive):
* page/FrameView.h:
* rendering/RenderWidget.cpp:
(WebCore::RenderWidget::willBeDestroyed):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepageFrameViewcpp">trunk/Source/WebCore/page/FrameView.cpp</a></li>
<li><a href="#trunkSourceWebCorepageFrameViewh">trunk/Source/WebCore/page/FrameView.h</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderWidgetcpp">trunk/Source/WebCore/rendering/RenderWidget.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (180062 => 180063)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-02-13 19:04:09 UTC (rev 180062)
+++ trunk/Source/WebCore/ChangeLog 2015-02-13 19:04:12 UTC (rev 180063)
</span><span class="lines">@@ -1,3 +1,39 @@
</span><ins>+2015-02-13 Simon Fraser <simon.fraser@apple.com>
+
+ Crashes under RenderLayer::hitTestLayer under determinePrimarySnapshottedPlugIn()
+ https://bugs.webkit.org/show_bug.cgi?id=141551
+
+ Reviewed by Zalan Bujtas.
+
+ It's possible for a layout to dirty the parent frame's state, via the calls to
+ ownerElement()->scheduleSetNeedsStyleRecalc() that RenderLayerCompositor does when
+ iframes toggle their compositing mode.
+
+ That could cause FrameView::updateLayoutAndStyleIfNeededRecursive() to fail to
+ leave all the frames in a clean state. Later on, we could enter hit testing,
+ which calls document().updateLayout() on each frame's document. Document::updateLayout()
+ does layout on all ancestor documents, so in the middle of hit testing, we could
+ layout a subframe (dirtying an ancestor frame), then layout another frame, which
+ would forcing that ancestor to be laid out while we're hit testing it, thus
+ corrupting the RenderLayer tree while it's being iterated over.
+
+ Fix by having FrameView::updateLayoutAndStyleIfNeededRecursive() do a second
+ layout after laying out subframes, which most of the time will be a no-op.
+
+ Also add a stronger assertion, that this frame and all subframes are clean
+ at the end of FrameView::updateLayoutAndStyleIfNeededRecursive() for the
+ main frame.
+
+ Various existing frames tests hit the new assertion if the code change is removed,
+ so this is covered by existing tests.
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::needsStyleRecalcOrLayout):
+ (WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive):
+ * page/FrameView.h:
+ * rendering/RenderWidget.cpp:
+ (WebCore::RenderWidget::willBeDestroyed):
+
</ins><span class="cx"> 2015-02-12 Simon Fraser <simon.fraser@apple.com>
</span><span class="cx">
</span><span class="cx"> determinePrimarySnapshottedPlugIn() should only traverse visible Frames
</span></span></pre></div>
<a id="trunkSourceWebCorepageFrameViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/FrameView.cpp (180062 => 180063)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/FrameView.cpp 2015-02-13 19:04:09 UTC (rev 180062)
+++ trunk/Source/WebCore/page/FrameView.cpp 2015-02-13 19:04:12 UTC (rev 180063)
</span><span class="lines">@@ -2561,6 +2561,33 @@
</span><span class="cx"> return m_layoutTimer.isActive();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool FrameView::needsStyleRecalcOrLayout(bool includeSubframes) const
+{
+ if (frame().document() && frame().document()->childNeedsStyleRecalc())
+ return true;
+
+ if (needsLayout())
+ return true;
+
+ if (!includeSubframes)
+ return false;
+
+ // Find child frames via the Widget tree, as updateLayoutAndStyleIfNeededRecursive() does.
+ Vector<Ref<FrameView>, 16> childViews;
+ childViews.reserveInitialCapacity(children().size());
+ for (auto& widget : children()) {
+ if (is<FrameView>(*widget))
+ childViews.uncheckedAppend(downcast<FrameView>(*widget));
+ }
+
+ for (unsigned i = 0; i < childViews.size(); ++i) {
+ if (childViews[i]->needsStyleRecalcOrLayout())
+ return true;
+ }
+
+ return false;
+}
+
</ins><span class="cx"> bool FrameView::needsLayout() const
</span><span class="cx"> {
</span><span class="cx"> // This can return true in cases where the document does not have a body yet.
</span><span class="lines">@@ -3980,10 +4007,12 @@
</span><span class="cx"> for (unsigned i = 0; i < childViews.size(); ++i)
</span><span class="cx"> childViews[i]->updateLayoutAndStyleIfNeededRecursive();
</span><span class="cx">
</span><del>- // When frame flattening is on, child frame can mark parent frame dirty. In such case, child frame
- // needs to call layout on parent frame recursively.
- // This assert ensures that parent frames are clean, when child frames finished updating layout and style.
- ASSERT(!needsLayout());
</del><ins>+ // A child frame may have dirtied us during its layout.
+ frame().document()->updateStyleIfNeeded();
+ if (needsLayout())
+ layout();
+
+ ASSERT(!frame().isMainFrame() || !needsStyleRecalcOrLayout());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool FrameView::qualifiesAsVisuallyNonEmpty() const
</span></span></pre></div>
<a id="trunkSourceWebCorepageFrameViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/FrameView.h (180062 => 180063)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/FrameView.h 2015-02-13 19:04:09 UTC (rev 180062)
+++ trunk/Source/WebCore/page/FrameView.h 2015-02-13 19:04:12 UTC (rev 180063)
</span><span class="lines">@@ -122,6 +122,8 @@
</span><span class="cx"> WEBCORE_EXPORT void setNeedsLayout();
</span><span class="cx"> void setViewportConstrainedObjectsNeedLayout();
</span><span class="cx">
</span><ins>+ bool needsStyleRecalcOrLayout(bool includeSubframes = true) const;
+
</ins><span class="cx"> bool needsFullRepaint() const { return m_needsFullRepaint; }
</span><span class="cx">
</span><span class="cx"> WEBCORE_EXPORT bool renderedCharactersExceed(unsigned threshold);
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderWidgetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderWidget.cpp (180062 => 180063)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderWidget.cpp 2015-02-13 19:04:09 UTC (rev 180062)
+++ trunk/Source/WebCore/rendering/RenderWidget.cpp 2015-02-13 19:04:12 UTC (rev 180063)
</span><span class="lines">@@ -99,7 +99,7 @@
</span><span class="cx"> cache->remove(this);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- setWidget(0);
</del><ins>+ setWidget(nullptr);
</ins><span class="cx">
</span><span class="cx"> RenderReplaced::willBeDestroyed();
</span><span class="cx"> }
</span></span></pre>
</div>
</div>
</body>
</html>